Security is hard…

So I’m a regular reader of, and contributor to, the MacFixIt forums: technical troubleshooting forums for Mac users that are part of the larger MacFixIt Web site.

MacFixIt is a very large, highly active Macintosh troubleshooting site. It offers articles, advice, commentary, and tips for all things Macintosh. Among other things, it announces new Apple security updates, and recommends that users keep on top of security patches. Good advice, right?

Err…

The forums at MacFixIt run on Web forum software called UBB.threads. To be specific, they run on UBB.threads version 6.0.2, released in 2002.

Now, let’s think about that for a second.

A large, busy Web site, one dedicated in part to information about computer security updates, is running forum software it has not updated since 2002. I bet some folks will already be able to tell where this story is going.

Yesterday, I logged on to the forums to discover that the forum topics and message board lists had been replaced with long lists of racial epithets. A quick Google search turned up a security advisory dating back to 2005, or three years ago, reporting that versions of UBB.threads prior to 6.5.2 had a really, really big number of really, really serious security problems, including cross-site scripting vulnerabilities, SQL injection vulnerabilities[1], and parameter inclusion vulnerabilities.

Turns out versions prior to 6.5.3 also have a posting vulnerability that can yield up complete control of the Web server to a malicious user.

Now, these are just the vulnerabilities that have been known and documented, and reported by UBB.threads itself, in the last three years. Even more recent versions still have some pretty significant vulnerabilities.

The current version, just for the record, is 7.2.

So I fired off an email to the administrator of the MacFixIt forums, and for the last day and a half the forums have been “down for maintenance.”

D’oh.

Egg, meet face. How in the name of God, in this day and age, does anyone who runs any kind of sophisticated server software on the Internet not keep on top of security updates? For six years?


[1] And in this day and age, anyone who does not sanitize user input to guard against SQL injection needs to be shot.

Including you, Microsoft.

20 thoughts on “Security is hard…”

  1. And in this day and age, anyone who does not sanitize user input to guard against SQL injection needs to be shot.
    As far as an application programmer like me is concerned, yes, absolutely.

    For the tools people (mainly the database vendors), though, there’s really no excuse to make all your web programmers use a near-administrator database connection and maintain their own security system that’s totally separate from the database’s security. SQL injection is the immediate problem, but the underlying problem is the fact that the users are using a connection with too many rights.

    • I share your sympathies and frustrations with things like this. Good man to let them know, and shame on them for not paying attention (they should know better!). I see this kind of thing all too often within the IT world. God complex I guess, that some IT people get.
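The footnote’s point about unsanitized input and the comment above about over-privileged database connections, run side by side. This is an added example, not code from the post or from UBB.threads: the forum schema, rows and attack strings are constructed sample data, and because SQLite has no user accounts the “restricted database user” is simulated with sqlite3’s authorizer hook (an assumption standing in for a column-level GRANT on a real server). The fix shown is a parameterized query rather than input sanitizing, which is the standard remedy.

```python
"""Added example (not from the post or from UBB.threads): a forum-style SQL
injection, what it buys an attacker on an over-privileged connection, what a
least-privilege connection still lets it do, and the parameterized query that
removes the bug.  Schema, rows and payloads are constructed sample data.
Assumption: sqlite3's authorizer stands in for "GRANT SELECT, UPDATE(body)
ON posts" on a real database server."""
import sqlite3

# Constructed sample forum; the third row is a moderator-only note.
SCHEMA = """
CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT,
                    hidden INTEGER NOT NULL DEFAULT 0);
INSERT INTO posts (author, body) VALUES ('alice', 'Welcome to the forum');
INSERT INTO posts (author, body) VALUES ('bob', 'Is 10.5.2 out yet?');
INSERT INTO posts (author, body, hidden) VALUES ('admin', 'moderation notes', 1);
"""

# Constructed payloads: the first closes the quoted string and defeats the
# hidden = 0 filter; the second smuggles an extra SET clause into an UPDATE.
LEAK_PAYLOAD = "' OR 1=1 --"
ESCALATE_PAYLOAD = "pwned', author = 'admin"


def open_db():
    # autocommit mode, so no implicit BEGIN/COMMIT reaches the authorizer
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.executescript(SCHEMA)
    return conn


def restrict_to(conn, writable_columns):
    """Simulated least-privilege user: reads allowed, UPDATE allowed only on
    the (table, column) pairs given, everything else refused.  A DENY makes
    the whole statement fail to compile, so a partly-allowed UPDATE fails."""
    read_actions = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}

    def authorizer(action, arg1, arg2, db_name, source):
        if action in read_actions:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_UPDATE and (arg1, arg2) in writable_columns:
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)


# The bug, twice: user input pasted straight into the SQL text.
def search_vulnerable(conn, author):
    sql = f"SELECT id, author, body FROM posts WHERE hidden = 0 AND author = '{author}'"
    return conn.execute(sql).fetchall()


def edit_vulnerable(conn, author, post_id, new_body):
    sql = f"UPDATE posts SET body = '{new_body}' WHERE id = {post_id} AND author = '{author}'"
    return conn.execute(sql).rowcount


# The fix: placeholders, so the driver never lets data become SQL syntax.
def search_fixed(conn, author):
    sql = "SELECT id, author, body FROM posts WHERE hidden = 0 AND author = ?"
    return conn.execute(sql, (author,)).fetchall()


def edit_fixed(conn, author, post_id, new_body):
    sql = "UPDATE posts SET body = ? WHERE id = ? AND author = ?"
    return conn.execute(sql, (new_body, post_id, author)).rowcount


def author_of(conn, post_id):
    return conn.execute("SELECT author FROM posts WHERE id = ?", (post_id,)).fetchone()[0]


def demo():
    """Run the three scenarios and return what happened in each."""
    out = {}

    # 1. Over-privileged connection (the usual forum install): both attacks land.
    db = open_db()
    out["leaked_ids"] = [row[0] for row in search_vulnerable(db, LEAK_PAYLOAD)]
    out["fixed_search"] = search_fixed(db, LEAK_PAYLOAD)
    edit_vulnerable(db, "bob", 2, ESCALATE_PAYLOAD)
    out["author_after_escalation"] = author_of(db, 2)

    # 2. Same buggy code on a least-privilege connection: the hidden row still
    #    leaks (reads are granted), but the injected SET on `author` is refused
    #    while an honest edit of `body` goes through.
    db = open_db()
    restrict_to(db, {("posts", "body")})
    out["restricted_leaked_ids"] = [row[0] for row in search_vulnerable(db, LEAK_PAYLOAD)]
    try:
        edit_vulnerable(db, "bob", 2, ESCALATE_PAYLOAD)
        out["restricted_escalation"] = "allowed"
    except sqlite3.DatabaseError:
        out["restricted_escalation"] = "denied"
    out["restricted_honest_edit"] = edit_vulnerable(db, "bob", 2, "Is 10.5.3 out yet?")
    out["author_after_restricted"] = author_of(db, 2)

    # 3. Fixed code: the payload is stored as literal text and nothing else moves.
    edit_fixed(db, "bob", 2, ESCALATE_PAYLOAD)
    out["body_after_fixed"] = db.execute("SELECT body FROM posts WHERE id = 2").fetchone()[0]
    out["author_after_fixed"] = author_of(db, 2)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Run it as a script to see each scenario’s result. The outcome is the comment’s point in miniature: the restricted connection blocks the privilege escalation but still leaks the moderator-only row, so least privilege bounds the damage, while only the placeholder query actually removes the bug.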

  4. That is sort of ironic for MacFixit — I seem to recall that’s the site that the cranky geeks over at MWJ have called out a couple times for giving ill-considered advice, which makes it marginally more amusing still.

    Forum software is notorious for this sort of thing, it seems to me: both having these sorts of broken problems in the first place, and also being most likely to be installed and then horrifically neglected by sysadmins. And have you noticed that PHP software seems to generate a disproportionate amount of suck? I think PHP is to web applications what Visual Basic is to PC applications: easy enough to get going with that people with no understanding of software engineering practice can bang something out that works in fairly short order, but that’s pretty horrifying under the hood.

  6. Yeah, it is chronic everywhere. PHP apps always seem to be like this.

    In other news, today I discovered a compromised 2002 era Linux box running an IRC bot, and I wasn’t even trying.

  8. I’d like to raise a point of context – while the attitudes that you highlight and call out are deeply problematic, I actually would argue that they’re part of a backlash caused by the MPAA/RIAA/associated fuckheads.

    If the people who talk about “copyright” and “intellectual property” most often, who get all the free media coverage about it, who buy bills in Congress about it, are those fuckers? Then it should be no great surprise that people think that copyright is what they say it is – and roundly reject it. If your experience of “copyright” is your videos being taken down from YouTube, your movie experience getting crappier every year, your fan-work getting DMCA takedown notices – then of course you’re going to say things like “fuck copyright!”

    The rationales that people are presenting are vapid and laughable – and I’m a creator, so I’m 100% behind the principle that creators should be compensated. I think, though, that it’s important to point out that the MPAA/RIAA/AF are a major cause of this attitude. They’re not just evil because of their bullshit lawsuits and legislation-buying, but because of how they’ve elevated their lifelong role as Those Who Stab Creators In The Face to a grand scale, annihilating both present and future creativity. If the populace at large ends up rejecting the idea of intellectual property and copyright altogether, I’m going to accuse the MPAA/RIAA/AF of being more responsible for that than the Pirate Bay or the FSF, because they’re the ones who’ve taught everyone that “copyright” means lawsuits, means takedowns, means that there will be no creativity without tithing to them.

    And if that was what copyright meant, I’d be against it too.

  10. For my partners and me, preventing unwanted pregnancy is just as much of a reason to have protected sex as is preventing unwanted STIs. I do agree, though, that making a rule about it is not the best way. I like the way you broke down the reasoning process. Well written.
