Opened 5 months ago

Last modified 4 months ago

#13635 assigned Bug/Something is broken

security vulnerabilities in your site

Reported by: https://id.mayfirst.org/jaimev Owned by: https://id.mayfirst.org/jaimev
Priority: High Component: Tech
Keywords: Cc: https://id.mayfirst.org/bdsmovementsupportrequest, https://id.mayfirst.org/michaeldeas, pacbi.coord@…, af.manager@…
Sensitive: no

Description

The bdsmovement.net site has several cms installs embedded within it.

The first I discovered while trying to detect drupal sites that have not applied the latest security patches. In addition to your main drupal install in bdsmovement.net/web/ you have another drupal installation within the following directory that has not been updated.

bdsmovement.net/web/v2/cms/sites/

I also discovered that each of the following directories contains a very outdated wordpress installation. These are all a security risk.

bdsmovement.net/web/v2/
bdsmovement.net/web/v3/
bdsmovement.net/web/V1/

Additionally, each of the following directories contains partial wordpress installs or at least a configuration file with database credentials. These are also a security risk.

bdsmovement.net/web/v3/wp-content/themes/BDSV2/wp-config.php
bdsmovement.net/web/V1/wp-content/themes/BDSV2/wp-config.php
bdsmovement.net/web/V1/wp-content/wp-content/themes/BDSV2/wp-config.php
bdsmovement.net/web/V1/en/en/wp-config.php
bdsmovement.net/web/ar-old/wp-config.php

Those are just the cms installs I was able to identify easily. There may be other systems set up within the same web directory.
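As an added example (not part of the ticket or of the site's own tooling), the inventory step described above can be scripted: walk a web root and list every WordPress or Drupal install by its version file, plus any wp-config.php that has no wp-includes/ beside it (credentials with no site). The sample tree it builds is constructed for the demo; the directory names and version numbers in it are assumptions, not what was found on bdsmovement.net.

```shell
#!/bin/sh
# Added example: inventory nested CMS installs under a web root so outdated or
# orphaned copies can be found before deciding what to delete or split out.
# Version-file locations are the standard ones for WordPress, Drupal 7 and
# Drupal 8+; the sample tree built below is constructed for this demo.

# Print one tab-separated line per finding: <kind> <version> <location>
cms_inventory() {
  root="$1"
  {
    # WordPress: wp-includes/version.php carries $wp_version
    find "$root" -type f -path '*/wp-includes/version.php' | while read -r f; do
      ver=$(sed -n "s/^\\\$wp_version = '\([^']*\)';.*/\1/p" "$f" | head -n 1)
      printf 'wordpress\t%s\t%s\n' "${ver:-?}" "$(dirname "$(dirname "$f")")"
    done
    # Drupal 8+: core/lib/Drupal.php declares const VERSION
    find "$root" -type f -path '*/core/lib/Drupal.php' | while read -r f; do
      ver=$(sed -n "s/.*const VERSION = '\([^']*\)';.*/\1/p" "$f" | head -n 1)
      printf 'drupal\t%s\t%s\n' "${ver:-?}" "$(dirname "$(dirname "$(dirname "$f")")")"
    done
    # Drupal 7: includes/bootstrap.inc defines VERSION
    find "$root" -type f -path '*/includes/bootstrap.inc' | while read -r f; do
      ver=$(sed -n "s/.*define('VERSION', '\([^']*\)');.*/\1/p" "$f" | head -n 1)
      printf 'drupal\t%s\t%s\n' "${ver:-?}" "$(dirname "$(dirname "$f")")"
    done
    # A wp-config.php with no wp-includes/ next to it is a leftover holding
    # database credentials but no working site: flag it on its own
    find "$root" -type f -name 'wp-config.php' | while read -r f; do
      [ -d "$(dirname "$f")/wp-includes" ] || printf 'stray-wp-config\t-\t%s\n' "$f"
    done
  } | sort
}

# Count findings of one kind (wordpress, drupal, stray-wp-config)
count_kind() {
  cms_inventory "$1" | grep -c "^$2"
}

# Build a constructed sample tree mirroring the ticket's situation: one
# current Drupal site with old WordPress/Drupal copies nested inside it.
build_sample_root() {
  sample=$(mktemp -d)
  mkdir -p "$sample/web/core/lib" "$sample/web/v2/cms/includes" \
           "$sample/web/v2/wp-includes" "$sample/web/v3/wp-includes" \
           "$sample/web/V1/wp-content/themes/old" "$sample/web/ar-old"
  printf "<?php\nclass Drupal { const VERSION = '9.5.0'; }\n" > "$sample/web/core/lib/Drupal.php"
  printf "<?php\ndefine('VERSION', '7.30');\n" > "$sample/web/v2/cms/includes/bootstrap.inc"
  printf "<?php\n\$wp_version = '3.9';\n" > "$sample/web/v2/wp-includes/version.php"
  printf "<?php\n\$wp_version = '4.1';\n" > "$sample/web/v3/wp-includes/version.php"
  # Three configs: one belongs to a real install, two are orphaned leftovers
  for c in web/v3 web/V1/wp-content/themes/old web/ar-old; do
    printf "<?php\ndefine('DB_PASSWORD', 'constructed-demo');\n" > "$sample/$c/wp-config.php"
  done
  printf '%s\n' "$sample"
}

# Demo: scan the constructed tree, or pass a real web root as $1 instead
root=${1:-$(build_sample_root)}
cms_inventory "$root"
[ -n "${1:-}" ] || rm -rf "$root"
```

Run it against the real document root (for example `sh inventory.sh /path/to/web`) to get the list of installs and their versions; the output is the starting point for the clean-up below, since each line is either a site to remove, a site to move into its own hosting order, or a stray config whose credentials should be rotated and whose file should be deleted.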

Aside from being outdated, there is an inherent risk in running multiple cms installs embedded within the same web directory this way. If any one of them is compromised, it can potentially begin overwriting files of the others, such that any old wordpress or drupal install could potentially jeopardize your current main site. Having your site behind an anti-DDoS caching service like Deflect will not defend against this kind of attack.

If these old sites are unnecessary then these old directories should be removed from your main web directory. If the old sites are necessary for archival purposes then each should be separated into its own distinct hosting order. You can use a complex .htaccess file to redirect urls to old content if necessary. Given the number of cms installs involved here this will likely be a complicated process and you may want to enlist the help of an experienced web developer.

I would consider resolving the above as a high priority. I've set this ticket to sensitive so you will be unable to access the ticket directly unless it is assigned to you. Please e-mail us at support@…

Change History (2)

comment:1 Changed 5 months ago by https://id.mayfirst.org/jaimev

  • Cc pacbi.coord@… af.manager@… added
  • Sensitive unset

Hi, we haven't received any feedback from anyone from bdsmovement.net regarding this ticket. Can you confirm you've received this?

comment:2 Changed 4 months ago by https://id.mayfirst.org/jaimev

  • Owner set to https://id.mayfirst.org/jaimev
  • Status changed from new to assigned

Hey, let us know if you'd like to jump in and help out with this. I think we could at least start by cleaning up the cms installs that don't appear to be used at all, if you are ok with that.
