So my s9y blog got defaced, by a person called FD, whoever that is … Luckily that person (or persons) didn’t touch my database, so I thank him/her/them for that, but on that note, why can’t people just use email when this kind of thing happens?! Why do they always have to show off what they did and replace some stuff?!?!
In this case they only moved index.php to index.phps and created an index.html with a little HTML, nothing major, but that got me worried and wondering how they did it, because I can’t remember an s9y defect that would allow that :/ If anyone knows of any, then please tell me, and a link to the security announcement would be nice too :-)
Anyway, I was running an alpha version from the CVS of s9y, so this might be expected, but hell, what strikes me is that if you go to the admin page you get greeted with “Powered by Serendipity 0.8-alpha12 and PHP 4.3.11”, which is kinda silly; people should _not_ be able to know the exact version I’m running!!!! This is a security issue! Now I see people lining up to tell me that I should have renamed my default serendipity_admin.php file and that I should even rename everything to .foo to cover up that I’m using PHP, but I still think that software shouldn’t show off the exact version number to the public, or even a version number at all.
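As an added example (not part of the original post and not code from the Serendipity project), here is a small Python script that checks a saved HTTP response for version banners of the kind quoted above, in both the headers and the HTML body, and shows how to scrub the version tokens out of a footer string while keeping the product names. The headers and HTML below are a constructed sample: the Server value, the X-Powered-By value and the generator meta tag are assumptions for illustration, not a capture from the defaced site.

```python
import re

# A version-looking token: dotted digits with an optional pre-release suffix,
# e.g. 0.8-alpha12, 4.3.11, 1.3.33
VERSION_RE = r"\d+(?:\.\d+)+(?:[-.]?(?:alpha|beta|rc|pl)\d*)?"

# Header style: "Product/1.2.3" as seen in Server: and X-Powered-By:
HEADER_RE = re.compile(r"([A-Za-z][\w-]*)/(" + VERSION_RE + r")")

# Body style: "Serendipity 0.8-alpha12", "PHP 4.3.11", "Serendipity v.0.8-alpha12"
BODY_RE = re.compile(r"\b([A-Z][\w.-]*)\s+v?\.?\s*(" + VERSION_RE + r")")

# Headers that routinely carry product/version pairs.
LEAKY_HEADERS = ("server", "x-powered-by")

# Constructed sample response (assumed values, not a real capture).
SAMPLE_HEADERS = {
    "Server": "Apache/1.3.33 (Unix)",
    "X-Powered-By": "PHP/4.3.11",
    "Content-Type": "text/html",
}
SAMPLE_BODY = """<html><head>
<meta name="generator" content="Serendipity v.0.8-alpha12" />
</head><body>
<div id="footer">Powered by Serendipity 0.8-alpha12 and PHP 4.3.11</div>
</body></html>"""


def find_version_disclosures(headers, body):
    """Return a list of (where, product, version) for every product/version
    pair found in the leaky headers and in the HTML body."""
    found = []
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in LEAKY_HEADERS:
        value = lowered.get(name)
        if not value:
            continue
        for product, version in HEADER_RE.findall(value):
            found.append((name, product, version))
    for product, version in BODY_RE.findall(body):
        found.append(("body", product, version))
    return found


def scrub_banner(text):
    """Strip version tokens from a 'Powered by' string, keeping the
    product names, so the template can still credit the software."""
    return re.sub(r"\s*v?\.?\s*" + VERSION_RE + r"\b", "", text)


if __name__ == "__main__":
    for where, product, version in find_version_disclosures(SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{where:13s} {product} {version}")
    print(scrub_banner("Powered by Serendipity 0.8-alpha12 and PHP 4.3.11"))
```

Run against a response saved with curl -i, the script reports the Apache and PHP versions from the headers and the Serendipity and PHP versions from the meta tag and footer. The header part is fixed on the server rather than in the blog software: expose_php = Off in php.ini drops the X-Powered-By: PHP/x.y.z header, and ServerTokens Prod in Apache’s httpd.conf reduces the Server header to just the product name; the footer and meta tag have to be edited in the application’s own templates, which is what scrub_banner illustrates.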
Now, just to be clear, I can’t be sure this was an s9y, Smarty or other bundled package’s problem, though I’m pretty sure it’s s9y, and this is the kind of thing that will push me closer to leaving s9y and switching over to jaws for my blogging needs :( Picking up Smarty was one thing, a thing I did not like so much, but showing the version number is kinda too much from a security standpoint :/
I have updated my s9y version and will be running it for now, at least until jaws 0.6 comes out, and I do hope that s9y will not play any tricks on me until then. In short, I’m not happy! s9y dev team, please fix this! ;) I probably will report this if I see no action on this matter soon enough; I just have too much to do at the moment, even to deal with this petty defacement I encountered, so having to do this and write this blog entry has slowed me down somewhat ;/ I could have been using the time to do the new headers for all the Validate packages! *cough* *looks the other way*