
How not to run a Drupal site

As you may have heard, the personal details of hundreds of NZ Labour party supporters have been acquired by notorious right-wing blogger Whale Oil.

How did he pull it off? SQL injection? A brute-force password attack? Oh no. Something far, far simpler. No one in their right mind could consider this any sort of hack.

And you thought Sony's IT security was incompetent!

To summarise, the steps involved in Whale's so-called "malicious breach" that "exploited" a "security vulnerability" were these:

  1. Visit http://healthyhomeshealthykiwis.org.nz.
  2. Browse the publicly available directories and click the links to the MySQL database dumps.
  3. Profit!

There wasn't even a ????? step involved.

The moral of the story is this: if you run any website, especially if you're using Drupal, especially if you use the Backup and Migrate module, and especially if you have plans to run the country, turn off directory browsing. Turning off listings only hides the links; a dump sitting under the web root can still be fetched by anyone who knows or guesses its filename, so keep backups outside the web root (or at the very least block direct access to the backup directory) as well.
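As an added example (not code from the original post, nor from Drupal or the Backup and Migrate module), here is a small shell script that does both halves of the lesson above: a check that tells you whether a URL is coming back as a directory listing full of dump files, and a fix that drops an .htaccess into the backup directory. It assumes Apache with .htaccess honoured (AllowOverride), and it assumes the backup directory lives under sites/default/files/backup_migrate; substitute your own destination path. The two HTML responses are constructed samples embedded so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post or from Drupal/Backup and Migrate.
# Assumptions: Apache httpd serving the site, .htaccess honoured (AllowOverride),
# and dumps written under sites/default/files/backup_migrate (an assumed path;
# substitute the destination you actually configured).

# Constructed sample of what a directory index of a backup directory looks like.
SAMPLE_LISTING='<html><head><title>Index of /sites/default/files/backup_migrate/manual</title></head>
<body><h1>Index of /sites/default/files/backup_migrate/manual</h1>
<a href="/sites/default/files/backup_migrate/">Parent Directory</a>
<a href="site-backup-1.mysql.gz">site-backup-1.mysql.gz</a>
<a href="site-backup-2.mysql.gz">site-backup-2.mysql.gz</a>
</body></html>'

# Constructed sample of the response you want to see instead.
SAMPLE_FORBIDDEN='<html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1></body></html>'

# Check 1: does a response body (read from stdin) look like an autoindex listing?
# Returns 0 when it carries the markers Apache/nginx/IIS put in listings, 1 otherwise.
looks_like_directory_listing() {
    body=$(cat)
    case "$body" in
        *"<title>Index of "*|*"Parent Directory"*|*"[To Parent Directory]"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check 2: how many links to SQL dump files does a listing (read from stdin) contain?
# Prints the count (0 when there are none).
count_dump_links() {
    grep -oE 'href="[^"]*\.(sql|mysql)(\.gz|\.zip|\.bz2)?"' | wc -l | tr -d ' '
}

# Fix: write an .htaccess into the backup directory that disables listings
# and refuses to serve the files at all (Apache 2.4 and 2.2 syntax).
write_backup_htaccess() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/.htaccess" <<'EOF'
# Never produce a directory index here.
Options -Indexes
# Never serve anything from this directory directly.
<IfModule mod_authz_core.c>
  Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
  Order deny,allow
  Deny from all
</IfModule>
EOF
}

# Usage against a live site (not run here):
#   curl -s https://example.org/sites/default/files/backup_migrate/manual/ \
#       | looks_like_directory_listing && echo "EXPOSED: directory listing served"
#   write_backup_htaccess /var/www/html/sites/default/files/backup_migrate
```

Two caveats. `Options -Indexes` in an .htaccess only takes effect if the server's `AllowOverride` permits `Options`; if you control the vhost, put the `Options -Indexes` and `Require all denied` directives in a `<Directory>` block there instead, which works regardless of override settings. And the `Require all denied` / `Deny from all` part matters more than the listing switch: the listing is only how someone finds the filenames, while the deny is what stops the download once they have one.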


Comments

arran4
Joined: 05/05/2009

TL;DW - But I get the point.