[SAC] osgeo.org problems

Martin Spott Martin.Spott at mgras.net
Thu Jun 4 15:07:19 PDT 2015


Hi Jorge,

On Thu, Jun 04, 2015 at 02:50:09PM +0200, Jorge Sanz wrote:

> Jeff, Alex, I was going to send this to SAC but I'm not sure whether to
> make this public, you'll know better what to do with this information,
> maybe it's nothing but I'm a little bit alarmed, yes. At this time I
> can only access the website as a logged-in user and only to admin pages,
> normal node pages have the redirect loop problem. I tried this on
> Chrome, Firefox and Safari.

Note that I don't distrust your expertise, but unfortunately this is
difficult to reproduce.  Maybe we need to compile a list of browsers
and platforms in order to find out which ones are ok and which ones
aren't. Let me have a simple start:

***** worksforme (HTTP and HTTPS, anonymous and logged in) *****
Firefox 38 on FreeBSD 10
Firefox 31 on Mac OS X 10.10
Safari 8 on Mac OS X 10.10


***** failed to connect *****
<add yours>


Are you sure you checked *after* Tue, 2 Jun 2015 ?

> I've just removed a bunch of pages from the website. They had php code
> tags with nonsense code to me and were created by the admin user
> along with a content type (see screenshot).
> 
> I've disabled the PHP input format and have no idea if this is related
> to the redirect loop event but certainly I'm worried.
> 
> Has anyone created this content type and entries?

No idea, but I'm aware that the main web site is in a bad state: We're
using Drupal and PHP versions which are known to be unsafe.  We can't
update PHP because the site is using custom PHP code for the service
providers inventory which fails on modern PHP versions and, on the
other hand, we can't update Drupal because it would require a modern
PHP version.

Thus, by upgrading PHP we'll break the service providers, by updating
Drupal we'll break most of the site.  Updating PHP *and* Drupal (which
would be essential from a security point of view) is guaranteed to
break everything  :-)
As far as I understand the most advisable approach to escape this lock
is to find a maintainer for the service providers PHP code.

Best regards,
	Martin.
-- 
 Unix _IS_ user friendly - it's just selective about who its friends are !
--------------------------------------------------------------------------

