
Review of WilliamAnderson.ca

OK, so this idea came to me while we were launching SymfonyLab.com. I was going to review existing symfony-based sites here, and I finally want to start doing that. I'm not a hacker and I'm not going to crack those resources. I'm also not a security expert; the only reason I'm doing this is that it's some kind of fun for me, it's of course a warning for the resource owners, and it's probably a wake-up call for site developers. What I actually want to achieve is to help site owners protect their sites a bit. Maybe when they find their sites here they will urgently protect/fix them, or at least kick some developers' asses 🙂

Today let's take a look at the first site I've picked from symfony's list of sites: williamanderson.ca

So, as it seems to me, the most common problem of symfony sites is that developers forget to delete the _dev.php front controllers from the production server. As a result we can find out some interesting information about this site. I don't think this information is really critical, but it can be helpful to attackers. So what can we learn from here:

http://www.williamanderson.ca/frontend_dev.php

Not too much, but the first thing is that eaccelerator is not turned off here (in dev mode the cache is also disabled, but this may apply only to dev mode, so we can't be 100% sure). Maybe that's the reason why this site loads so slowly?
The other thing I noticed is that the computer this site is hosted on is called:

COMPUTERNAME: NATALIE

Hey guys, that's my wife's name. What a good shot! Well, what else.. NUMBER_OF_PROCESSORS: 2, php: 5.1.2, os: Windows NT NATALIE 5.2 build 3790. Interesting?
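As an added example (not from the original post and not the williamanderson.ca developer's code), here is a small POSIX shell script a deployer could run against a symfony project's web/ directory before going live: it lists any *_dev.php front controllers still present and emits an Apache 2.2-style FilesMatch rule that denies them to everyone except listed addresses, which also answers the question raised in the comments below about protecting these files without renaming them. The document root, the demo file names and the addresses are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): detect symfony-style development
# front controllers (*_dev.php) left in a document root and emit an Apache
# rule that denies web access to them. Assumes a POSIX sh with find and sort.

# List every *_dev.php file under the given document root, one per line, sorted.
find_dev_controllers() {
    find "$1" -type f -name '*_dev.php' | sort
}

# Return 0 if the root is clean, 1 (and print the offenders) if any dev
# controller is present. Suitable as a pre-deploy gate.
check_webroot() {
    hits=$(find_dev_controllers "$1")
    if [ -n "$hits" ]; then
        printf 'dev front controller(s) exposed in %s:\n%s\n' "$1" "$hits"
        return 1
    fi
    return 0
}

# Print an Apache 2.2-style rule (the syntax of the symfony 1.x era) that blocks
# every *_dev.php file except for the addresses given as arguments.
deny_rule() {
    printf '<FilesMatch "_dev\\.php$">\n'
    printf '    Order deny,allow\n'
    printf '    Deny from all\n'
    for ip in "$@"; do
        printf '    Allow from %s\n' "$ip"
    done
    printf '</FilesMatch>\n'
}

# Demo on a constructed document root (hypothetical file names).
demo() {
    root=$(mktemp -d)
    : > "$root/index.php"
    : > "$root/frontend_dev.php"
    : > "$root/backend_dev.php"
    if check_webroot "$root"; then
        echo "clean: no dev controllers in $root"
    fi
    deny_rule 127.0.0.1 192.0.2.10   # 192.0.2.10 is a documentation address
    rm -rf "$root"
}

# Run with: sh devcheck.sh --demo
case "${1:-}" in
    --demo) demo ;;
esac
```

In practice the check runs in the deploy script against the project's web/ directory, and the generated rule goes into the vhost or an .htaccess next to the controllers; renaming the file only hides it, while the deny rule removes it from the attack surface for anyone not on the allow list.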

The developer uses quite a simple set of modules, and based on the configuration variables and the dump of SQL requests it's generally possible to get a good picture of the project architecture; e.g. here is the set of custom classes:

myTools: E:\www\wa\lib\myTools.class.php
photoTools: E:\www\wa\lib\photoTools.class.php
Content: E:\www\wa\lib\model\Content.php
ContentPeer: E:\www\wa\lib\model\ContentPeer.php
ContentMapBuilder: E:\www\wa\lib\model\map\ContentMapBuilder.php
PhotoMapBuilder: E:\www\wa\lib\model\map\PhotoMapBuilder.php
BaseContent: E:\www\wa\lib\model\om\BaseContent.php
BaseContentPeer: E:\www\wa\lib\model\om\BaseContentPeer.php
BasePhoto: E:\www\wa\lib\model\om\BasePhoto.php
BasePhotoPeer: E:\www\wa\lib\model\om\BasePhotoPeer.php
Photo: E:\www\wa\lib\model\Photo.php
PhotoPeer: E:\www\wa\lib\model\PhotoPeer.php

So there are only 2 tables, photo and content. I think there is no users table, so most probably the password is hardcoded (and maybe not even encrypted!). Here are samples of the SQL requests, so I was right about that:

SELECT wa_content.ID, wa_content.TYPE, wa_content.BODY, wa_content.CREATED_AT, wa_content.UPDATED_AT FROM wa_content WHERE wa_content.ID=2

SELECT wa_photo.ID, wa_photo.NAME, wa_photo.DESCRIPTION, wa_photo.SORT_ORDER, wa_photo.PHOTO, wa_photo.THUMBNAIL, wa_photo.FEATURED, wa_photo.VIEWABLE, wa_photo.CREATED_AT, wa_photo.UPDATED_AT FROM wa_photo WHERE wa_photo.FEATURED=1 LIMIT 1

I wish I could see the full info in "log and debug messages", but only stars are there 🙁

+340 Creole connect(): DSN: array ( ‘database’ => ‘****’, ‘hostspec’ => ‘****’, ‘password’ => ‘****’, ‘phptype’ => ‘****’, ‘port’ => ‘****’, ‘username’ => ‘****’, ), FLAGS: 0

The other thing that was not complicated to figure out is the admin access. I think most developers use either the standard "backend" application to provide admin access or, as in the case of this site, a self-written authorization, and here it is:

http://www.williamanderson.ca/admin.php

Of course, I don't want to provide here information on how it's possible to log in to the admin area, but believe me, this is not a big deal with only a password field and no IP blocking. So dear William Anderson, please contact your developer and ask him to secure your backend. At least that's what I'd do ASAP if I were in your place.

Of course this site is too simple for a good investigation. I also think such sites can be built on the WP engine. I don't see the reason to waste time/money re-inventing the wheel when this can be done in 2 hours using existing free open-source software. Using NextGen or another gallery plugin is really simple and, I believe, much more secure.

As for the actual content of this site: Mr. William Anderson, my hat is off to you. I really love the photos you made.

Good night!


Author: symfonian

6 Comments

Ryan Weaver
December 13, 2007

Ha, scary, I love it. Very nice. I HATE getting rid of the dev files in production – makes my life more difficult later. Does anybody know a good way of simply password-protecting them without screwing up your rewrites?

Ryan

admin
December 14, 2007

I don't think you can password-protect these kinds of files. But if you rename them, e.g. frontend_mydev.php, no one will figure out how to call them. IMHO the problem with _dev files is that they have standard names.

halfer
December 14, 2007

If you’re going to provide information about security faults about someone else’s site, it would be a good idea to send the webmaster an email with a link to your findings (ideally before you publish) so that they can fix the issues asap.

admin
December 15, 2007

Totally agree, I'd never publish direct info about a security fault. I am only going to draw attention to weak places where possible problems may appear.

nerVo
December 16, 2007

I think that images are taken directly from the DB, that's why the site is so slow.

