
Security is hard...

So I'm a regular reader of, and contributor to, the MacFixIt forums, the technical computer troubleshooting forums for Mac users that are part of the larger MacFixIt Web site.

MacFixIt is a very large, highly active Macintosh troubleshooting site. It offers articles, advice, commentary, and tips for all things Macintosh. Among other things, it announces new Apple security updates, and recommends that users keep on top of security patches. Good advice, right?

Err...

The forums at MacFixIt run on Web forum software called UBB.threads. To be specific, they run on UBB.threads version 6.0.2, released in 2002.

Now, let's think about that for a second.

A large, busy Web site--a Web site dedicated to, among other things, information about computer security updates--is running forum software it has not updated since 2002. I bet some folks will already be able to tell where this story is going.

Yesterday, I logged on to the forums to discover that the forum topics and message board lists had been replaced with long lists of racial epithets. A quick Google search turned up a security advisory dating back to 2005, or three years ago, reporting that versions of UBB.threads prior to 6.5.2 had a really, really big number of really, really serious security problems, including cross-site scripting vulnerabilities, SQL injection vulnerabilities[1], and parameter inclusion vulnerabilities.

Turns out versions prior to 6.5.3 also have a posting vulnerability that can yield up complete control of the Web server to a malicious user.

Now, these are just the vulnerabilities that have been known and documented, and reported by UBB.threads itself, in the last three years. Even more recent versions still have some pretty significant vulnerabilities.

The current version, just for the record, is 7.2.

So I fired off an email to the administrator of the MacFixIt forums, and for the last day and a half the forums have been "down for maintenance."

D'oh.

Egg, meet face. How in the name of God, in this day and age, does anyone who runs any kind of sophisticated server software on the Internet not keep on top of security updates? For six years?

[1] And in this day and age, anyone who does not sanitize user input to guard against SQL injection needs to be shot.

Including you, Microsoft.


Comments

kijeren
Apr. 24th, 2008 03:20 pm (UTC)
Oh, that's easy.

Jack thought Sam was doing it, Sam figured Bob had done it, and Bob assumed Jack had it all taken care of. :-) ~grin~
pstscrpt
Apr. 24th, 2008 05:14 pm (UTC)
And in this day and age, anyone who does not sanitize user input to guard against SQL injection needs to be shot.
As far as an application programmer like me is concerned, yes, absolutely.

For the tools people (mainly the database vendors), though, there's really no excuse to make all your web programmers use a near-administrator database connection and maintain their own security system that's totally separate from the database's security. SQL injection is the immediate problem, but the underlying problem is the fact that the users are using a connection with too many rights.
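The footnote's point about SQL injection, and pstscrpt's observation that the real problem is what the application's query is allowed to do, as an added example that is not part of the post or its comments: a forum topic search written the vulnerable way beside the parameterized version, run against a constructed in-memory SQLite table. The table, titles and function names are assumptions for the demonstration; SQLite has no per-user grants, so only the query-construction half of the problem is shown here.

```python
import sqlite3

# Constructed sample data: a tiny forum "topics" table; one row is hidden from the public list.
SAMPLE_TOPICS = [
    (1, "Kernel panic after 10.5.2 update", 1),
    (2, "Safari keeps crashing", 1),
    (3, "Moderator notes (private)", 0),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample topics."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE topics (id INTEGER, title TEXT, visible INTEGER)")
    conn.executemany("INSERT INTO topics VALUES (?, ?, ?)", SAMPLE_TOPICS)
    return conn


def search_vulnerable(conn, term):
    """Vulnerable: the search term is spliced into the SQL text, so quote characters
    and comment markers in `term` are parsed as SQL and can rewrite the WHERE clause."""
    sql = "SELECT id FROM topics WHERE visible = 1 AND title LIKE '%" + term + "%'"
    return sorted(row[0] for row in conn.execute(sql))


def search_parameterized(conn, term):
    """Hardened: the driver binds `term` as a value. Whatever it contains, it can only
    ever be matched against titles; it cannot change the structure of the query."""
    sql = "SELECT id FROM topics WHERE visible = 1 AND title LIKE ?"
    return sorted(row[0] for row in conn.execute(sql, ("%" + term + "%",)))


if __name__ == "__main__":
    db = make_db()
    # A constructed malicious search term: closes the string literal, appends a tautology,
    # and comments out the remainder, so the visibility filter no longer applies.
    hostile = "' OR 1=1 --"
    print("vulnerable   :", search_vulnerable(db, hostile))     # every row, hidden one included
    print("parameterized:", search_parameterized(db, hostile))  # no title contains that text
```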
sbernard16
Apr. 24th, 2008 07:58 pm (UTC)
I share your sympathies and frustrations with things like this. Good man to let them know and shame on them for not paying attention (they should know better!). I see this kind of thing oh too often within the IT world. God complex I guess, that some IT people get.
slate_canada
Apr. 24th, 2008 08:07 pm (UTC)
sylvar
Apr. 24th, 2008 08:17 pm (UTC)
You had me at "UBB".
chipotle
Apr. 24th, 2008 09:48 pm (UTC)
That is sort of ironic for MacFixIt -- I seem to recall that's the site that the cranky geeks over at MWJ have called out a couple times for giving ill-considered advice, which makes it marginally more amusing still.

Forum software is notorious for this sort of thing, it seems to me: both having these sorts of broken problems in the first place, and also being most likely to be installed and then horrifically neglected by sysadmins. And have you noticed that PHP software seems to generate a disproportionate amount of suck? I think PHP is to web applications what Visual Basic is to PC applications: easy enough to get going with that people with no understanding of software engineering practice can bang something out that works in fairly short order, but that's pretty horrifying under the hood.

jtroutman
Apr. 25th, 2008 02:35 am (UTC)
Yeah, it is chronic everywhere. PHP apps always seem to be like this.

In other news, today I discovered a compromised 2002 era Linux box running an IRC bot, and I wasn't even trying.

sterno
Apr. 25th, 2008 02:54 am (UTC)
Thanks for the reminder. Need to upgrade the software on my server :)