Tuesday, November 10, 2009

My First Security Hole

For those of you that use Drupal, you'll understand what this search result means.  For those that don't, this means that I had a page on the Orpheus.org site that ANYONE IN THE WORLD could edit.  Ooops! 
Luckily, the person that found the hole (likely discovered through a Google search much like the one above) was very subtle with their hack.  They took the logo image from my welcome page (http://www.orpheus.org/node/1) and linked it to a porn site.  I only discovered the hack just today when I went to resize the image and I realized that it had a link attached to it.
"Hmmmm...  I don't remember linking that image..." 
Fortunately, or unfortunately, I was at work at the time of the click and Websense protected my innocent eyes from anything naughty.  But now I'm wondering if I'll get called into HR tomorrow for inadvertently trying to look at "Filtered Websense Category: SEX" while at work.  Or will I get called into my boss's office for taking the 3 minutes to make a minor edit to a non-profit organization website while at work?  Only time will tell.
To all those patrons that might have clicked on that link while it was live, I say: "Orpheus does not condone hacking websites."

