Back to the 90s! (where things were secure)
As you might know, my blog/CMS solution is a heavily outdated Joomla/WordPress combo. I already found an XSS vulnerability in it myself. But I guess there are at least a hundred remote code executions in the WordPress components (although not directly exposed), not to mention the ancient Joomla software. And all that is f*cking PHP code!!!11 ;)
Now, how do you run outdated and insecure PHP code?
Put simply: You don’t!
And that’s exactly what I intended to do. But at the same time I was also not too keen to migrate all the content to a new CMS/blog platform. So what could I do? Well, I just took it offline — and moved the PHP code and the database to a local box. What you see here is an httrack mirror of the dynamic page, together with a tiny hack for the RSS/Atom feed. I have a small script that uploads the locally generated httrack image to my website via FTP. Ahhh, no more unprotected credentials and login forms, no more sessions, no more cookies, just plain static HTTP.
Now I’m back in the good old 90s. But at least I don’t have to worry anymore :)
(The comment function was rarely used anyway, and I had a lot of spam to filter every day. Getting rid of the dynamic functions is not too huge a loss for me, I think.)
Now that I have this rolled out, I also think that this is a solution for a lot of other old websites. So if you’ve got one lying around with code you don’t really want to run anymore but with content you might still want, just put it through httrack. It feels a bit like rendering a vector image into a bitmap. Having as little code on the server as possible definitely helps reduce your attack surface.
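One check worth adding to that upload script: before the httrack image goes live, confirm that the rendering really produced a static tree. The following is an added example, not the script from this post; the `audit_mirror` function and the constructed sample trees are assumptions for illustration, and the mirror directory path is whatever you passed to httrack's `-O` option.

```shell
#!/bin/sh
# Added example, not the post's own script: after mirroring the local PHP
# box with httrack (usual invocation: httrack http://localhost/ -O "$dir"),
# verify that nothing dynamic survived before the tree is uploaded.
# Function names and the sample tree below are constructed for illustration.

# audit_mirror DIR: print counts of leftover server-side code, HTML forms
# and links into PHP handlers; exit status 0 only when all three are zero.
audit_mirror() {
    dir="$1"
    # 1. PHP source files must not ship at all
    php=$(( $(find "$dir" -type f \( -name '*.php' -o -name '*.phtml' \) | wc -l) ))
    # 2. a <form> is a POST endpoint that no longer exists on a static host
    forms=$(( $(find "$dir" -type f -name '*.html' -exec grep -li '<form' {} + | wc -l) ))
    # 3. query-string links into .php handlers mean httrack missed a page
    dynlinks=$(( $(find "$dir" -type f -name '*.html' \
                   -exec grep -lE 'href="[^"]*\.php\?' {} + | wc -l) ))
    echo "php=$php forms=$forms dynlinks=$dynlinks"
    [ $((php + forms + dynlinks)) -eq 0 ]
}

# make_sample_mirror DIR: constructed fixture with one clean static mirror
# and one where a comment form, a login script and a Joomla-style
# query-string link leaked into the output.
make_sample_mirror() {
    mkdir -p "$1/clean" "$1/dirty"
    printf '<html><body><h1>Post</h1><a href="post.html">next</a></body></html>\n' \
        > "$1/clean/index.html"
    printf '<html><body><form method="post" action="wp-comments-post.php"></form>\n<a href="index.php?option=com_content">read</a></body></html>\n' \
        > "$1/dirty/index.html"
    printf '<?php echo "still here"; ?>\n' > "$1/dirty/wp-login.php"
}

# Demo: run with --demo to audit both constructed trees.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_mirror "$tmp"
    for t in clean dirty; do
        if audit_mirror "$tmp/$t"; then echo "$t: ok to upload"; else echo "$t: NOT static"; fi
    done
    rm -rf "$tmp"
fi
```

Wire `audit_mirror "$MIRROR_DIR" || exit 1` in front of the FTP step so a mirror that still carries forms or PHP never reaches the server.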