The Greymatter script, while excellent in almost every aspect (a tip of the Farlopsian hat to Mr. Grey!), needs a little help so that, after installation, it runs in a secure fashion. For example, many of the forms it uses send the author’s username and password as unencrypted text between client and server. Actually, this is a problem that many Perl server scripts have, and if you don’t take precautions, you’re one packet sniff or hack away from getting your script, and maybe the rest of your server, owned.
Anyway, I imagine a lot of the savvy Web builders knew this upon installation and thus took cautionary measures. However, there might be some inexperienced users out there who’ve just installed Greymatter and may be unaware of how to stop the hack Dangerous Monkey publicized.
Pretty simple to state:
- Make certain that the directory Greymatter generates pages to forbids file structure browsing to unauthorized users. Don’t do this in other words. This can be done via .htaccess or by putting a default page in place.
- Don’t use the IE-based bookmarklets Greymatter offers, at all. And erase any files labeled gmrightclick[some number].reg in the journal directory to prevent dictionary attacks. [Recent addition: Thanks to Noah (see below)!] I was informed that if everyone uses the “Clear and Exit” button on the bookmarklets page in Greymatter, it will automatically erase all registry files (files of the form gmrightclick[some number].reg) in the journal directory. In other words, I spoke before I had all the facts. Using the bookmarklets page correctly will prevent this hack from occurring.
To secure Greymatter, or any server-side script in general:
- Make certain all scripts are installed in directories that forbid file structure browsing to unauthorized users.
- Tweak scripts and forms to use SSL for any password, username, credit card numbers, SSN or other information you don’t want packet sniffing to see. Unfortunately not everyone will be running their site on a server which allows users to use SSL. If not, well, I guess you’ll have to change your password frequently.
- Make certain that any script passwords and usernames don’t correspond to root or system usernames and passwords.
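As an added example (not part of the original post or of Greymatter itself), this shell script checks one directory for the two problems in the first list above: leftover gmrightclick[some number].reg files and missing protection against directory browsing. It assumes an Apache-style .htaccess that uses `Options -Indexes` and default pages named index.html or index.htm; the function names are illustrative.

```shell
#!/bin/sh
# Added example: audit one Greymatter output directory for the two issues above.
# Assumptions: Apache-style .htaccess, default pages named index.html/index.htm.

# Print any leftover bookmarklet registry files (gmrightclick<number>.reg).
find_stray_reg() {
    for f in "$1"/gmrightclick*.reg; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Succeed if directory browsing is blocked by a default page or by .htaccess.
listing_blocked() {
    for page in index.html index.htm; do
        [ -f "$1/$page" ] && return 0
    done
    # Match an uncommented "Options ... -Indexes" line.
    [ -f "$1/.htaccess" ] &&
        grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1/.htaccess"
}

# Report findings for a directory; exit status is the number of problems (0-2).
audit_dir() {
    problems=0
    stray=$(find_stray_reg "$1")
    if [ -n "$stray" ]; then
        printf 'stray registry files (use "Clear and Exit" or delete):\n%s\n' "$stray"
        problems=$((problems + 1))
    fi
    if ! listing_blocked "$1"; then
        printf 'directory listing not blocked in %s\n' "$1"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Usage: sh audit.sh /path/to/journal/directory
if [ "$#" -gt 0 ]; then
    audit_dir "$1"
fi
```

A .htaccess file only takes effect if the server configuration allows overrides for that directory, so confirm the result by requesting the directory URL in a browser.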
Just to spread the word here =) – what causes this is leaving the Add Bookmarklets screen without clicking the “Clear And Exit” button as intended – that’s why it’s the only button on that screen. If you really want to make sure, going back and clicking “Clear And Exit” will delete any stray *.reg files in the entries directory, and if you did this the first time around anyway then there’s nothing to worry about.
Wow! I really appreciate you stopping by and setting this straight for me, Noah! Thanks!
Oh, and speaking of contributing to open-source, I promised folks on the Greymatter support board that I’d deliver a minor little JavaScript tweak for the “Add a New Entry” form. This promise is many months overdue, and I believe Domesticat mailed me to ask about it. It’s time I delivered.