Ok, so this idea came to me at the stage when we were launching SymfonyLab.com. I was going to review existing symfony-based sites here, and I finally want to start doing that. I'm not a hacker and I'm not going to crack those resources. I'm also not a security expert, and the only reason I'm doing this is that it's some kind of fun for me; of course it's also a warning for the resource owners, and probably an alarm bell for site developers. Actually, what I finally want to achieve is to help site owners protect their sites a bit. Maybe when they find their sites here they will urgently protect/fix them, or at least kick some developers' asses 🙂
Today let's take a look at the first site I've taken from symfony's list of sites: williamanderson.ca
So, as it seems to me, the most common problem of symfony sites is that developers forget to delete the _dev.php files from the production server. As a result we can figure out some interesting information about this site. I don't think this information is really critical, but it can be helpful for hackers. So what can we figure out from here:
Not too much, but the first thing is that eAccelerator is not enabled here (in dev mode the cache is also disabled, but that may apply only to dev mode, so we can't be 100% sure). Maybe that's the reason why this site is loading so slowly?
The other thing I noticed is the name of the computer where this site is hosted:
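A deploy-time check in the spirit of this point, added here as an example and not part of the original post or of the reviewed site's code: it walks a symfony 1.x web root, lists every file matching the <app>_dev.php naming pattern that symfony gives its debug front controllers, and can delete them before the directory goes live. The sample web root it builds (index.php, frontend_dev.php, backend_dev.php and so on) is constructed for the example.

```python
"""Pre-deploy check: refuse to ship a symfony 1.x web root that still
contains debug front controllers such as frontend_dev.php or backend_dev.php.
Added example; the sample web root below is constructed, not a real site."""
import os
import re
import tempfile

# symfony 1.x names its debug front controllers <application>_dev.php.
DEV_CONTROLLER = re.compile(r"^[a-z0-9]+_dev\.php$", re.IGNORECASE)


def find_dev_controllers(web_root):
    """Return paths (relative to web_root) of every *_dev.php file found."""
    found = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if DEV_CONTROLLER.match(name):
                full = os.path.join(dirpath, name)
                found.append(os.path.relpath(full, web_root))
    return sorted(found)


def deploy_allowed(web_root):
    """True only when no debug front controller would be served."""
    return not find_dev_controllers(web_root)


def remove_dev_controllers(web_root):
    """Delete every debug front controller; return how many were removed."""
    leaks = find_dev_controllers(web_root)
    for rel in leaks:
        os.remove(os.path.join(web_root, rel))
    return len(leaks)


def build_sample_web_root():
    """Constructed fixture: a web/ directory as a forgetful deploy might leave it."""
    root = tempfile.mkdtemp(prefix="wa_web_")
    for rel in ("index.php", "frontend_dev.php", "backend.php",
                "backend_dev.php", "css/main.css"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php /* placeholder */\n")
    return root


if __name__ == "__main__":
    root = build_sample_web_root()
    leaks = find_dev_controllers(root)
    if leaks:
        print("refusing to deploy, dev controllers present:", ", ".join(leaks))
        raise SystemExit(1)
    print("ok")
```

Run it as the last step of a deploy script and let a non-zero exit abort the release; the same walk can be pointed at an already-live web root to clean it up with remove_dev_controllers.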
Hey guys, that’s my wife’s name. What a good shot! Well, what else.. NUMBER_OF_PROCESSORS: 2, php: 5.1.2
os: Windows NT NATALIE 5.2 build 3790. Interesting?
The developer uses a quite simple set of modules, and based on the configuration variables and the dump of SQL requests it's generally possible to get a good view of the project architecture; e.g. here is the set of custom classes:
So there are only 2 tables, photo and content. I think there is no users table, so most probably the password is hardcoded (and maybe not even encrypted!). Here are samples of the SQL requests, so I was right about that:
SELECT wa_content.ID, wa_content.TYPE, wa_content.BODY, wa_content.CREATED_AT, wa_content.UPDATED_AT FROM wa_content WHERE wa_content.ID=2
SELECT wa_photo.ID, wa_photo.NAME, wa_photo.DESCRIPTION, wa_photo.SORT_ORDER, wa_photo.PHOTO, wa_photo.THUMBNAIL, wa_photo.FEATURED, wa_photo.VIEWABLE, wa_photo.CREATED_AT, wa_photo.UPDATED_AT FROM wa_photo WHERE wa_photo.FEATURED=1 LIMIT 1
I wish I could see the full info in "log and debug messages", but only stars are there 🙁
+340 Creole connect(): DSN: array ( 'database' => '****', 'hostspec' => '****', 'password' => '****', 'phptype' => '****', 'port' => '****', 'username' => '****', ), FLAGS: 0
The other thing that was not complicated to figure out is admin access. I think most developers use either the standard "backend" way to determine admin access or, as in the case of this site, self-written authorization, and here it is:
Of course, I don't want to provide information here on how it's possible to log in to the admin area, but believe me, this is not a big deal with only a password field and no IP blocking. So, dear William Anderson, please contact your developer and ask him to secure your backend. At least that's what I'd do ASAP if I were in your place.
Of course this is too simple a site for a good investigation. Also, I think this kind of site can be launched on the WP engine. I don't see the reason to waste time/money on re-inventing the wheel when this can be done in 2 hours using existing free open-source software. Using NextGEN or another kind of gallery plugin is really simple and, I believe, much more secure.
As for the actual content of this site: Mr. William Anderson, my hat off to you. I really love the photos you made.
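The two weaknesses noted above (a hardcoded, possibly unencrypted password, and a login form with only a password field and no IP blocking) have straightforward fixes. The following Python sketch is an added example, not code from the post or from the site's developer: it stores a salted PBKDF2 hash instead of the password itself, compares in constant time, and locks a client IP out after a configurable number of failures. The class name LoginGuard, the "correct horse" password and the IP addresses are made up for the example.

```python
"""Minimal hardening for a single-password admin login (added example):
the password is kept as a salted PBKDF2 hash rather than a plaintext
constant, comparison is constant-time, and failed attempts are throttled
per client IP so the form cannot simply be guessed at."""
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest); store both, never the password itself."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class LoginGuard:
    """Hypothetical guard that would sit in front of the admin action."""

    def __init__(self, salt, digest, max_attempts=5, lockout_seconds=900):
        self.salt = salt
        self.digest = digest
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._failures = {}  # client_ip -> (failure count, time of last failure)

    def _locked(self, ip, now):
        count, last = self._failures.get(ip, (0, 0.0))
        return count >= self.max_attempts and now - last < self.lockout_seconds

    def attempt(self, ip, password, now=None):
        """Return 'ok', 'locked' or 'denied'.

        The lockout is checked before the password, so a locked-out client
        learns nothing from further guesses, even a correct one."""
        now = time.time() if now is None else now
        if self._locked(ip, now):
            return "locked"
        # Failures older than the lockout window no longer count.
        if now - self._failures.get(ip, (0, 0.0))[1] >= self.lockout_seconds:
            self._failures.pop(ip, None)
        _, candidate = hash_password(password, self.salt)
        if hmac.compare_digest(candidate, self.digest):
            self._failures.pop(ip, None)
            return "ok"
        count, _ = self._failures.get(ip, (0, 0.0))
        self._failures[ip] = (count + 1, now)
        return "denied"


if __name__ == "__main__":
    salt, digest = hash_password("correct horse")  # constructed secret
    guard = LoginGuard(salt, digest, max_attempts=3, lockout_seconds=60)
    for pw in ("a", "b", "c", "correct horse"):
        print(pw, "->", guard.attempt("10.0.0.1", pw, now=1000.0))
```

In a real deployment the salt and digest live in configuration outside the web root, and the failure table would be shared storage (a database table or cache) rather than a per-process dict, so that the limit holds across PHP workers; the logic itself is the same.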