Suggestion Remove Old installs from public view

Adam H

** Retired **
Joined
Jun 22, 2008
Messages
2,046
This morning I got a lovely email from Taz saying my premium membership had expired................I havent had a premium for years and then realised the email was entitled "admin extra". Clicking the link nicely lead me to your pre-imported Admin Extra install which among all things has brivium addons installed.

The install also seems to be running older versions of XF, since its located in a /old_sites/ folder it would it also be safe to assume there is more scripts, maybe from the other couple of boards which were imported into TAZ ?

Regardless not good form to leave old scripts full active and out of date in publicly accessible folders....................especially when they contain user data and have clearly suspect addons installed. Whether they are blocked off from search engines and directory indexing or not , as you can see that isnt fool proof since I found it.

Link removed ( by Me ) now people are aware of it.
 
Last edited:

Lisa

Chaotically Proportional
Joined
Jan 6, 2004
Messages
27,514
Weird. I'm sure that was htaccess protected a little while ago.
 

doubt

Tazmanian
Joined
Feb 25, 2013
Messages
4,862
Probably an automated date stamp to keep things current.
In the bottom of the screen:
Forum software by XenForo™ ©2010-2014 XenForo Ltd.
Brivium updated automagically, XenForo left out?
 

Adam H

** Retired **
Joined
Jun 22, 2008
Messages
2,046
Automated date stamp, i.e using current year as the last year entry. Xenforo obviously doesnt ( or didnt ) do that and since its an old install in that directory Its showing the dates of which that version represents.
 

Adam H

** Retired **
Joined
Jun 22, 2008
Messages
2,046
Ive removed the link from my post anyway, just incase someone tries their luck.
 

Adam H

** Retired **
Joined
Jun 22, 2008
Messages
2,046
I think the more concerning issue is that it still has brivium mods installed.
Cant remember exactly when Adex was migrated into Taz but at a guess id have to say it was a couple of years ago ? If nothing has been updated since then there could be a host of vulnerabilities its open to brivium or no brivium ( just speculating, not 100% sure of the version but its old I know that ).
 

Adam H

** Retired **
Joined
Jun 22, 2008
Messages
2,046
No official explanation as to why everything was left vulnerable and easily accessible then or a thanks for making us aware instead of leaving it to rot further ? I get the feeling this has become a "sssshhh don't move, they might not see us" situation and its been brushed aside. You've got off lightly I think ......With the outrage of previous hacks and data leaks im surprised more members haven't raised concerns and asked for reasoning why this wasnt picked up when you "last tightened security" , that's a pretty fookin big lapse if you ask me..................almost as big as allowing 30 admins full permissions ( **please note 30 is an exaggeration but it adds weight to the statement so ill use it anyway )

All jokes aside, No comments what so ever from anyone in the know ? how this could possibly be left....... its yet again a neglectful act for member data, If you had been located in the UK I'm sure the ICO would have been informed by now with lessons on how to handle personal data.

Note im not trying to make a big thing of this, but I kind of did expect some kind of statement/reassurance.
 
Last edited:

mysiteguy

Fanatic
Joined
Feb 20, 2007
Messages
3,017
Not a criticism, just a suggestion for anyone reporting possible security issues in the future:

I suggest reporting possible security issues privately first, to give the party notified a chance to deal with it before exposing it to the public. Then once it is addressed, report it publicly if the party fails to report it (or fix it).​

That's how I handled it when I found SQL injection security issues in some big name paid VB plugins.
 

Danielx64

Developer
Joined
Nov 8, 2009
Messages
3,330
On a slightly different matter does anyone think that those sites were used to hack into the main current site?

Also does it have to be the owner who located in the UK? Other admins could be held accountable or not?

And who put the server on fire? Been getting gateway error for quite some time.
 
Top