[Mailman-Developers] Off topic: a cautionary tale.

Chuq Von Rospach chuqui@plaidworks.com
Tue, 30 Jul 2002 00:18:47 -0700
Just because it's too much fun to not pass along, and a useful cautionary
tale. Fortunately, the person this happened to has a sense of humor about
it...

A friend of mine was working on his home web site. It was a bunch of stuff,
back-ended by MySQL. He was, for instance, installing a search engine (using
htDig) for the content, but it wasn't cooperating and he was trying to
figure out why.

Suddenly, the site goes dark. He can't log into it. He starts snooping, he
can't get into MySQL. Uh, oh. (Oh. No backups, either.)

The entire site implodes. He finally gives up, goes into the web logs to see
what happened, thinking he got hacked.

Well, not quite. 

One of the tools he installed was phpMyAdmin to administer the MySQL stuff.
He installed it behind a .htaccess file like you're supposed to. But what he
didn't realize was the .htaccess file wasn't working right, letting anything
in. 

What got in was -- htDig, the search engine. Which happily follows all
links, including, if you let it spider phpMyAdmin, the "delete this
database" links. Including the database holding all of the MySQL
configuration and account info. Which causes MySQL to die. Which...

You get the picture. His search engine got into his database and deleted all
of his data, because while it wasn't working, it COULD spider. And it got
into an area it shouldn't have gotten into, even though it wasn't linked on
the web site.

How's that, you ask? How did htDig find it?

Well -- one of the other things he'd added was log processing. Including
referer tracking. And one of the links the logs showed was a referer link
back to the phpMyAdmin pages. So by spidering the web log data, htDig found
a link into phpMyAdmin, which was supposed to be password protected but
wasn't, which let htDig become a DBA, which let htDig delete all of the
data...

When you build systems, do you think through the side effects of what you're
doing? What are you missing? (and would you have ever figured out why this
happened to you? I wonder if I would have.... )

Happy hacking... But be careful out there.

-- 
Chuq Von Rospach, Architech
chuqui@plaidworks.com -- http://www.chuqui.com/

The Cliff's Notes Cliff's Notes on Hamlet:
    And they all died happily ever after
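
[Editor's note, added to this archived post; the code below is an illustration and
is not from Chuq, from htDig or from phpMyAdmin.] The chain in the story has three
links a practitioner can reproduce and test: a report page that leaks a URL into the
admin area (the referer log), an access control that is configured but not actually
enforced, and an admin interface whose destructive operations are plain GET links
that any crawler will follow. The Python below models all three with a constructed
toy site (`ToySite`, the `/phpmyadmin/` path, the `action=drop` parameter and the
"admin"/"secret" credentials are all made up for the example) and a minimal spider
of the kind htDig is described as being. Run it and the three scenarios show that
either fix alone stops the data loss: auth that is really enforced, or refusing to
make state changes on GET.

```python
"""Spider versus admin interface: a constructed model of the htDig/phpMyAdmin story.

Nothing here talks to a network; the "site" is an in-memory dictionary of pages.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse


class LinkExtractor(HTMLParser):
    """Collect every href on a page, the way an indexing spider does."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


class ToySite:
    """Constructed stand-in for the friend's site (hypothetical paths and data).

    protect_admin   -- whether the .htaccess-style check on /phpmyadmin/ is enforced
    destructive_get -- whether "drop database" is reachable by a plain GET link
    """

    ADMIN_PREFIX = "/phpmyadmin/"
    ADMIN_CREDS = ("admin", "secret")  # made-up credentials for the example

    def __init__(self, protect_admin, destructive_get):
        self.protect_admin = protect_admin
        self.destructive_get = destructive_get
        self.databases = {"mysql", "blog"}  # 'mysql' holds the account/config tables
        self.pages = {
            "/": '<a href="/about.html">about</a> <a href="/stats/referers.html">stats</a>',
            "/about.html": "<p>nothing interesting</p>",
            # The log report republishes a referer, leaking a link into the admin area.
            "/stats/referers.html": '<a href="/phpmyadmin/index.php">/phpmyadmin/index.php</a>',
        }

    def get(self, url, auth=None):
        parsed = urlparse(url)
        if parsed.path.startswith(self.ADMIN_PREFIX):
            if self.protect_admin and auth != self.ADMIN_CREDS:
                return 401, "Authorization Required"
            return self._admin(parsed)
        body = self.pages.get(parsed.path)
        return (200, body) if body is not None else (404, "")

    def _admin(self, parsed):
        qs = parse_qs(parsed.query)
        if qs.get("action") == ["drop"]:
            if not self.destructive_get:
                # Hardened behaviour: state changes need POST (and a CSRF token), not a link.
                return 405, "Method Not Allowed: use POST"
            self.databases.discard(qs.get("db", [""])[0])
            return 200, "dropped"
        # The index page offers one "delete this database" link per database.
        links = "".join(
            f'<a href="/phpmyadmin/index.php?action=drop&amp;db={db}">drop {db}</a>'
            for db in sorted(self.databases)
        )
        return 200, links


def spider(site, start="/", auth=None, limit=100):
    """Breadth-first crawl that follows every link it sees; returns the URLs fetched."""
    seen, queue = set(), [start]
    while queue and len(seen) < limit:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        status, body = site.get(url, auth)
        if status != 200:
            continue
        extractor = LinkExtractor()
        extractor.feed(body)
        queue.extend(urljoin(url, href) for href in extractor.links)
    return seen


def run(protect_admin, destructive_get):
    """Crawl a fresh toy site and report which databases survive."""
    site = ToySite(protect_admin, destructive_get)
    spider(site)
    return sorted(site.databases)


if __name__ == "__main__":
    print("broken auth, destructive GET :", run(False, True))   # the story: []
    print("working auth, destructive GET:", run(True, True))    # ['blog', 'mysql']
    print("broken auth, POST-only drops :", run(False, False))  # ['blog', 'mysql']
```

The check worth doing on a real install is the one the friend skipped: fetch the
protected path as an anonymous client (for example `curl -sI http://host/phpmyadmin/`)
and confirm the first line is a 401, not a 200, before pointing anything that follows
links at the site. And treat "what can reach this URL" as including your own tools:
crawlers, link checkers and log analysers are clients too, and anything that changes
state on a GET request will eventually be triggered by one of them.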