
Thread: "You want me to do what?!?"

  1. #1 Stoo (Sublime HEXUS.net)
    Join Date: Jul 2003 | Location: The Void.. Floating | Posts: 11,819

    "You want me to do what?!?"

    Yup, that was pretty much my response today in reply to something someone emailed to me..

    But first, let's reverse a little..

    Okay, I'm pretty much looking after the company webserver at the moment, we'd just moved one of the other websites in the group over to our server for more central administration etc.

    The previous company who wrote all the interface etc is one we've worked with for many years on and off, so we let them use remote access to do the setup etc, all this went hunky-dory, and the site went live..

    Only they'd missed a couple of bits out from the administration part of the website, so they asked me to do a couple of things...

    1) Buy and install a file upload system (yeah, I know, but apparently rewriting the back end to use the standard ASP.NET file uploading routines was too much work as it was all customised etc.)

    2) install a spellchecker script...

    Number 2 is where my response in the title comes in...

    Okay, so I need to install the PHP interpreter for IIS, which is no big deal, and install the spellchecker scripts, fine too..

    Then I read further down the email, and did a double-take:

        Edit the properties of %SYSTEMROOT%\System32\cmd.exe and add the guest
        internet user (the user whose name looks like IUSR_MACHINENAME) to the
        users listed in the security tab. The "Read" and "Read and Execute"
        check boxes should be checked for this user.

    Buh?!?!

    Yes, I had read that right...

    So I replied and said that it wasn't going to happen due to it being A MASSIVE SECURITY HOLE, and would end up leaving our company liable if anyone exploited the hole...


    I then received an apologetic reply...

    But they'd used remote access and DID IT THEMSELVES ANYWAY!

    As I reversed their actions, I did ponder just when the hell they were going to tell me about the big gaping hole they'd left..

    Needless to say, they no longer have remote access, and their FTP access has been locked down very much tighter..

    Just goes to show, even if someone has many years of experience, it doesn't stop them being utterly, utterly stupid!


    Oh, and the people who used the admin section of that website didn't care about the spellchecker anyway!
    (\__/)
    (='.'=)
    (")_(")
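The emailed instruction above boils down to one ACL change on a shell binary. The PowerShell below is an added example, not something from the thread or from either company's tooling: it audits the ACL on cmd.exe for the IIS anonymous and application pool identities (the `IUSR_<MACHINENAME>` account named in the email, plus the `IUSR`, `IIS_IUSRS` and `IIS APPPOOL\*` names used by later IIS versions; these name patterns are assumptions you should adjust to your host) and reports any allow entry that carries execute rights. With `-Remediate` it removes explicit offending entries, which is the reversal Stoo describes doing by hand.

```powershell
# Added example (not from the thread): audit cmd.exe's ACL for web-facing
# identities holding execute rights, optionally remove explicit grants.
# Assumptions: run elevated on the IIS host; identity name patterns below are
# the usual IIS anonymous / app pool accounts and may need adjusting.
param(
    [string]$Path = "$env:SystemRoot\System32\cmd.exe",
    [switch]$Remediate   # without this switch the script only reports
)

# Identities that should never hold execute rights on a command shell.
# IUSR_<MACHINENAME> is the classic IIS anonymous account from the email;
# IUSR and IIS_IUSRS are the later equivalents; IIS APPPOOL\* are app pool identities.
$webIdentityPatterns = @(
    '^.*\\IUSR_.+$',
    '^NT AUTHORITY\\IUSR$',
    '^BUILTIN\\IIS_IUSRS$',
    '^IIS APPPOOL\\.+$'
)

$acl = Get-Acl -Path $Path

# Collect allow ACEs for web identities whose rights include ExecuteFile.
# ReadAndExecute, Modify and FullControl all contain the ExecuteFile bit.
$offending = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $id = $ace.IdentityReference.Value
    $isWebIdentity = $false
    foreach ($pattern in $webIdentityPatterns) {
        if ($id -match $pattern) { $isWebIdentity = $true }
    }
    if (-not $isWebIdentity) { continue }
    $executeBit = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
    if (($ace.FileSystemRights -band $executeBit) -ne 0) { $ace }
}

if (-not $offending) {
    Write-Host "OK: no web-facing identity has execute rights on $Path"
    return
}

Write-Warning "Web-facing identities with execute rights on ${Path}:"
$offending | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

if ($Remediate) {
    foreach ($ace in $offending) {
        if ($ace.IsInherited) {
            # An inherited ACE comes from the parent directory; removing it here
            # does nothing, so report it and fix the source instead.
            Write-Warning "ACE for $($ace.IdentityReference) is inherited; fix it on the parent"
            continue
        }
        [void]$acl.RemoveAccessRule($ace)
        Write-Host "Removed explicit ACE for $($ace.IdentityReference)"
    }
    Set-Acl -Path $Path -AclObject $acl
}
```

Run it without switches from a scheduled task or your monitoring agent to catch a repeat of this change; the report mode is safe to run anywhere. System binaries under System32 are normally owned by TrustedInstaller, so `Set-Acl` in remediation mode can fail unless the running account has been granted ownership or WRITE_DAC on the file, which is itself a reason to treat any successful grant to IUSR as a sign that someone used privileged remote access to make it.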

  2. #2 badass (Senior Member)
    Join Date: Mar 2005 | Posts: 4,935
    Quote Originally Posted by Stoo View Post
    Errrrrrm land on them like a tonne of bricks!
    No one should **** with your security like that.


    Absolute morons. Give them a slap!
    "In a perfect world... spammers would get caught, go to jail, and share a cell with many men who have enlarged their penises, taken Viagra and are looking for a new relationship."

  3. #3 TheAnimus (Seething Cauldron of Hatred)
    Join Date: Aug 2005 | Posts: 17,168
    Clue in there: anything around PHP = read the config files, because it's probably a gaping hole.

    Used to use the language profusely, had a box taken over because I took 2 days to patch latest PHP... I now hate it with a passion as it encourages such bad practice.
    throw new ArgumentException (String, String, Exception)

  4. #4 badass (Senior Member)
    Join Date: Mar 2005 | Posts: 4,935
    In fact I've just thought of this some more.
    I would, had I been given the chance to think about it some more, have asked them to email me that request. I would then have replied to that email, ccing my manager, their manager and anyone as high up as possible in the chains of both companies, asking them why they were so monumentally stupid as to:
    A. Suggest that, and
    B. Actually do it without permission.

    I'd then point out, in simple terms, why that's such a bad idea (so the management can understand).
    "In a perfect world... spammers would get caught, go to jail, and share a cell with many men who have enlarged their penises, taken Viagra and are looking for a new relationship."

  5. #5 stytagm (Flower Child)
    Join Date: Aug 2004 | Location: London | Posts: 754
    Quote Originally Posted by Stoo View Post
        Edit the properties of %SYSTEMROOT%\System32\cmd.exe and add the guest
        internet user (the user whose name looks like IUSR_MACHINENAME) to the
        users listed in the security tab. The "Read" and "Read and Execute"
        check boxes should be checked for this user.
    The full magnitude of that is slowly sinking in, am I understanding this correctly?

    They're asking you to allow the account representing a (presumably anonymous) website visitor, explicit execute permissions to run command line scripts?

    If it was the App Pool identity account instead you could at least understand where they were coming from, but the guest account?
    They told me I was gullible ... and I believed them.

  6. #6 Stoo (Sublime HEXUS.net)
    Join Date: Jul 2003 | Location: The Void.. Floating | Posts: 11,819
    Quote Originally Posted by stytagm View Post
    The full magnitude of that is slowly sinking in, am I understanding this correctly?

    They're asking you to allow the account representing a (presumably anonymous) website visitor, explicit execute permissions to run command line scripts?

    If it was the App Pool identity account instead you could at least understand where they were coming from, but the guest account?
    Yup, that's exactly what I thought!

    I had to read it several times to verify that someone had *actually* typed it..

    I've never liked this company, right from when I've had my first dealings with them, looked like I've been proven correct in the most vivid way I could have imagined...

    *shakes head*

    They actually thought I'd just do it? Then they did it anyway and didn't tell anyone? *gibbers*
    (\__/)
    (='.'=)
    (")_(")
