Re: free source for bbs

From: A. Sinan Unur (1usa_at_llenroc.ude)
Date: 04/04/04


Date: 4 Apr 2004 17:40:44 GMT


"Robin" <webmaster@infusedlight.net> wrote in
news:c4nv4g$ng1$3@reader2.nmix.net:

> Well, it hasn't been hacked again in about half a day, I know how they
> did it the first time, fixed that, and I know how they did it the
> second time because my password for the admin script was something
> easily guessable, but the last time must have been done with some sort
> of exploiter script that submitted a lot of stuff through my forms
> through http.

Get real. No one needs anything remotely that involved when they can just
go to:

http://www.infusedlight.net/design/bbs/admin.pl

which gives them the user names and passwords. Since admin.pl is not
protected, no one needs to guess anything. (At least, this was the state of
affairs when I last checked.)

No one hacked/cracked your site. It was wide open. People here have
patiently tried to tell you to learn something ... anything before you make
such stuff available to the rest of the world.

And, if someone had used the 'feature' of emailing posts to arbitrary email
addresses to launch an attack or just send random spam, you would have been
in a world of trouble.

> Can someone tell me a few lines of code I could use in
> the script - www.infusedlight.net/bbs/ (download here) that would
> prevent it from being insecure,

Learn how to program first. For example:

use strict;
use warnings;

# From lib.pl (see http://www.infusedlight.net/bbs/)
sub out_println {
    no strict;    # needed only because $content below is never declared
    my (@content) = @_;
    foreach $content (@content) {
        print ($content);
    }
    print ("\n");
}

# Same behaviour, without the undeclared global or the superfluous parentheses.
sub out_println_2 {
    print for (@_);
    print "\n";
}

my @lines = qw(one two three four five six seven eight);

print "Robin's version: \n";
out_println(@lines);

print "Modified version: \n";
out_println_2(@lines);

print "The Perl way:\n";
print @lines, "\n";
__END__

C:\Home\asu1> t.pl
Robin's version:
onetwothreefourfivesixseveneight
Modified version:
onetwothreefourfivesixseveneight
The Perl way:
onetwothreefourfivesixseveneight

The moral of the story: There is absolutely no sense in writing stuff like
that. You need to learn the basics.

> I know this is asking a lot, but I'd
> like to be able to be running a good, safe, secure message board
> system.

Buy Programming Perl (http://www.oreilly.com/catalog/pperl3/). Start with
the cover page and read every single letter. Work all the examples.

> In any event, I have a feeling that it might be really
> exploited soon now that I have a feature to mail posts to you,
> hopefully that doesn't happen. I also have a feeling that to get a
> secure script written I'll have to start over from scratch.

In a few years maybe.
 
> Password files are no longer world readable.

What does it matter that the file itself is not readable? The admin.pl
script makes the contents visible to anyone who cares to enter the URL.

> I know you're gonna say I should abandon programming, but why? There's
> no good reason for abandoning something once you've started and already
> have a backbone of knowledge for it.

Have you ever heard of the phrase "cutting your losses"?

You have zero knowledge of anything at this stage. Yes, you have wasted
some time (yours and ours) in the process of learning absolutely nothing
but that is no justification for continuing to waste everyone's time.

You have been given advice. You chose not to take it.

It is hard to ignore you because you provide much laughter at precisely the
right moment. I don't remember laughing this much in the last couple of
months.

But we are not laughing with you. We are laughing at you.

The only way you will get any respect and advice is by showing an inkling
of a glimmer of an attempt to learn. That is not too hard to do. The choice
is yours.

Sinan.

-- 
A. Sinan Unur
1usa@llenroc.ude (reverse each component for email address)
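The two holes Sinan names above (an admin script that prints user names and passwords to anyone who requests the URL, and a "mail this post" feature that will send to any address typed into a form) have standard fixes. The script below is an added example, not code from Robin's BBS and not from Sinan's post. It assumes a record format of `user:email:salt:sha256_hex(salt . password)`, a hard-coded set of admin accounts, and constructed sample records embedded in the file so it runs with nothing on disk; it uses only core modules (Digest::SHA).

```perl
#!/usr/bin/perl
# Added example: not Robin's BBS code and not from Sinan's post.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Assumed on-disk record format (the real BBS uses something else):
#   user:email:salt:sha256_hex(salt . password)
# Constructed sample data, embedded so the script runs without any file.
my @PASSWORD_RECORDS = (
    join(':', 'robin', 'webmaster@example.net', 'a1b2c3d4',
         sha256_hex('a1b2c3d4' . 'correct horse battery')),
    join(':', 'guest', 'guest@example.org', '9f8e7d6c',
         sha256_hex('9f8e7d6c' . 'guest')),
);

# Assumption: which accounts are allowed to use the admin script at all.
my %ADMINS = (robin => 1);

# Parse the records into a hash keyed by user name. No plaintext password
# exists in memory or on disk, so there is nothing for an admin page to leak.
sub load_users {
    my %users;
    for my $line (@_) {
        my ($user, $email, $salt, $hash) = split /:/, $line, 4;
        next unless defined $hash;
        $users{$user} = { email => $email, salt => $salt, hash => $hash };
    }
    return \%users;
}

# Compare two hex digests in time independent of where they first differ.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Recompute the salted hash for the submitted password and compare.
sub verify_password {
    my ($users, $user, $candidate) = @_;
    my $rec = $users->{$user} or return 0;
    return constant_time_eq($rec->{hash}, sha256_hex($rec->{salt} . $candidate));
}

# What an admin page must do before printing anything: demand credentials,
# check the account is actually an admin, and even then show user names only.
# Returns an array ref of names, or undef when access is refused.
sub admin_user_list {
    my ($users, $user, $pass) = @_;
    return undef unless $ADMINS{$user} && verify_password($users, $user, $pass);
    return [ sort keys %$users ];
}

# "Mail this post to ..." done safely: the form names a registered user and the
# address comes from the stored record, never from a free-form field, so the
# script cannot be turned into a spam relay.
sub mail_recipient {
    my ($users, $target_user) = @_;
    my $rec = $users->{$target_user} or return undef;
    return $rec->{email};
}

# Demonstration with the constructed records above.
my $users = load_users(@PASSWORD_RECORDS);
for my $try (['guest', 'guest'], ['robin', 'wrong'], ['robin', 'correct horse battery']) {
    my $list = admin_user_list($users, @$try);
    printf "admin as %-6s: %s\n", $try->[0],
        defined $list ? "users: @$list" : "refused";
}
for my $target ('guest', 'nobody', 'spam@victim.example') {
    my $to = mail_recipient($users, $target);
    printf "mail to %-20s: %s\n", $target, defined $to ? $to : "refused";
}
```

Only the third admin attempt (the right account with the right password) gets a listing, and even that listing contains no secrets; only `guest` resolves to a mail address, because the other two targets are not registered users. For a real deployment, replace the single SHA-256 pass with a deliberately slow, salted password hash (bcrypt or Argon2), serve the forms over HTTPS, and additionally put the admin script behind web-server authentication so that a bug in the script itself is not the only thing standing between the Internet and the password file.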

