People displaying far too much info in messages
Posted: Mon Apr 17, 2006 6:43 pm
Hi guys,
I just want to rant for a moment about the dangers of leaving sensitive data lying around.
I don't have access to the mods forum anymore so thought I would just raise this issue in
the public forums. Not sure whether here is the most appropriate area or if the security
forum would be more suitable.
I think there are a few too many posts with path info, especially where the domain name forms part of the path:
/usr/clients/www.somedomain.com/joomla/
The combination of domain name, server paths, and software running on the server (often with version info)
is enough to give a hacker a good head start on probing a system. Posts with full configuration.php files - and
I have seen at least one with database usernames, passwords, hosts etc. on full display, complete with livesite
variable - are just asking for trouble.
If we are not careful this support forum could be the single largest repository for those wishing to compromise Joomla users.
I know I am ranting a bit, and I know I am preaching to the converted; I would just like to nudge the
mods to gently remind users of the dangers. Might it even be an idea to add something to the rules
about not posting too much data, or perhaps making a sticky on the subject - if there isn't one already?
Dean
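A defensive aid for the point made above, added here as an example and not part of Dean's post or of Joomla itself: a small Python script that redacts credentials and site-identifying values from a configuration.php before it is pasted into a support thread. The sample file is constructed, and the list of sensitive keys is an assumption covering both the Joomla 1.0 `$mosConfig_*` and the 1.5 `var $...` assignment styles.

```python
import re

# Constructed sample in the Joomla 1.0 configuration.php style (not a real site's file).
SAMPLE_CONFIG = """<?php
$mosConfig_absolute_path = '/usr/clients/www.somedomain.com/joomla';
$mosConfig_live_site = 'http://www.somedomain.com';
$mosConfig_host = 'localhost';
$mosConfig_user = 'joomla_admin';
$mosConfig_password = 'S3cretPass!';
$mosConfig_db = 'joomla_db';
$mosConfig_dbprefix = 'jos_';
$mosConfig_sitename = 'Example Site';
$mosConfig_secret = 'FBVtggIk5lAzEU9H';
?>
"""

# Assumed set of settings whose values identify the server, the DB account or the site.
# Keys such as dbprefix or sitename are left alone because they are usually needed for support.
SENSITIVE_KEYS = {
    "host", "user", "password", "db", "secret", "live_site", "absolute_path",
    "smtpuser", "smtppass", "mailfrom", "fromname",
}

# Matches `$mosConfig_key = 'value';` (Joomla 1.0) and `var $key = 'value';` (Joomla 1.5).
ASSIGN_RE = re.compile(
    r"""^(\s*(?:var\s+)?\$(?:mosConfig_)?(\w+)\s*=\s*)(['"])(.*?)\3(\s*;.*)$"""
)


def redact_line(line):
    """Return the line with its value replaced by [REDACTED] if the key is sensitive."""
    m = ASSIGN_RE.match(line)
    if not m:
        return line
    prefix, key, quote, value, suffix = m.groups()
    if key.lower() in SENSITIVE_KEYS and value:
        return f"{prefix}{quote}[REDACTED]{quote}{suffix}"
    return line


def redact_config(text):
    """Redact every sensitive assignment in a configuration.php body, line by line."""
    return "\n".join(redact_line(line) for line in text.split("\n"))


if __name__ == "__main__":
    print(redact_config(SAMPLE_CONFIG))
```

Run the script on your own configuration.php and paste only its output; anything that still reveals the domain, account or path should be removed by hand before posting.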