Hackintosh maker leaves web doors unlocked

Add Psystar to the growing list of companies that have allowed sophomoric mistakes to jeopardize the security of their websites in recent days. It turns out the unauthorized maker of Mac clones has been broadcasting sensitive information about the configuration of the MySQL database running its website to anyone who knows …

COMMENTS

  1.

    Newsworthy?

    This is hardly newsworthy. This information is pretty low risk. It just reveals a few paths and function calls. A lot of the time these kinds of error pages will at least reveal a user name, which is a good deal more useful to a hacker than just a path. That doesn't seem to be the case here. A quick google will reveal about 5 pages like this that have been cached.

    Ah yes, my coat....

  2.

    Newsworthy?

    Also, I've got to add that this statement is pretty stupid:

    "The discovery exposes the dark side to a free and open source software movement that often allows webmasters to deploy extremely powerful packages without the guidance of support people to make sure best practices are being followed."

    Most web applications are open source by their very nature because they're written in interpreted scripting languages. Virtually all of them, free or not, require the webmaster to edit the configuration files. Contrary to popular belief, we webmasters are mere mortals. We make mistakes.

    "Next up, obscuresite.com/obscurepath/obscurescript.asp?obfuscatedparameters gives an ADO Error 265805 message. News at 11."

  3. David Eddleman

    This is what companies get

    ...for using publicly-available CMSes (like Magento, featured). When you do this, you're vulnerable to their bugs. Not a good deal for a company that does ecommerce.

  4. J

    Being sarcastic?

    "The discovery exposes the dark side to a free and open source software movement that often allows webmasters to deploy extremely powerful packages without the guidance of support people to make sure best practices are being followed. Yes, the availability of free software and configuration files allows webmasters to build their sites quickly, but with all the easy cutting and pasting, sometimes security becomes an afterthought."

    Were you being sarcastic? I assume so. Because, you know, all those paying "support people to make sure best practices are being followed" (and using proprietary software to boot) are quite invulnerable to attack and always have security as their top priority. No?

  5. Anonymous Coward

    @David Eddleman

    When you use anything, you are vulnerable to its bugs. duh....

    e.g. windoze. Except if you use windoze, you're vulnerable to a lot more in terms of security :)

    Not sure what you mean really, are you just saying Magento is bad, or are you saying that it's better to have a CMS built for your specific needs in regards to a specific web app?

    Mine's the one with the penguin on it....

  6. Henry Wertz

    I don't think it exposes anything

    "The discovery exposes the dark side to a free and open source software movement that often allows webmasters to deploy extremely powerful packages without the guidance of support people to make sure best practices are being followed."

    It does no such thing. It's just as easy for someone to buy one or more commercial packages (Exchange, IIS, SQL Server, Oracle, plenty of commercial Java-on-the-server rigs, etc.) and install them without the guidance of support people to make sure best practices are being followed.

  7. Jodo Kast

    Did my config file show?

    Any error that comes back should say the same thing.

    "Unauthorized Access."

  8. raving angry loony

    fault?

    ref: "The discovery exposes the dark side to a free and open source software movement"

    You're kidding, right?

    I hope like fuck the author was being sarcastic or otherwise trying to be humorous, because if not he comes off as quite the shill for the proprietary crowd. I hate to be the one to inform the author of this, but proprietary packages are also prone to being used without the guidance of those most knowledgeable. Usually because the budget was spent on the package, not on the necessary training or support. Perhaps if the author had any real world experience in the field, or perhaps bothered to do his research, he would have discovered this. Or perhaps he does and he did, in which case there's really no excuse for such a statement.

    Instead of blaming open source, I suggest the author direct future fault-finding statements at the real cause of the problem: management that refuses to allow those implementing solutions the time or funds to get properly trained in the technologies they are using, be they proprietary or open source.

    If the statement was, in fact, meant to be humorous, please excuse my critical humour failure. After 6 days spent fixing the fuckups of some untrained scapegoat who was using an expensive proprietary package, all because his management refused to spend 1% of the package cost (and about 10% of my fee) on appropriate training, such inaccurate and outright slanderous statements really get my dander up.

  9. David Wilkinson

    I said this before ...

    You want IT people to support a new system ... hire a consultant to help set it up and train the IT staff ... lighten their loads for awhile so they have time to read the manuals and learn the new system.

    In the long run you will have happier IT staff and more stable systems.

  10. Anonymous Coward

    As if non-free, non open-source software was ever misconfigured.

    "The discovery exposes the dark side to a free and open source software movement that often allows webmasters to deploy extremely powerful packages without the guidance of support people to make sure best practices are being followed. Yes, the availability of free software and configuration files allows webmasters to build their sites quickly, but with all the easy cutting and pasting, sometimes security becomes an afterthought."

  11. Anonymous Coward

    Are those default directories?

    I'm no hacker, but is that actually "sensitive" information? They look like default directories, in which case anyone who's ever installed that (or a similar) CMS knows they're there. Kinda like saying "I know what directory you've probably installed Windows to" is "sensitive" information. Sure, you can install it somewhere else, but I hope those CMSes have been hardened from doing anything with that information.
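
Comments 1 and 11 argue about which parts of a leaked error page actually matter (paths versus usernames, hosts and SQL error text), and comment 7 says every failure should come back as the same generic message. The following is an added example, not code from the original article or from Psystar or Magento, showing both sides in working form: an error handler that in debug mode emits the exception text to the browser (the leak) and in production returns an opaque message with a correlation ID while the detail goes to the server log, plus a small checker that scans a response body for the kinds of detail the thread is discussing. The simulated `mysql_connect()` message, the `/var/www/...` path, the config values and the regex set are all constructed for the example; tune the patterns to the stack you actually run.

```python
"""Added example: generic error responses versus leaky debug output,
with a checker for leak indicators in a response body.

Everything here is constructed for illustration and is not Psystar's,
Magento's or The Register's code.
"""
import logging
import re

log = logging.getLogger("errors")

# Indicators that an error page carries server-side detail it should not.
# Constructed for this example; extend for the frameworks you deploy.
LEAK_PATTERNS = {
    # PHP warning/notice/fatal with source path and line number
    "php_warning":  re.compile(r"\b(?:Warning|Fatal error|Notice):.*?\bin\s+\S+\.php on line \d+"),
    # Filesystem paths that reveal the document root or install location
    "fs_path":      re.compile(r"(?:/var/www|/home/\w+|[A-Z]:\\inetpub)\S*"),
    # Database driver errors
    "mysql_error":  re.compile(r"\b(?:mysql_connect\(\)|Access denied for user|SQLSTATE\[\w+\])"),
    # The DB username and host, which is the part comment 1 calls most useful to an attacker
    "db_user_host": re.compile(r"for user '([^']+)'@'([^']+)'"),
    # PHP-style stack trace lines
    "stack_trace":  re.compile(r"^#\d+ \S+\(\d+\):", re.M),
}


def leak_indicators(body: str) -> dict:
    """Return {indicator_name: first matching text} for every pattern found in body."""
    found = {}
    for name, pattern in LEAK_PATTERNS.items():
        match = pattern.search(body)
        if match:
            found[name] = match.group(0)
    return found


class DBConnectError(Exception):
    pass


def connect_db(config: dict):
    """Simulated connection that always fails with a PHP-style message (constructed)."""
    raise DBConnectError(
        "Warning: mysql_connect(): Access denied for user "
        f"'{config['user']}'@'{config['host']}' (using password: YES) "
        "in /var/www/html/app/etc/local.php on line 42"
    )


def render_error(exc: Exception, debug: bool, request_id: str) -> tuple:
    """Build the (status, body) sent to the client for a failed request.

    The full exception always goes to the server log, keyed by request_id so
    an operator can find it. Only debug mode copies it into the response.
    """
    log.error("request %s failed: %s", request_id, exc)
    if debug:
        # Leaky behaviour: exception text, path and DB user end up in the browser.
        return 500, f"<pre>{exc}\nReference: {request_id}</pre>"
    # Hardened behaviour: one opaque message for every failure, plus a reference.
    return 500, f"An error occurred. Reference: {request_id}"


def handle_request(config: dict, debug: bool, request_id: str) -> tuple:
    """Simulated request: attempt the DB connection and render any failure."""
    try:
        connect_db(config)
        return 200, "ok"
    except DBConnectError as exc:
        return render_error(exc, debug, request_id)


# Constructed sample configuration for the demonstration.
SAMPLE_CONFIG = {"host": "localhost", "user": "magento", "password": "hunter2"}

if __name__ == "__main__":
    for debug in (True, False):
        status, body = handle_request(SAMPLE_CONFIG, debug, "req-0001")
        print(f"debug={debug} status={status}")
        print(body)
        print("leak indicators:", leak_indicators(body) or "none")
        print()
```

Run it and the debug response trips four of the five indicators (warning, path, driver error, user@host) while the production response trips none; the log line on stderr carries the same detail for the operator in both cases. The checker is also the quick way to answer comment 11: run it over a page fetched from a site and the `db_user_host` and `mysql_error` hits are the ones worth caring about, whereas `fs_path` alone is the default-directory case the commenter describes.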

  12. Anonymous Coward

    Bitdefender is securing partner websites

    I read on some sites that Bitdefender has secured some of the partner pages and tests all of them for vulnerabilities. Bitdefender partners use their own CMS, not the Bitdefender one...

  13. Anonymous Coward

    Open-source, lousy documentation

    "The discovery exposes the dark side to a free and open source software movement that often allows webmasters to deploy extremely powerful packages without the guidance of support people to make sure best practices are being followed."

    Might help if the open-source people would get their shit together and start writing some actual human-understandable, well-written, THOROUGH MANUALS that NORMAL PEOPLE CAN UNDERSTAND!

    Maybe the normal people just aren't elite enough to use/understand open-source. Can't expect much from dummies after all. Must be it.
