updates …

A conundrum …

So gotwoot is a pretty interesting site, from an administrative standpoint. I’m finding it really hard to keep things up to date, partly because of the level of access to information I’ve got, and partly because of the way the site’s set up.

Now, my work systems, I’ve got all the information and all the access. I set them up, I control how they get updated. It’s nice. But gotwoot’s a cpanel box, and cpanel’s a headache. It’s sort of its own meta-distro, built on top of whatever you install it on, and some packages are maintained by the distro, some by cpanel, and some not at all.

On top of that, the server hosts a dozen random sites, half of which are in some way dead. Of the alive ones, there’s only two that are interesting for me to interact with: www.gotwoot.net and forums.gotwoot.net.

Now, the problem I’m running into is that everything’s customized in interesting ways. The main page on gotwoot.net is powered by a heavily customized version of wordpress, but it’s built on wordpress 2.0.1 (the latest is 2.0.4). Now, everything before current is subject to a couple of very nasty things … “unspecified vulnerabilities”, a php injection vulnerability and some rather unpleasant xss work. I’d like to update to 2.0.4, but the way it’s set up it’s simply not possible to touch it without breaking the setup in nasty ways…

Behind that, I did a lot of cleanup a while ago, squirreling away old versions of various things that have been used in the past (so they’re not lost, but not web-accessible).

Then there’s the forums. They’re running vbulletin 3.5.4. Latest in the 3.5 line is 3.5.5, and we’re still in the upgrade period for 3.6.x. 3.6 has some really nice features (ajax reps, for example) that I think would be nice to have, and it fixes some minor xss issues (which aren’t going to compromise the system, so not a huge issue). I’d do that update myself, but I can’t, ’cause I don’t have the vbulletin registration info necessary to do so.

The software itself isn’t so bad … php 4.4.2 (built april 18, 2006 — not the most recent in the 4.4 line, but the most recent that cpanel’s update script deemed necessary to run), mysql 4.0.27 (latest 4.0 line mysql), apache 1.3.34 (ugh, should be 1.3.37). All that is apparently managed and built by cpanel, so I can’t really touch it unless the upcp script updates it. Annoying …

So, let’s review. I’m trying to keep a site secure, in the face of: known insecure platform software and known insecure webapps. … yeah, this kinda sucks :p.

In related news, Purdue’s newspaper, The Exponent, recently had their webpage defaced. Hilarity ensues…

No Responses to “updates …”

  1. Joel Says:

    What the hell happened to the Exponent? Man I hope they didn’t destroy anything; the system never really had much by way of backups…