The Ghost of osTicket
A Storm in a Tea Cup - osTicket.com
My trusty sales colleague had zoomed off to America leaving her parting words still spinning in my head. She wanted to be able to pick up and deal with her emails from wherever she was in the world and hated having to return from her holidays to respond to the awaiting messages with apologies for not responding sooner. I agreed: it's a simple thing to set up and it was about time we sorted out our mess of a communications system.
After a few quick searches on Google I arrived at the osTicket website and had a herd of Mozilla windows tucked on my toolbar offering a plethora of similar free scripts to choose from.
When it comes to installing a 3rd party script on my server I am on high alert.
My paranoia increases and my mind is racing with doom scenarios stemming from the security risks of placing someone else's code amongst my own. I decided to browse the site's forum to get a picture of the level of support offered by the user community. It was a busy forum. Chock-a-block. I spent a good half hour, or so, following the threads of the users' questions as they were helpfully answered by the keen contributors and moderators. My confidence in the software was growing.
Exploiticker
Being a paranoid freak, I decided to check the "security issues" threads and watched a "storm in a tea-cup" unfold as a major bug was announced, discussed and fixed. It had allowed a remote user to upload and execute malicious code on the host server, and some pesky cyberpunks had already been having fun exploiting it. They left the victims' websites stamped with the word "O . W . N . E . D" in their wake.
I picked up a few keywords from the thread and did a nosy search on Google to see whether anyone out there was still suffering from the exploit. Sure enough, a few websites remained with the black hat's badge of honour emblazoned on their pages. It's at times like these that you realise the worth of Secunia when you are considering popping 3rd party code onto your host machine.
Although it was a major security flaw in the ticketing software, I was not put off by the alert. In fact I was reassured by the developer’s openness about the bug and the speed at which it was fixed. I was now convinced that the software was “the one for me”, so I meandered over to the “downloads page” only to be presented with a dud:
"2.0 Beta coming soon!
1.X.X Discontinued No downloads"
Aaaaargh! After all that time and investigation. No exciting offerings to unwrap and stick on my box. Santa had really let me down this time.
eTicket to the Rescue
All was not lost. The project had been picked up by HM2K, someone I had become familiar with as one of the keener characters on the osTicket forum. Fortunately, he had gallantly rescued osTicket and forked it into the shiny new eTicket.
Well done osTicket: although it was a bit of a pain having to wade through the forum to a dead end, I still respect the hours and effort that must have gone into writing the code and making it available as an Open Source project. Big ups to HM2K for making it live again. Some day I hope to use it for my site, but I think I'll keep it quarantined on a separate host 'til I have picked through it with a fine-tooth comb. ;o)
The Moral of the Story
This blog is primarily maintained as a personal collection of "note-to-self" snippets for me to return to whenever my brain has so kindly dumped my personal copies into the recycle bin. It's public because I think others may be interested too. Feel free to comment and add to the following…
List of things to note when considering 3rd party scripts for my site:
- A pretty project website does not make a good project
- Check that the downloads page still allows downloads before going further
- Check the "Requirements" section to ensure that you have the correct flavours and versions of operating system, server software, server-side scripting modules and database
- Ensure there is an active community supporting and using the scripts
- Check the dates of the most recent community forum entries
- Check the security issues surrounding the scripts on the project forum and at Secunia. Almost all big software projects have bugs and security flaws, but watch out for those that are not fixing them promptly.
- NEVER PUT 3rd PARTY SOFTWARE ON YOUR MAIN MACHINE UNTIL YOU HAVE EXPLORED ITS VULNERABILITIES AND THOROUGHLY UNDERSTOOD WHAT THE CODE ACTUALLY DOES.
- Sign up to the project’s mailing list.
- At least once a week check the community forum and other 3rd party security sites for new vulnerabilities.
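One way to start on the "thoroughly understand what the code actually does" step is a quick static triage of the script before it goes anywhere near the main machine. The script below is an added example written for this post; it is not osTicket, eTicket or HM2K code and says nothing about the specific bug discussed above. It greps a PHP source for the constructs behind "upload and execute" bugs (client-named uploads, dynamic includes, shell-outs, file operations fed from request parameters) and reports which lines a reviewer should read first. The two PHP handlers it is run over are constructed for illustration, and a hit means "read this line", not "exploitable"; a clean run proves nothing.

```python
"""Heuristic pre-deployment triage of a third-party PHP script.

Added example, not code from osTicket, eTicket or HM2K. Patterns are applied
line by line and comments are not stripped, so expect false positives; the
point is to direct a human read, not to replace it.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    text: str


# rule name -> pattern applied to each line of the PHP source
RULES = {
    "code-exec": re.compile(r"\b(eval|system|exec|passthru|shell_exec|popen|proc_open)\s*\("),
    "backtick-exec": re.compile(r"`[^`\n]+`"),
    "dynamic-include": re.compile(r"\b(include|require)(_once)?\b[^;\n]*\$"),
    "upload-sink": re.compile(r"\bmove_uploaded_file\s*\("),
    "client-filename": re.compile(r"\$_FILES\s*\[[^\]]+\]\s*\[\s*['\"]name['\"]\s*\]"),
    "tainted-file-op": re.compile(
        r"\b(fopen|file_put_contents|file_get_contents|copy|rename|unlink|mkdir)"
        r"\s*\([^;\n]*\$_(GET|POST|REQUEST|COOKIE)\b"),
}
# A move_uploaded_file() in a file with no extension allow-list anywhere is the
# classic "upload shell.php, then browse to it" shape; it gets its own rule.
ALLOWLIST_HINT = re.compile(r"\bin_array\s*\(|PATHINFO_EXTENSION")


def triage_php(source: str) -> list[Finding]:
    """Return every rule hit in the source, sorted by line then rule name."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append(Finding(lineno, rule, line.strip()))
    if not ALLOWLIST_HINT.search(source):
        for sink in [f for f in findings if f.rule == "upload-sink"]:
            findings.append(Finding(sink.line, "upload-unfiltered", sink.text))
    return sorted(findings, key=lambda f: (f.line, f.rule))


def rule_counts(findings: list[Finding]) -> dict[str, int]:
    """Summarise findings as {rule: number of hits}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample: a naive attachment handler. Every line below the comment is a red flag.
VULNERABLE_HANDLER = """<?php
// constructed: naive attachment handler, every line below is a red flag
$name = $_FILES['attachment']['name'];
move_uploaded_file($_FILES['attachment']['tmp_name'], "attachments/" . $name);
include($_GET['page'] . ".php");
system("unzip attachments/" . $name);
unlink("attachments/" . $_GET['delete']);
?>"""

# Constructed sample: the same feature with an extension allow-list and a server-chosen name.
HARDENED_HANDLER = """<?php
// constructed: same feature with an extension allow-list and a server-chosen name
$allowed = array('png', 'jpg', 'pdf');
$ext = strtolower(pathinfo($_FILES['attachment']['name'], PATHINFO_EXTENSION));
if (!in_array($ext, $allowed, true)) { die('rejected'); }
$target = '/var/uploads/' . bin2hex(random_bytes(16)) . '.' . $ext;
move_uploaded_file($_FILES['attachment']['tmp_name'], $target);
?>"""


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_HANDLER), ("hardened", HARDENED_HANDLER)):
        print(f"== {label} ==")
        for f in triage_php(src):
            print(f"  line {f.line:>3}  {f.rule:<18} {f.text}")
```

Run it over a real download by reading each `.php` file into `triage_php()`; the hardened sample still produces two hits (the client filename is read to extract an extension, and the upload sink exists), which is the intended behaviour: those are exactly the lines a reviewer should confirm by eye rather than trust a regex to clear.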
Feel free to comment and add more, below. P.S. Thanks in advance to those robots who post comment spam such as "I really like my site" - it's a real honour. ;o)
April 12th, 2007 at 3:45 am
So that's what happened to osticket. I was wondering.
October 6th, 2007 at 9:02 pm
Thank you for sharing!
January 6th, 2008 at 4:53 pm
[…] time it takes me to read the code and understand exactly what it does on my server - I’m 3rd-party-code-paranoid, don’t you […]