I come in Peace
Hi Ladies and Gentlemen from Space Ghetto, this is my first post here so I hope you will appreciate it.
Well, first of all I've got to say that I really love your community : I really enjoy to get my eyes and brain fuck each time I spend time on the Ghetto.
I would like the Sg admins not to be butthurted by the following plox : I come in peace
As I work in Netsec, I've got something that some of you will call bad habits : pressing compulsively Ctrl+U just to see what web fuck or shitz,......I also like to test some urls, you know admins sometimes forget things.... so shit can happen...
And the shit has happenned : not because none of the SG dirs are secured, and are accessible, that's not dangerous if the system is kept up to date, as it seems for SG, and because Drupal is a robust system....But a simple nice .htaccess dropped on the site root will avoid flaws and vertigo. That's the first point.
The second point is that there is a directory accessible to all, this directory is not in the Drupal structure and it's called ????? (don't expect me to give you that url).... In that directory there were two files : a php script to upload in the database and another file.
A fucking big .sql file called Spaceghetto_final.sql.... Apparently this file was stored on the server since June 2011. As you all know sql files contains all the site or server life and more than any all the users data, like email and passwords....
I'm a nice guy (think what you want), but I was nice enough to delete that file using the upload script stored on the server and how : just with adding .php?delete=spaceghetto_final.sql at the end of that script.
I'm so nice that I've even deleted it from my computer because owning data that are not mine is like keeping a smelly shit in my house.
But just to prove that I'm not bullshitting you here is a screencap with all the sensible data blurred.:
So, I just strongly encourage all the SG users to change their passwords because even if they are MD5 hashed they are reversible, and just think about the shitload of guys not as nice as I'm who poke your datas since June 2011 i will also encourage the SG admins to put .htaccess to lock their dirs.
Then that's all. No you can go get some oil if you want to burn me.
I came in peace and will let SG in peace.
Have a nice time and keep on being awesome.