HTML itself is a read-only markup language. There is nothing inherently dangerous about this. Freeway can use FTP to transmit site documents to the server, and that process is inherently insecure, because authentication tokens are passed in clear text. Freeway can also be configured to use SFTP (FTP tunneled through SSH – secure shell) and that is secure.
The only things you could use for hacking a server through a Freeway site would come in the way of third-party add-ons, like FormsToGo, which lets you create file upload forms, or comment scripts that don’t require moderation, or the ubiquitous Matt’s Formmail CGI script.
Now, depending on your hosting setup, this hacking can come from any number of other vectors besides your site. Most hosting providers do what’s called “shared hosting”. Hundreds or thousands of sites are hosted on one physical server, and the Apache software figures it all out transparently. If someone installed PHPBB or Wordpress or any of a hundred other popular and often-successfully-attacked scripts on their virtual server, yours could fall victim to the same attack, even though your address is nothing at all like theirs. As long as the physical server is in common, the attack can jump over the virtual walls that divide them.
First step is to try to isolate the damage. Set up a new server on a different provider (with entirely different passwords), and upload from Freeway again there. Fiddle with the DNS settings at your domain registrar to move just the Web stuff over to the new server. See if the problem travels – if the “hack” happens on the new server. I sincerely doubt that it will.
If you really want to make sure that this can’t happen again, ask your client to spend about ten times as much for hosting, and get a VPS (virtual private server) from Linode or Rackspace or Media Temple. Those are completely the opposite of “shared” hosting. Each account spins up a new virtual Linux or Unix machine for you, and nothing at all is shared between virtual hosts on the same physical hardware. And even the hardware is abstracted away – your virtual host is running on a grid of physical machines, which together act like a mainframe-class server. If one of them fails, the others carry on as if nothing happened, and a new commodity server is just plugged into the grid to repair the fault. It’s often less expensive to throw away the broken server node than to repair it.
Walter
On Sep 23, 2011, at 10:48 AM, Clark Brown wrote:
Question is, is it possible that someone could hack into their site via the Freeway code. This is what they are claiming.
freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options