Chandler Project Blog: Fatal error

Graham Perrin

Chandler Project Blog: Fatal error

<https://bugzilla.osafoundation.org/show_bug.cgi?id=12810> reports the bug, I thought I should echo this one to list.
Grant Baillie

Re: Chandler Project Blog: Fatal error

On 18 May, 2009, at 03:26, Graham Perrin wrote:

>
> <https://bugzilla.osafoundation.org/show_bug.cgi?id=12810> reports  
> the bug, I
> thought I should echo this one to list.

Thanks, Graham

It looks as if all wordpress plugins got disabled somehow. I went in  
and turned on the "Include Page" plugin, and there is now no error  
page. Yay!

However:

1) I'm not sure which of the other plugins are supposed to be enabled

and

2) I noticed Jared's "OSAF/Chandler Outage Report for 2009-04-28"  
post, i.e.

http://blog.chandlerproject.org/2009/04/29/osafchandler-outage-report-for-2009-04-28/

is showing up blank. I've known that to be a problem in the past with  
mismatched tags in the source, but I think I saw this page show up  
correctly in the past.

--Grant


_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Open Source Applications Foundation "chandler-dev" mailing list
http://lists.osafoundation.org/mailman/listinfo/chandler-dev
Graham Perrin

Chandler Project Blog: blank /2009/04/29/osafchandler-outage-report-for-2009-04-28/

Grant Baillie wrote:
> http://blog.chandlerproject.org/2009/04/29/osafchandler-outage-report-for-2009-04-28/
>
> is showing up blank. I've known that to be a problem in the past with mismatched tags in the source, but I think I saw this page show up correctly in the past.

Thanks to Grant for the rapid response!

Certainly, that blog entry was OK in the past. I read it following Jared's post to the list.

AFAIR, I may be mistaken, that entry previously allowed comments. (Rather than comment on the blog, I decided to post to list.) Now: comments are off.

(For other entries in the same category, comments are on.)

Are comments automatically off when the blog entry appears to be blank? Or is "Comments are closed" a clue to some other issue?
Graham Perrin

Chandler Project Blog: WordPress plugins puzzle

In reply to this post by Grant Baillie
Grant Baillie wrote:
> It looks as if all wordpress plugins got disabled somehow. I went in and turned on the "Include Page" plugin, and there is now no error page. Yay!
>
> However:
>
> 1) I'm not sure which of the other plugins are supposed to be enabled …

To me, the most obvious differences between past and present appearance are:

• name of poster is missing

• layout/theme is different

— is the theme usually elastic?
Jared Rhine

Re: Chandler Project Blog: Fatal error

In reply to this post by Grant Baillie
On Monday 18 May 2009 08:49:54 Grant Baillie wrote:
> 2) I noticed Jared's "OSAF/Chandler Outage Report for 2009-04-28"
> post, i.e.
>
> http://blog.chandlerproject.org/2009/04/29/osafchandler-outage-report-for-2009-04-28/
>
> is showing up blank.

Actually, it was spamjacked.  View source on that posting; bleah.  It shows
that our blog has been hijacked.  I have no idea how, but I've been prepping
an "update wordpress to 2.7.1" project for a couple days.

Oddly, the first step in a full wordpress update is "disable all the plugins"
but I hadn't performed that yet.  Odd coincidence.

I don't know what's up with the comments-are-off thing either.  I noticed we
had a huge round of bogus comments going back to all kinds of old posts a
couple days ago; I remember thinking "we should start turning off comments on
old posts" but I didn't do anything about that yet either.

I'm somewhat worried about the security breach; I don't know how it happened.  
The behavior looks very similar to the last big security problem with
wordpress (xmlrpc.php), where bad actors can act as another user and update
their posts.  But we hotpatched for that issue and I can't find any announced
problems in subsequent releases.

I'll take a careful look at the configuration when I do the update.

I've always considered wordpress a security risk; their track record is not
good.  Packages with lots of security holes in the past are likely to have
lots of security holes in the future.  TWiki is in the same category.

-- Jared

Graham Perrin

restoration of spamjacked entry, rollback of database for WordPress (was: Chandler Project Blog: Fatal error)

Jared Rhine wrote:
>> … showing up blank.
>
> Actually, it was spamjacked.  View source on that posting; bleah …

I found a cached copy of a copy of the original content of that jacked post, a .webarchive is attached to <https://bugzilla.osafoundation.org/show_bug.cgi?id=12823>. HTML pasted to <http://pastebin.ca/1432873>.

Recent <http://blog.chandlerproject.org/feed/> and <http://blog.chandlerproject.org/comments/feed/> — and a broader but superficial browse, month by month, through the blog — suggest that only the one entry was jacked … but I can't be sure of that.

Maybe we should roll the database to a recent backup, is that possible?

> I've always considered wordpress a security risk; their track record is not good. Packages with lots of security holes in the past are likely to have lots of security holes in the future. TWiki is in the same category.

At <http://n2.nabble.com/-tp1658556p1658556.html> I'm toying with the future notion of Plone for multi-lingual wiki content. Plone should be equally good for blogging.
Jared Rhine

Chandler blog function restored

On Sunday 24 May 2009 04:44:59 Graham Perrin wrote:
> I found a cached copy of a copy of the original content of that jacked
> post...

