“e107 website system” — please die in a chemical fire

Earlier today I noticed something odd in the Exim mainlog on a lug.org.uk machine, so went hunting. I found a user’s website that uses something called the “e107 website system.”

This appears to have a feature whereby an existing news item on the site can be emailed to an arbitrary email address with arbitrary extra text added by whoever sends it. Anyone can send these emails. It appears to have been used to send 46 spam emails since June 9th.
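The pattern described above (a web application's "email this item" form acting as an open relay) shows up in the Exim mainlog as a burst of locally injected messages from the web-server user fanning out to unrelated external domains. The following is an added example, not code from the post or from e107, that parses a constructed set of Exim mainlog lines (the `<=` arrival and `=>` delivery records) and flags that pattern; the user name `www-data`, the host names and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of Exim mainlog lines (not from the original post).
# "<=" marks message arrival (U= is the local user that injected it);
# "=>" marks a delivery to a recipient.
SAMPLE_MAINLOG = """\
2006-06-09 10:15:22 1FoAaa-0001Ab-Cd <= www-data@lug.example U=www-data P=local S=1482
2006-06-09 10:15:23 1FoAaa-0001Ab-Cd => victim1@example.net R=dnslookup T=remote_smtp
2006-06-09 10:15:23 1FoAaa-0001Ab-Cd Completed
2006-06-09 10:15:40 1FoAab-0001Ac-De <= www-data@lug.example U=www-data P=local S=1490
2006-06-09 10:15:41 1FoAab-0001Ac-De => victim2@example.org R=dnslookup T=remote_smtp
2006-06-09 10:15:41 1FoAab-0001Ac-De Completed
2006-06-09 10:16:05 1FoAac-0001Ad-Ef <= www-data@lug.example U=www-data P=local S=1477
2006-06-09 10:16:06 1FoAac-0001Ad-Ef => victim3@example.com R=dnslookup T=remote_smtp
2006-06-09 10:16:06 1FoAac-0001Ad-Ef Completed
2006-06-09 11:02:10 1FoAad-0001Ae-Fg <= alice@lug.example U=alice P=local S=2210
2006-06-09 11:02:11 1FoAad-0001Ae-Fg => bob@example.net R=dnslookup T=remote_smtp
2006-06-09 11:02:11 1FoAad-0001Ae-Fg Completed
"""

ARRIVAL = re.compile(r"^(\S+ \S+) (\S+) <= (\S+) U=(\S+)")
DELIVERY = re.compile(r"^\S+ \S+ (\S+) => (\S+)")


def summarise_senders(log_text):
    """Return {local_user: (message_count, set of distinct recipient domains)}."""
    user_of = {}                      # Exim message id -> injecting local user
    counts = defaultdict(int)
    domains = defaultdict(set)
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            msg_id, user = m.group(2), m.group(4)
            user_of[msg_id] = user
            counts[user] += 1
            continue
        m = DELIVERY.match(line)
        if m and m.group(1) in user_of:
            recipient_domain = m.group(2).rsplit("@", 1)[-1].lower()
            domains[user_of[m.group(1)]].add(recipient_domain)
    return {u: (counts[u], domains[u]) for u in counts}


def flag_web_relay(log_text, web_user="www-data", max_msgs=2):
    """True if the web-server user injected more than max_msgs messages that
    went to several distinct domains: the signature of an open mail-a-friend form."""
    n, doms = summarise_senders(log_text).get(web_user, (0, set()))
    return n > max_msgs and len(doms) > 1
```

On a real host, feed the script the contents of `/var/log/exim4/mainlog` (path assumed) and tune `max_msgs` to the legitimate volume of mail the web applications send.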

This feature is mind-numbingly stupid. I have no idea if it is a standard feature of e107, or some idiotic plugin, but whoever wrote it has not the first clue of what they are doing.

Couple this with our having had to shut down another e107 site in the last few weeks, because it was filled with comment spam and its poor SQL queries were bringing the server to its knees, and this fun read:

http://www.google.co.uk/search?q=%22e107+website%22+exploit+vulnerability

I cannot stress enough how much I recommend people not touch this e107 thing with a barge pole.

12 Responses to ““e107 website system” — please die in a chemical fire”

  1. LOGAN Says:

    Wow that anti browser page was a real annoying thing. It suggests that *YOUR* website is unsafe to visit with any other browser than Firefox.

    I know 99.99% of people will just close this site and not install Firefox as suggested.

    Make the entry as pleasant as possible to your site and people may even read it.

  2. Andy Says:

    Yet you bothered to click through it and even leave a comment.

    I do not agree with your interpretation and do not mind if 99.99% of Internet Explorer users do not bother to click through. Thank you for your comment in any case.

  3. digitalartist Says:

    Andy,
    I find it truly amazing that you would use the google search as part of your comment. If you had actually checked those links at google and then checked with the development team at e107.org you would have found that 99.99% of those exploits had been taken care of (some before 070 came out and we’re up to 075 now).

    Further,
    The option to email a news item (to an arbitrary email address) with additional text is no more stupid than this blog where followup comments can be sent (to an arbitrary email address). This too could be used to send spam. Just imagine if someone found your email address, put it in the mail box above where the comments are entered, entered something like this blog sucks then submitted the same thing a hundred times, you would receive 100 emails telling you this blog sucks. See my point?

  4. Andy Says:

    digitalartist,

    I don’t believe that the scenario you described would be possible with this blog, as all the comments need to be moderated by myself before they are posted.

    Thus, someone would have to add a comment with a fake email address, and then add the spam comments too (without akismet catching them), and I would need to approve all of them, or else they would all have to be submitted by registered users of this site.

  5. digitalartist Says:

    Ok so it wouldn’t get to your email but by allowing unregistered postings you open yourself up to a situation similar to the comment spam you referred to. While it is true that you approve all messages before others see them, it is also true that all messages waiting for approval are housed on the server. Someone could use a bot to flood the server with posts waiting to be approved and if coupled with an ip randomizer would avoid being banned and could put such a huge load on the server that they would close down your blog. (Please remove the comment about bot flooding after you read it since I have no desire to give people ideas)

  6. digitalartist Says:

    You might want to check the settings. After my post above, I checked the page with a different computer that has a completely different ip address and saw my message fine so it seems the messages are available for immediate viewing once posted even though you are moderating this blog.

  7. Andy Says:

    Because you are a poster that I have approved. I don’t really see that these situations are comparable, sorry.

  8. teamcoltra Says:

    The mail feature can easily be removed, and if you don’t know how to remove it there are a lot of people at e107.org (a group of about 20 or so that are trusted users that are solely there to help people.. and are one of the best support teams in the CMS market -although my opinion is slightly biased-) who will help you remove this and if you can’t do it, they will do it for you in most cases.
    So this point is null. If you don’t like it take it off.
    No website is safe and there is always something that someone can take advantage of.

  9. Andy Says:

    teamcoltra,

    It isn’t my responsibility to have to learn how to manage every single web app my users may install just to prevent security breaches and spamming of third parties. There are not enough hours in the day and if that is your best suggestion then I would only be forced to ban use of any non-vetted package.

    If you want to argue that 100% of the e107 installations I have found so far have been managed by users with poor judgement who failed to keep their software up to date then that is a line of argument I would be more willing to accept.

    However the email feature concerned is extremely silly and should never have even been contemplated.

  10. digitalartist Says:

    Andy,
    I think you missed the point of teamcoltra’s post. The email feature you disapprove of is something that can be easily disabled. It is also an option not uncommon on the internet. Many major news sites, among others, have the very same option and have for years, though I believe some require registration to use it.

    I assume (though I could be wrong) that the option to moderate comments on this type of blog is set by the person owning the blog (in this case you). If I am correct and someone doesn’t set it to moderate, does it then make it a stupid option because they can receive tons of spam due to the input of arbitrary email address coupled with arbitrary text?

    No it is not your responsibility to manage every single web app your users use, but it is also not up to you to recommend people stay away from a decent app because of options you don’t like and a list of vulnerabilities found with a google search that were fixed before you made the first post of this topic.

    It would be the same as someone finding an old exploit on your site that was taken care of but them using it as a reason to advise everyone avoid your services with a barge pole. Unprofessional at the very least.

  11. Andy Says:

    digitalartist / teamcoltra,

    As far as I can see his only point was that this incredibly ill-conceived feature can be disabled if only people read the documentation, which is not very reassuring to me.

    Wordpress defaults to requiring moderation. I don’t know if it is even possible to make it as silly as the e107 setup I found being used to send out spam, and I have no desire to invest time in finding out.

    I also have not had the same level of grief with Wordpress as I have with e107 thus far. Nor many other types of software that my users install. e107 has proven exceptional in this regard, so I will continue to recommend that people not touch it with a barge pole.

    Rather than arguing back and forth on my blog about how e107 stacks up against Wordpress, how about you people spend the time making sure there are no more “features” like this email thing which will cause administrators like me to find old unmaintained installs of your software spewing out spam. That might be more productive for you since as far as e107 goes I am a lost cause both as an advocate and a prospective user.

  12. spam post Says:

    I think that this little corner of the web should stop being so negative, I know we have issues with various web apps being less than awesome at times but yeah let’s move on aye :)
