Mango Blog Setup Folder Security
Over the last few days I have found an alarming number of 404 errors in my ColdFusion server logs. They all had one thing in common: a missing setup.cfm page. Naturally we don't want 404 errors, right? In this case it's a good thing.
It is my belief that someone, or some group of people, is testing the security of Mango Blog by looking for the setup directory that comes with Mango Blog when you first download and set up your blog. The installation instructions state that once your blog is set up correctly, you should remove the setup folder from the admin, to prevent no-gooders from doing anything malicious to your site.
I went to the mangoblog.org site and took a look at a long list of people in the "Who uses Mango" section of the site, and most everyone still had the setup directory intact. I was actually really surprised to see the carelessness of so many people. Especially from a few people who SHOULD know better than that.
What's worse is that I was able to add a new table to one unlucky site by guessing the username, password, and datasource! And it wasn't very hard! How lazy are we, people!? Do we have to get hacked before we wise up? This is just plain ridiculous! I am not even a security person and was able to compromise one system in just a few minutes. Imagine what a security expert could do with all their tools and knowledge.
Mango Blog owners: remember, you need to delete the setup folder after the installation has been verified. It's obvious to me that people are checking for the existence of setup.cfm, so we had best be on our toes.
My Solution
Here is what I am proposing as a solution. I am interested in your feedback.
The idea I had was to have the admin overview page check for the existence of the folder, and if it finds the setup folder intact it could warn you that leaving the setup folder on the server is a security risk. It should then offer the admin user a chance to delete the folder. I think this is a better method, as it gives the blog administrator a good chance to verify that things are working before deleting the folder. It also gives a continual reminder to those who forget to delete the folder on their own.
Here is a sample design that I had. Maybe there is a better way to do things. I just thought I would get the ball rolling and see what can be done.
A plugin could easily be built for this, but I honestly feel it should be a part of the core install and not a plugin provided by an end user. Otherwise that would pretty much defeat the purpose.
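To make the proposal concrete, here is an added example of what such a check could look like on the admin overview page. This is illustrative code written for this post, not code from Mango Blog itself. It assumes that the template is only ever served to a logged-in admin (the surrounding admin area already enforces that), that the setup folder lives at /admin/setup under the web root, and that a session variable named session.setupRemovalToken is free for use as a confirmation token; none of those names come from the Mango Blog code base.

```cfml
<!---
  Added example (not Mango Blog's own code): flag a setup folder left behind
  after installation and let the admin remove it from the overview page.
  Assumptions (not from the original post):
    - this template is only served to a logged-in admin;
    - the setup folder lives at /admin/setup under the web root;
    - session.setupRemovalToken is ours to use as a confirmation token.
--->
<cfset setupDir = expandPath("/admin/setup")>
<cfset setupFolderPresent = directoryExists(setupDir)>
<cfset removed = false>
<cfset removalError = "">

<!--- Per-session token so the delete only happens from our own form, via POST,
      not from a stray link or a request forged from another site. --->
<cfif NOT structKeyExists(session, "setupRemovalToken")>
    <cfset session.setupRemovalToken = hash(createUUID(), "SHA-256")>
</cfif>

<cfif setupFolderPresent
      AND cgi.request_method EQ "POST"
      AND structKeyExists(form, "removeSetup")
      AND structKeyExists(form, "token")
      AND form.token EQ session.setupRemovalToken>
    <cftry>
        <!--- recurse="true" takes setup.cfm and everything else in the folder --->
        <cfdirectory action="delete" directory="#setupDir#" recurse="true">
        <!--- Re-check rather than trusting the tag: the folder may be read-only --->
        <cfset setupFolderPresent = directoryExists(setupDir)>
        <cfset removed = NOT setupFolderPresent>
        <!--- Token is single-use: rotate it whether or not the delete succeeded --->
        <cfset session.setupRemovalToken = hash(createUUID(), "SHA-256")>
        <cfcatch type="any">
            <cfset removalError = cfcatch.message>
        </cfcatch>
    </cftry>
</cfif>

<cfoutput>
<cfif setupFolderPresent>
    <div class="warning">
        <p><strong>Security warning:</strong> the setup folder
           (<code>#htmlEditFormat(setupDir)#</code>) is still on the server.
           Leaving it in place is a security risk. Once you have verified that
           the blog works, remove it.</p>
        <form method="post" action="#cgi.script_name#">
            <input type="hidden" name="token" value="#session.setupRemovalToken#">
            <input type="submit" name="removeSetup" value="Delete the setup folder now">
        </form>
        <cfif len(removalError)>
            <p class="error">Could not delete the folder:
               #htmlEditFormat(removalError)#. Check that ColdFusion has write
               permission on it, or remove it by hand.</p>
        </cfif>
    </div>
<cfelseif removed>
    <p class="success">The setup folder has been removed.</p>
</cfif>
</cfoutput>
```

The check itself is a single directoryExists() call, so it costs nothing to run on every admin page load, which is what provides the continual reminder. The delete is gated on a POST with a session-bound token so that simply visiting the overview page, or following a link someone sends the admin, can never remove anything; and the folder's existence is re-tested after the delete so the success message only appears when the folder is really gone.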
Tags: Mango Blog · Opinions & Rants

8 comments so far
I also find it interesting what shows up on server logs. I get TONS of generic hits for "/admin", "/install", "/mail", "/bin" and others.
I found this blog while searching for security on the Mango Blog.
What I am wondering is how do you protect yourself from malicious posters or bots that post ads and that kind of stuff.
There are several plugins available to protect against comment spam. CFFormProtect (included with your Mango Blog install) is simple and effective. It works best if used with the Akismet option enabled. Also included is Comment Moderation, which automatically puts comments into a moderation status, allowing you to approve them before they go live.
Additional plugins can be found on the Mango Blog website http://mangoblog.org/docs/plugins that can also work to secure your blog.