Thank you!  Awesome actually, because I was extra peeved that my post
disappeared and I couldn't find a cached copy.

I've upgraded WordPress to 2.7.1, processed the 13K spam comments that came in
while the Akismet plugin was disabled (that's the spam one), and gotten
something of a theme back in place.

What happened to us was the Magic Include Shell, a relatively dangerous attack
on Wordpress:

  http://iboughtamac.com/2008/03/28/protecting-wordpress-from-magic-include-shell/

Which describes why all our plugins got disabled.

Our old theme doesn't work out of the box, so the blog isn't pretty or just
like it was, but at least it is back to being secured.

-- Jared

Graham Perrin

Chandler blog: attribution, presentation of dates (and thanks!)

Jared Rhine wrote:
> I've upgraded WordPress to 2.7.1, processed the 13K spam comments that came in while the Akismet plugin was disabled (that's the spam one), and gotten something of a theme back in place.
>
> … Our old theme doesn't work out of the box, so the blog isn't pretty or just like it was, but at least it is back to being secured.

You're a star, thanks!

At a glance, only two things strike me:

1. when viewing any post alone e.g. <http://blog.chandlerproject.org/2008/06/18/pulling-together-agendas-and-logging-meeting-notes-together-in-chandler/>, there is no attribution

2. when viewing any post alone, its date may be not immediately visible. (It appears at the foot of the post, true, but date is one of just a few things that I like to see at the head of a post.)
Graham Perrin

Re: Chandler blog: attribution, presentation of dates (and thanks!)

Grant Baillie

Re: Chandler blog function restored

In reply to this post by Jared Rhine

On 26 May, 2009, at 16:27, Jared Rhine wrote:

> On Sunday 24 May 2009 04:44:59 Graham Perrin wrote:
>> I found a cached copy of a copy of the original content of that  
>> jacked
>> post...
>
> Thank you!  Awesome actually, because I was extra peeved that my post
> disappeared and I couldn't find a cached copy.
>
> I've upgraded WordPress to 2.7.1, processed the 13K spam comments  
> that came in
> while the Akismet plugin was disabled (that's the spam one), and  
> gotten
> something of a theme back in place.
>
> What happened to us was the Magic Include Shell, a relatively  
> dangerous attack
> on Wordpress:
>
>  http://iboughtamac.com/2008/03/28/protecting-wordpress-from-magic-include-shell/
>
> Which describes why all our plugins got disabled.
>
> Our old theme doesn't work out of the box, so the blog isn't pretty  
> or just
> like it was, but at least it is back to being secured.

Yay: Thanks, Jared.

I also noticed there were a couple of failing cron jobs that were  
trying to update desktop.chandlerproject.org and  
cosmo.chandlerproject.org from the blog.

It turns out they were using curl to pull data out of atom feeds, and  
were now failing because those links were being redirected. I added -L  
to the curl command lines, and they now seem to be working.

--Grant


Jared Rhine

Re: Chandler blog: attribution, presentation of dates (and thanks!)

In reply to this post by Graham Perrin
On Tuesday 26 May 2009 20:22:25 Graham Perrin wrote:
> 1. when viewing any post alone e.g.
> <http://blog.chandlerproject.org/2008/06/18/pulling-together-agendas-and-logging-meeting-notes-together-in-chandler/>, there is no attribution
>
> 2. when viewing any post alone, its date may be not immediately visible.
> (It appears at the foot of the post, true, but date is one of just a few
> things that I like to see at the head of a post.)

These two attribution issues have been fixed in the live blog now.  I used a
less-wordy version than previously.

I was going to say "that's about it; I'm going to stop looking for issues",
but just found something pretty strange; the indentation of #1 and #2 from  
the original:

http://www.diigo.com/cached?url=http%3A%2F%2Fblog.chandlerproject.org%2F2008%2F10%2F06%2Fhow-do-you-use-the-chandler-dashboard

disappears in the current:

http://blog.chandlerproject.org/2008/10/06/how-do-you-use-the-chandler-dashboard/

I thought this was just style sheet related, but after viewing source, it
seems the actual <ol>/<li> structure isn't there in the new one!  Weird.

No guarantees I'll find the issue though.  If anyone would like to volunteer
for shared Wordpress administrator duties, please pipe up.  Things like the
theme configuration I'm futzing with can be edited straight through the web UI
even.

-- Jared

Graham Perrin

Shared Wordpress administrator duties (was: Chandler blog: attribution, presentation of dates)

Jared Rhine wrote:
> … <http://blog.chandlerproject.org/2008/10/06/how-do-you-use-the-chandler-dashboard/>
>
> I thought this was just style sheet related, but after viewing source, it seems the actual <ol>/<li> structure isn't there in the new one!  Weird.

Weird, indeed. Mimi's <http://blog.chandlerproject.org/2008/09/11/chandler-project-next-steps/> and <http://blog.chandlerproject.org/2008/09/29/mobile-chandler/> seem unaffected.

Thanks for all the other stuff.

> If anyone would like to volunteer for shared Wordpress administrator duties, please pipe up.  Things like the theme configuration I'm futzing with can be edited straight through the web UI even.