“e107 website system” — please die in a chemical fire

Earlier today I noticed something odd in the Exim mainlog on a lug.org.uk machine, so I went hunting. I found a user’s website that uses something called the “e107 website system.”

This appears to have a feature whereby an existing news item on the site can be emailed to an arbitrary email address with arbitrary extra text added by whoever sends it. Anyone can send these emails. It appears to have been used to send 46 spam emails since June 9th.

This feature is mind-numbingly stupid. I have no idea if it is a standard feature of e107, or some idiotic plugin, but whoever wrote it has not the first clue of what they are doing.

Couple this with our need to shut down another e107 site in the last few weeks due to it being filled with comment spam and bringing the server to its knees with poor SQL queries, and this fun read:

http://www.google.co.uk/search?q=%22e107+website%22+exploit+vulnerability

I cannot stress enough how much I recommend people not touch this e107 thing with a barge pole.
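The oddity in the Exim mainlog was a burst of outbound mail submitted by the web server on behalf of anonymous visitors. The following is an added example, not code from the original post or from e107, of turning that observation into a repeatable check: it parses Exim `<=` (arrival) and `=>` (delivery) lines and reports any web-server user that submitted several messages to several distinct recipients. The log lines are constructed for illustration, and the assumption that PHP submits mail as the Unix user `www-data` is the example's own.

```python
import re
from collections import defaultdict

# Constructed Exim mainlog excerpt (not the lug.org.uk log from the post).
# "<=" lines record message arrival; U= is the local Unix user that submitted it.
# "=>" lines record a delivery to one recipient for the message with that id.
SAMPLE_LOG = """\
2010-06-09 03:12:01 1OM1aa-0001Aa-Bb <= www-data@web.example U=www-data P=local S=2104
2010-06-09 03:12:02 1OM1aa-0001Aa-Bb => victim1@example.net R=dnslookup T=remote_smtp
2010-06-09 03:12:05 1OM1ab-0001Ac-Cd <= www-data@web.example U=www-data P=local S=2111
2010-06-09 03:12:06 1OM1ab-0001Ac-Cd => victim2@example.org R=dnslookup T=remote_smtp
2010-06-09 03:12:09 1OM1ac-0001Ae-Ef <= www-data@web.example U=www-data P=local S=2098
2010-06-09 03:12:10 1OM1ac-0001Ae-Ef => victim3@example.com R=dnslookup T=remote_smtp
2010-06-09 09:40:00 1OM7zz-0002Zz-Yy <= alice@web.example U=alice P=local S=812
2010-06-09 09:40:01 1OM7zz-0002Zz-Yy => bob@example.net R=dnslookup T=remote_smtp
"""

# Unix accounts a web server typically runs as (assumption; adjust per host).
WEB_USERS = ("www-data", "apache", "nobody")

ARRIVAL = re.compile(r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= \S+ .*\bU=(?P<user>\S+)")
DELIVERY = re.compile(r"^(?P<ts>\S+ \S+) (?P<id>\S+) => (?P<rcpt>\S+)")


def summarise_by_user(log_text):
    """Map each submitting Unix user to (message count, set of recipient addresses)."""
    user_of = {}  # Exim message id -> Unix user that submitted it
    stats = defaultdict(lambda: [0, set()])
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            user_of[m["id"]] = m["user"]
            stats[m["user"]][0] += 1
            continue
        m = DELIVERY.match(line)
        if m and m["id"] in user_of:
            stats[user_of[m["id"]]][1].add(m["rcpt"].lower())
    return {user: (count, rcpts) for user, (count, rcpts) in stats.items()}


def suspicious_web_senders(log_text, web_users=WEB_USERS, min_messages=3):
    """Web-server users that sent >= min_messages mails to that many distinct
    recipients: the footprint an abused anonymous 'email this article' form leaves."""
    hits = []
    for user, (count, rcpts) in summarise_by_user(log_text).items():
        if user in web_users and count >= min_messages and len(rcpts) >= min_messages:
            hits.append((user, count, sorted(rcpts)))
    return sorted(hits)


if __name__ == "__main__":
    for user, count, rcpts in suspicious_web_senders(SAMPLE_LOG):
        print(f"{user}: {count} messages to {len(rcpts)} distinct recipients")
```

On a real host, feed it `/var/log/exim4/mainlog` (or wherever Exim writes) and raise `min_messages` to suit normal traffic; a hit points at which site's mail form to disable or restrict to authenticated users.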

23 thoughts on “‘e107 website system’ — please die in a chemical fire”

  1. Wow, that anti-browser page was a really annoying thing. It suggests that *YOUR* website is unsafe to visit with any other browser than Firefox.

    I know 99.99% of people will just close this site and not install Firefox as suggested.

    Make the entry as pleasant as possible to your site and people may even read it.

  2. Yet you bothered to click through it and even leave a comment.

    I do not agree with your interpretation and do not mind if 99.99% of Internet Explorer users do not bother to click through. Thank you for your comment in any case.

  3. Andy,
    I find it truly amazing that you would use the Google search as part of your comment. If you had actually checked those links at Google and then checked with the development team at e107.org you would have found that 99.99% of those exploits had been taken care of (some before 070 came out and we’re up to 075 now).

    Further,
    The option to email a news item (to an arbitrary email address) with additional text is no more stupid than this blog, where followup comments can be sent (to an arbitrary email address). This too could be used to send spam. Just imagine if someone found your email address, put it in the mail box above where the comments are entered, entered something like “this blog sucks”, then submitted the same thing a hundred times; you would receive 100 emails telling you this blog sucks. See my point?

  4. digitalartist,

    I don’t believe that the scenario you described would be possible with this blog, as all the comments need to be moderated by myself before they are posted.

    Thus, someone would have to add a comment with a fake email address, and then add the spam comments too (without akismet catching them), and I would need to approve all of them, or else they would all have to be submitted by registered users of this site.

  5. Ok, so it wouldn’t get to your email, but by allowing unregistered postings you open yourself up to a situation similar to the comment spam you referred to. While it is true that you approve all messages before others see them, it is also true that all messages waiting for approval are housed on the server. Someone could use a bot to flood the server with posts waiting to be approved and, if coupled with an IP randomizer, would avoid being banned and could put such a huge load on the server that they would close down your blog. (Please remove the comment about bot flooding after you read it since I have no desire to give people ideas)

  6. You might want to check the settings. After my post above, I checked the page with a different computer that has a completely different IP address and saw my message fine, so it seems the messages are available for immediate viewing once posted even though you are moderating this blog.

  7. The mail feature can easily be removed, and if you don’t know how to remove it there are a lot of people at e107.org (a group of about 20 or so trusted users who are solely there to help people, and are one of the best support teams in the CMS market -although my opinion is slightly biased-) who will help you remove this, and if you can’t do it, they will do it for you in most cases.
    So this point is null. If you don’t like it, take it off.
    No website is safe and there is always something that someone can take advantage of.

  8. teamcoltra,

    It isn’t my responsibility to have to learn how to manage every single web app my users may install just to prevent security breaches and spamming of third parties. There are not enough hours in the day, and if that is your best suggestion then I would only be forced to ban use of any non-vetted package.

    If you want to argue that 100% of the e107 installations I have found so far have been managed by users with poor judgement who failed to keep their software up to date then that is a line of argument I would be more willing to accept.

    However the email feature concerned is extremely silly and should never have even been contemplated.

  9. Andy,
    I think you missed the point of teamcoltra’s post. The email feature you disapprove of is something that can be easily disabled. It is also an option not uncommon on the internet. Many major news sites, among others, have the very same option and have for years, though I believe some require registration to use it.

    I assume (though I could be wrong) that the option to moderate comments on this type of blog is set by the person owning the blog (in this case you). If I am correct and someone doesn’t set it to moderate, does it then make it a stupid option because they can receive tons of spam due to the input of arbitrary email address coupled with arbitrary text?

    No, it is not your responsibility to manage every single web app your users use, but it is also not up to you to recommend people stay away from a decent app because of options you don’t like and a list of vulnerabilities found with a Google search that were fixed before you made the first post of this topic.

    It would be the same as someone finding an old exploit on your site that was taken care of but them using it as a reason to advise everyone avoid your services with a barge pole. Unprofessional at the very least.

  10. digitalartist / teamcoltra,

    As far as I can see his only point was that this incredibly ill-conceived feature can be disabled if only people read the documentation, which is not very reassuring to me.

    WordPress defaults to requiring moderation. I don’t know if it is even possible to make it as silly as the e107 setup I found being used to send out spam, and I have no desire to invest time in finding out.

    I also have not had the same level of grief with WordPress as I have with e107 thus far. Nor many other types of software that my users install. e107 has proven exceptional in this regard, so I will continue to recommend that people not touch it with a barge pole.

    Rather than arguing back and forth on my blog about how e107 stacks up against WordPress, how about you people spend the time making sure there are no more “features” like this email thing which will cause administrators like me to find old unmaintained installs of your software spewing out spam. That might be more productive for you since as far as e107 goes I am a lost cause both as an advocate and a prospective user.

  11. I think that this little corner of the web should stop being so negative. I know we have issues with various web apps being less than awesome at times, but yeah, let’s move on, aye 🙂

  12. It’s been a couple of years and this post may not even be allowed to appear, but what the hey, it’s for you Andy. You may wish to re-look at e107, though you probably won’t. In the last 2 years it has been considered one of the top 5 content management systems in the world. Much has changed with the software in 2 years and some features (such as cache) have been duplicated by other CMS systems. An interesting point I did not make 2 years ago is that you never tried e107 but were more than willing to bad-mouth it. Much like the person who won’t try a different food but is still willing to say how bad it is. The sad thing is that by not trying it but giving a bad review you show a certain immaturity that you should seek to overcome.

    1. I had to clean up after e107 was the cause of a major spam run. At the time this was default configuration. That’s all I talked about and that was enough to put me off this software forever. I don’t see how this requires me to try this software out further. I’m not the user of the software, I’m the administrator of the server. I am very happy with my decision, based on my actual experience, to never recommend this software to anyone. See you in 2010.

  13. I happened upon this post when looking for something completely different about e107, and it just so happened to occur on the same night I was trying to figure out a catastrophic failure for a friend of mine who uses WordPress (WP was not the cause of the failure).

    I’ve never read your blog, but you seem completely biased. Your basic argument is that e107 was misused and you had to clean up after it, thus it is a horrible product not worth looking at… That’s along the same line as saying some programmer used PHP to make this stupid script, thus PHP is a horrible language and nobody should ever use it.

    I’ve been using e107 for many years on several different websites. It is an incredibly powerful CMS, and the developers have implemented many features because they are either common, or enough users requested them. Any tool with the number of options that e107 has requires someone with a clue of what they’re doing to configure it well. Just because a few admins didn’t know what they were doing doesn’t make e107 a bad product. From my playing with WordPress I’ve seen several options that, if I turned them on, would qualify as the same type of “stupidity” as what you described here. Regardless of this, it seems to me that WP is a very nice product. Just because I can hang myself with rope if given enough doesn’t mean rope is bad; it just means I was stupid for hanging myself with it.

    I completely agree with most of what digitalartist has said in these comments. You mention in one of your posts that it’s not your “responsibility to have to learn how to manage every single web app my users may install just to prevent security breaches and spamming of third parties,” but if your job is to maintain the servers, their security, spamming, etc… and you’ve given users the ability to set these things up, then I hate to be the one to tell you, but that is exactly what your job is. You obviously chose to give users this feature.

    I doubt this will ever make it past the review/moderation process. If you take anything from this little post of mine, it is to put the blame where it actually belongs and not to slander products when you know so little about them. In the cases you’ve mentioned here, the guilty party is the admin who set it up, not the tool.

    1. @joby, no, my basic argument is that shipping software that defaults to allowing anyone to send spam to anyone else is really, really, mind-numbingly stupid. It’s sad that I should have to explain this to anyone. You would not stand for it in any other piece of software or device.

  14. I no longer have any of my personal sites using e107, but that’s not because it’s a bad CMS. It’s because I needed to use other things to suit my purposes. That said, I have to point out that e107 is probably the best CMS I’ve used in terms of configurability and functionality. The only thing I don’t like about e107 is the lack of modern, attractive themes. It needs some work in this area.

  16. I run the e107 CMS system, and my site was exploited in this email bullshit. I certainly hope your spam issue wasn’t sourced to my site. My host ended up suspending my account. In lieu of this, I ended up deleting my site entirely, and rebuilding.

    Again, I am using the e107 CMS system, however, I have disabled all email capabilities from non-members. Furthermore, in order to join, a user has to fill out a recaptcha form. This prevents automated signups.

    Your statement about wishing that e107 would die in a chemical fire is a bit much. Perhaps you should wish that people who were too dumb (myself included, until 2 weeks ago) to prohibit email sending on their site would die.

    Cheers,
    Enoctis.net Admin

    1. @Enoctis,

      I realise that you’re joking about wishing that stupid people would die, but I have to stress that since “stupid” people will always exist, it is inexcusable for software like this to have such terrible default settings. I was in a similar position to your host, who ended up suspending your account. I would rather not have to do that to people, even stupid ones. I would rather that e107 died in a chemical fire.

  17. You realize incorrectly; I truly wish stupid people would die. However, as you stated, stupid people will always exist. Reason being, if everyone were smart, then the less intelligent of them would then be labeled “stupid”.

    That being said, I’ll contact e107 and see if I can get those default settings changed, albeit, I’m willing to bet I won’t be the first one to contact them regarding this issue. In the end, the e107 CMS is a great application that just needs some tweaks in certain areas.

    Regardless of our actions, there will always be some hacker or programmer somewhere spending all of their time and resources trying to exploit our everyday conveniences.

    Regards,
    Enoctis.net Admin

  18. Hey!
    I wanted to thank you for this post. It seems you got a lot of flak for stating your opinion on this CMS but I think people who disagree should not have spent so much time protecting it if it was that good to begin with.

    I got the message about it being poorly planned for new users (bad defaults) and avoided it, knowing I’m inexperienced in this area (CMS).
    I believe you may have saved me precious time.
    Thanks. I decided to use WordPress instead which seems like a worthy setup for beginners and can be installed automatically by my web hosting provider.
    Best regards,
    Arthur

    P.S. I don’t know why people feel negative criticism on a product they approve of has to be a sign of a flaw in the reviewer. ha 🙂 Anyway, it was refreshing to hear both sides and I’m glad to have read this blog.

  19. @Andy,
    There is not a software package out there for download or used on the internet that doesn’t have options that users don’t want or won’t use such as those programs that default to loading up when you turn on your computer. Are you railing against that? My guess is no. You of course have the right to tell people not to use e107 but the upside is few if any have actually listened to you.

    This is my last post here as I am no longer active with e107 so you need not answer as I already know what you will say.
