Monthly Archives: April 2008

the problem with cms packages is….

I noticed yet again on vancouver.php.net that surprise surprise, while our backs were turned organizing the OpenWeb Vancouver 2008 conference, our Drupal based site got hammered with spam, again. We have a group of working professionals experienced in Drupal, up, down, and sideways, but we dont always have the time to monitor the website as closely as we would like. We make upgrades, we review configurations, security issues, we deal with issues as best as we can, but as volunteers, we have other things to do. We cannot keep ahead of exploits as fast as the exploiters, and I wonder who ever really does.

But really, this is a problem that is endemic to cms packages. A hacker can write one script and attack all drupal sites on the world wide web. Same problem for wordpress and every other website in a box. They all have a url that someone can post to with name & value pairs. There are always lots of things to do to protect your site, but with every new upgrade and patch, there are always new exploits that might just work when applied to your site.

Without a human being to look and see, you wont know that your site has been tossed until you see it for yourself, and remains that way until it is fixed.

Randomizing not only the form name but also the field names was a very successful experiment in my case when someone had my number. The attacker cant presume the name of your fields then so easily, and then they cant attack you. Its like you become a moving target, not a static one. At the very least, they actually need to be on the page in real time in order to post something. Now other developers have told me that in fact it could be attacked with a position based form filler, say based on a xul widget or hacked firefox, but this solution, while possible by some attackers, is generally extra effort to include in the whole looping construct for the attack.

Spam networks hire out at at least $5000 an hour, I learned at a VanLug talk last year. So if an exploit takes too long to seize on to, it is not worth the time. CMS packages are uniform instances of software in terms of action urls and form and field names, so they are static things to sieze upon in the eyes of an attacker who has to provide the biggest bang for the buck. They are sitting ducks, just waiting to get attacked. If even an array key was constructed of a md5 hash at page load time, stored in a session  (oops, no sessions in Drupal, not Kosher, if you are a Drupalist), that at a minimum would be enough to be a moving target an attacker would be unable to sieze upon without actually being on the page in real time. And that is the whole problem with spammers, they never even visit your site. Never have and never will.

Why are we doing an event like The Open Web?

Here is something I posted originally on Vancouver.php.net

Some of you may have been wondering, why is a PHP group doing an event like OpenWebVancouver 2008. The reason is that we have held very successful conferences in the past and we would like to do more. As a volunteer run, community based group, we are a group of dedicated people who would like to bring in new people into our community who share our common interest in Free Open Source Software.

PHP Developers always have to be aware of so much more than just PHP. We have to be well acquainted with the whole LAMP stack and much more. This is also the case with our colleagues who code in Python or Ruby on Rails or who are designers – they have to know much more than what their discipline represents. And hosting an event that would focus only on PHP while interesting to us, would not serve the purposed of exposing ourselves to new information.

It is time we felt, for people in the different areas of Open Source to come together and be more aware of each other. Vancouver has over 20 user groups for different technologies. The number of groups is necessary for the specialization of interests, but we all share the common interest of ideas that embrace the Open Web. Our event is a call for less fragmentation and to have strength in numbers. We all distribute software using the GPL, we deploy on systems that use it, and for the most part access a common family of tools to produce our work. The products of our work are distributed on the Internet and World Wide Web, and therefore we all depend on open and unfettered access to it.

Bring your open minds. See you there.