Today I was asked to take a look at an existing site that is giving some problems and was given a user name and password to FTP it to have a look at how it was set up. I opened it and, just to see if there was a cgi-bin above the root directory (there was none in it), I hit the up arrow in WS_FTP.
To my absolute astonishment I was then looking at a screen full of the web folders of about 30 other sites, all of which I could open and peruse at my leisure. I did poke around a bit and without any difficulty opened two files which contained credit card information, certainly sufficient for me to have a very happy day's shopping on the internet had I a mind to. I could not edit files but could enter webs, open folders, view pages and so on without any difficulty.
I have informed the people who asked me to look at it about the lack of security and told them to contact their hosts about this as a matter of urgency. However, I really feel bad for the other sites.
Would you take it that it is their own lookout and they should take care of security themselves, or should I inform them? The people who run the server (and designed the troublesome site) are one of the largest design/hosting companies in Ireland. I feel as though I am sitting on a time bomb.
I saw all this at 10 am - rang my clients immediately and they immediately phoned their host - who incidentally told them that it was something I did and basically I was obviously an undesirable with whom they should not be involved. As of a few minutes ago (4.30pm) nothing has changed.
------------------
Katherine
InKK Design
LinKKs - Kilkenny's Online Magazine
-*-*-*-*-*-*-*-*-*-*
"Dogs have owners, cats have staff!"