Well, I was going to wait a bit until I had finished the remaining sections of the castle before releasing the code, but this evening someone from PerlMonks paid a little visit and ran some sort of exploit on the site, damaging several posts and generally being a tosspot.
Anyway, so I've patched the main engine in a way I'm hoping has put a stop to such attacks, but as I'm only an amateur with a bright idea (aXML) and no expert on security and exploitation, I've decided to open-source the code right now.
The hacker goaded me that I'm keeping the code secret because if it was in the open then I would be overrun with people hacking the site. Clearly this miscreant thinks that security through obscurity is something I think is a good idea, or some stupid thing like that... well whatever...
So yeah, here it is, if you can see how he's doing it and you know how to stop him then please let me know. Or if there are any other security holes that I haven't thought of as well.
File 1 : etcperl.tar.gz
To get it running on your box you will need Task::Plack installed.
Step 1 : unzip etcperl.tar.gz into your /etc/perl directory
Step 2 : unzip www.tar.gz into your /var/www directory
Step 3 : import the sql file
Step 4 : edit /var/www/perlnights.com/Conf.aXML and add your DSN/username/password info for the database
Step 5 : run plackup from the /var/www folder with the command :
plackup -s Starman -r action.psgi -R /etc/perl,/var/www -p 80 -D
That should be it. If you can spot the security hole and let me know I'd appreciate it, bearing in mind I just updated it with a patch I think might be the hole he was using but I am not certain about it.
In reply to PerlNights Beta Code Release by Anonymous Monk