Suggestion Remove Old installs from public view

[Adam H]

This morning I got a lovely email from Taz saying my premium membership had expired................I havent had a premium for years and then realised the email was entitled "admin extra". Clicking the link nicely lead me to your pre-imported Admin Extra install which among all things has brivium addons installed.

The install also seems to be running older versions of XF, since its located in a /old_sites/ folder it would it also be safe to assume there is more scripts, maybe from the other couple of boards which were imported into TAZ ?

Regardless not good form to leave old scripts full active and out of date in publicly accessible folders....................especially when they contain user data and have clearly suspect addons installed. Whether they are blocked off from search engines and directory indexing or not , as you can see that isnt fool proof since I found it.

Link removed ( by Me ) now people are aware of it.

 

[Lisa]

Weird. I'm sure that was htaccess protected a little while ago.

 

[Danielx64]

*takes a sticky beek*

 

[doubt]

Admin Extra install which among all things has brivium addons installed.

Made in 2016?
XenForo Add-ons by Brivium ™ © 2012-2016 Brivium LLC.

 

[Adam H]

Made in 2016?
XenForo Add-ons by Brivium ™ © 2012-2016 Brivium LLC.

Probably an automated date stamp to keep things current.

 

[ozzy47]

Probably an automated date stamp to keep things current.

That would be my guess, I done something like that in addons before.

 

[Adam H]

That would be my guess, I done something like that in addons before.

Fairly common practice I think, makes total sense

 

[doubt]

Probably an automated date stamp to keep things current.

In the bottom of the screen:
Forum software by XenForo™ ©2010-2014 XenForo Ltd.
Brivium updated automagically, XenForo left out?

 

[Adam H]

Automated date stamp, i.e using current year as the last year entry. Xenforo obviously doesnt ( or didnt ) do that and since its an old install in that directory Its showing the dates of which that version represents.

 

[Lisa]

I don't have server access, so it's down to The Sandman or MattW.

 

[Danielx64]

I don't have server access, so it's down to The Sandman or MattW.

Something else, may want to hide the link, I don't think that there any robots.txt file blocking access to it

 

[Adam H]

Something else, may want to hide the link, I don't think that there any robots.txt file blocking access to it

The install has noindex tag so it wont get indexed.

 

[Danielx64]

The install has noindex tag so it wont get indexed.

That's alright then

 

[Adam H]

Ive removed the link from my post anyway, just incase someone tries their luck.

 

[Digital Phoenix]

Ive removed the link from my post anyway, just incase someone tries their luck.

I think the more concerning issue is that it still has brivium mods installed.

 

[Adam H]

I think the more concerning issue is that it still has brivium mods installed.

Cant remember exactly when Adex was migrated into Taz but at a guess id have to say it was a couple of years ago ? If nothing has been updated since then there could be a host of vulnerabilities its open to brivium or no brivium ( just speculating, not 100% sure of the version but its old I know that ).

 

[Adam H]

No official explanation as to why everything was left vulnerable and easily accessible then or a thanks for making us aware instead of leaving it to rot further ? I get the feeling this has become a "sssshhh don't move, they might not see us" situation and its been brushed aside. You've got off lightly I think ......With the outrage of previous hacks and data leaks im surprised more members haven't raised concerns and asked for reasoning why this wasnt picked up when you "last tightened security" , that's a pretty fookin big lapse if you ask me..................almost as big as allowing 30 admins full permissions ( **please note 30 is an exaggeration but it adds weight to the statement so ill use it anyway )

All jokes aside, No comments what so ever from anyone in the know ? how this could possibly be left....... its yet again a neglectful act for member data, If you had been located in the UK I'm sure the ICO would have been informed by now with lessons on how to handle personal data.

Note im not trying to make a big thing of this, but I kind of did expect some kind of statement/reassurance.

 

[mysiteguy]

Not a criticism, just a suggestion for anyone reporting possible security issues in the future:

I suggest reporting possible security issues privately first, to give the party notified a chance to deal with it before exposing it to the public. Then once it is addressed, report it publicly if the party fails to report it (or fix it).​

That's how I handled it when I found SQL injection security issues in some big name paid VB plugins.

 

[Danielx64]

On a slightly different matter does anyone think that those sites were used to hack into the main current site?

Also does it have to be the owner who located in the UK? Other admins could be held accountable or not?

And who put the server on fire? Been getting gateway error for quite some time.

 

[doubt]

almost as big as allowing 30 admins full permissions

Only 29, one has left the building because of the Brivium saga.