[Expo-tech] Fixed: someone has Hacked EditThis Page and inserted spam
Philip Sargent (Gmail)
philip.sargent at gmail.com
Fri Apr 24 23:23:44 BST 2020
OK it is sorted.
localsettings.py had PUBLIC_SITE set to False.
So the server was not enforcing that people should sign in using the
"cavey:beery" password.
Now it is:
http://expo.survex.com/accounts/login/?next=/handbook/kitlist.html_edit
Hence it was open to abuse.
Wookey diagnosed how to fix this.
I have just set it to True in localsettings.py on the server and restarted
apache.
I see that it was also set to True in localsettingsserver.py and
localsettingspotatohut.py so I think it must have been left on False by
accident thus letting the miscreant in.
So no hackage was involved: it was an open form exploited by some bot
software which just fills in any form it finds and submits them.
Edit_This_Page makes every page on the site (nearly) look like an open form
to software bots.
Philip
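The misconfiguration described in the message above, as an added illustration that is not the expo site's own code: a hypothetical edit handler whose login check is driven by a PUBLIC_SITE flag, together with a small audit that flags settings files where the flag is not set to True. The names Request, Response, edit_page, audit_public_site and the sample file contents are assumptions constructed for this example; only the PUBLIC_SITE name, the login path and the three settings file names come from the thread.

```python
"""Illustration of an edit-page gate driven by a PUBLIC_SITE flag, plus an
audit for settings files that disagree on it. Hypothetical code, not the
expo site's own; the sample settings contents below are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import quote

LOGIN_URL = "/accounts/login/"  # login path seen in the thread


@dataclass
class Request:
    """Minimal stand-in for a web request (assumed shape)."""
    path: str
    authenticated: bool = False
    form: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    location: Optional[str] = None
    body: str = ""


def edit_page(request: Request, public_site: bool, page_store: dict) -> Response:
    """Edit-this-page handler.

    With public_site True an anonymous submission is bounced to the login page
    with ?next= set, so a form-filling bot never reaches the save step.
    With public_site False (the state the server was accidentally left in)
    whatever arrives in the form is written straight into the page.
    """
    if public_site and not request.authenticated:
        target = quote(request.path, safe="/")
        return Response(302, location=f"{LOGIN_URL}?next={target}")
    page_store[request.path] = request.form.get("text", "")
    return Response(200, body="saved")


# Matches an assignment such as  PUBLIC_SITE = True  or  PUBLIC_SITE = False  # note
PUBLIC_SITE_RE = re.compile(r"^\s*PUBLIC_SITE\s*=\s*(True|False)\s*(?:#.*)?$", re.M)


def audit_public_site(settings_files: Dict[str, str]) -> List[str]:
    """Return the names of settings files where PUBLIC_SITE is False or absent.

    The thread shows three settings variants that should agree; a file left on
    False (or with no flag at all) is the one that opens every edit form."""
    offenders = []
    for name, text in settings_files.items():
        match = PUBLIC_SITE_RE.search(text)
        value = (match.group(1) == "True") if match else None
        if value is not True:
            offenders.append(name)
    return offenders


# Constructed sample contents mirroring the situation in the thread.
SAMPLE_SETTINGS = {
    "localsettings.py": "DEBUG = False\nPUBLIC_SITE = False   # left over from a dev copy\n",
    "localsettingsserver.py": "PUBLIC_SITE = True\n",
    "localsettingspotatohut.py": "PUBLIC_SITE = True\n",
}


if __name__ == "__main__":
    store = {}
    bot = Request("/handbook/kitlist.html_edit", form={"text": "unwanted content"})
    print("PUBLIC_SITE=True :", edit_page(bot, True, store), "stored:", store)
    print("PUBLIC_SITE=False:", edit_page(bot, False, store), "stored:", store)
    print("files not enforcing login:", audit_public_site(SAMPLE_SETTINGS))
```

Run as a script it shows the same submission being redirected under PUBLIC_SITE=True and silently saved under PUBLIC_SITE=False, and the audit naming localsettings.py as the file that disagrees with the other two; in a deployment the audit would read the real files from disk and run before the web server is restarted.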
-----Original Message-----
From: Philip Sargent (Gmail) [mailto:philip.sargent at gmail.com]
Sent: 24 April 2020 20:50
To: expo-tech at lists.wookware.org
Subject: someone has Hacked EditThis Page and inserted spam
Importance: High
http://expo.survex.com/handbook/charging.html
(8:46:03 PM) PhilipSargent: Spam alert!
(8:46:42 PM) PhilipSargent: Someone has inserted edits into
handbook/charging.html and I committed it before I checked
(8:47:50 PM) PhilipSargent: Presumably there is a loophole in Edit This
Page ? as all the text has been reformatted too. The first lines inserted
say
(8:47:52 PM) PhilipSargent: +By way of an introduction, my name is Sergey
and I am the founder of Creative Bear Tech, a website data scraping and
computer software business based in London, UK. We mainly deal with B2B
companies by helping them to get in touch with their customers through our
data scraping solutions.
(8:49:05 PM) PhilipSargent: My mistake, he just deleted the entire page
and replaced it with his content
http://expo.survex.com/handbook/charging.html