How I Hacked 40 Websites in 7 minutes
Georgios Konstantopoulos

Fixing the image upload by simply getting rid of Perl doesn't, as such, solve the problem.

Allowing file uploads without validating them would cause problems in any language.

The solution is to validate the files (by actually decoding them, not by trusting the extension or the Content-Type header) and delete any file that isn't a valid image.

That means you need an image library.
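To make "check the file" concrete, here is an added example that is not part of the post or of the article it responds to: a strict validator for one format, PNG, written with only the Python standard library so it runs offline. Instead of trusting the extension or the first few bytes, it parses the container: signature, chunk framing, the CRC of every chunk, a sane IHDR, an IDAT stream that inflates to exactly the size the header implies, and nothing after IEND. The trailing-data check is the one that catches a real image with a script appended, which is the usual way an "image" turns into a webshell. The size limits, the `InvalidImage` / `validate_png` / `screen_uploads` names and the sample uploads in `SAMPLES` are all constructed for this demonstration; in production you would normally let an image library (Pillow, ImageMagick) decode and re-encode the file into a fresh image, which also strips metadata, and this parser only shows what "valid" has to mean.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_UPLOAD_BYTES = 5 * 1024 * 1024   # assumed limit, tune per site
MAX_DIMENSION = 8192                  # assumed limit, guards against decompression bombs
_CHANNELS = {0: 1, 2: 3, 4: 2, 6: 4}  # channels per pixel for accepted colour types (no palette)


class InvalidImage(ValueError):
    """Anything that is not a PNG we are willing to keep."""


def validate_png(data: bytes) -> dict:
    """Return {'width': w, 'height': h} for a well-formed PNG, else raise InvalidImage."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise InvalidImage("file too large")
    if not data.startswith(PNG_SIGNATURE):
        raise InvalidImage("bad PNG signature")
    pos, ihdr, idat, seen_iend = len(PNG_SIGNATURE), None, bytearray(), False
    while pos < len(data):
        if seen_iend:  # bytes after IEND are not image data: appended webshells live here
            raise InvalidImage("trailing data after IEND")
        if pos + 8 > len(data):
            raise InvalidImage("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body, crc = data[pos + 8:pos + 8 + length], data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            raise InvalidImage("truncated chunk")
        if zlib.crc32(ctype + body) != struct.unpack(">I", crc)[0]:  # CRC covers type + data
            raise InvalidImage("CRC mismatch in %r chunk" % ctype)
        if ctype == b"IHDR":
            if ihdr is not None or pos != len(PNG_SIGNATURE) or length != 13:
                raise InvalidImage("IHDR must be the first and only header chunk")
            width, height, depth, colour, comp, flt, interlace = struct.unpack(">IIBBBBB", body)
            if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
                raise InvalidImage("unreasonable dimensions")
            if depth != 8 or colour not in _CHANNELS or (comp, flt, interlace) != (0, 0, 0):
                raise InvalidImage("unsupported IHDR parameters")
            ihdr = (width, height, colour)
        elif ihdr is None:
            raise InvalidImage("chunk before IHDR")
        elif ctype == b"IDAT":
            idat += body
        elif ctype == b"IEND":
            if length:
                raise InvalidImage("IEND must be empty")
            seen_iend = True
        elif not 0x61 <= ctype[0] <= 0x7A:  # uppercase first letter = critical chunk we don't know
            raise InvalidImage("unknown critical chunk %r" % ctype)
        pos += 12 + length  # ancillary chunks (tEXt, pHYs, ...) are skipped, never interpreted
    if ihdr is None or not seen_iend:
        raise InvalidImage("missing IHDR or IEND")
    width, height, colour = ihdr
    expected = height * (1 + width * _CHANNELS[colour])  # filter byte + pixels per scanline
    try:  # cap the inflate at expected+1 bytes so an oversized stream cannot exhaust memory
        raw = zlib.decompressobj().decompress(bytes(idat), expected + 1)
    except zlib.error as exc:
        raise InvalidImage("corrupt IDAT stream: %s" % exc)
    if len(raw) != expected:
        raise InvalidImage("pixel data size does not match header")
    return {"width": width, "height": height}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def make_png(width: int, height: int, rgb=(0, 0, 0), rows=None) -> bytes:
    """Constructed sample input: minimal solid-colour 8-bit RGB PNG. `rows` lets the
    caller emit more scanlines than IHDR declares (used for the bomb sample)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    row = b"\x00" + bytes(rgb) * width  # filter type 0 + pixels
    idat = zlib.compress(row * (height if rows is None else rows))
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


GOOD = make_png(4, 3, (255, 0, 0))
SAMPLES = {  # constructed uploads, as the handler would receive them; names are illustrative
    "avatar.png": GOOD,
    # real image with a script tail: extension and magic bytes look fine, and most decoders
    # stop at IEND, so only a structural check notices the tail
    "avatar_with_shell.png": GOOD + b"<?php system($_GET['cmd']); ?>",
    "shell.png": b"#!/usr/bin/perl\nprint \"Content-type: text/html\\n\\n\";\n",  # script renamed
    "corrupt.png": GOOD[:42] + bytes([GOOD[42] ^ 0xFF]) + GOOD[43:],  # one IDAT byte flipped
    "bomb.png": make_png(4, 3, rows=1000),  # header says 4x3, stream inflates to 1000 rows
}


def screen_uploads(uploads: dict) -> dict:
    """Keep/delete verdict per upload, the decision the upload handler has to make."""
    verdicts = {}
    for name, data in uploads.items():
        try:
            info = validate_png(data)
            verdicts[name] = "keep %dx%d" % (info["width"], info["height"])
        except InvalidImage as exc:
            verdicts[name] = "delete (%s)" % exc
    return verdicts
```

Calling `screen_uploads(SAMPLES)` keeps only `avatar.png`; the renamed script fails on the signature, the image with the appended PHP fails on trailing data, the flipped byte fails the chunk CRC, and the oversized stream fails the pixel-count check without ever being fully inflated. Validation like this is a filter, not a substitute for the rest of the advice below: the surviving files still belong outside the web root, on storage that cannot execute them.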

It's also a good idea to move the images to a separate location, for example an S3 bucket: S3 only serves objects, it never executes them, so an uploaded file can't become a script there, and serving user content from its own domain keeps it out of your main site's origin as well.

It's also a good idea to allow image processing only on a dedicated image service (for example a Docker container), maybe even on a separate server, so that a bug in the image library is contained there. For profile pictures a cheap AWS Lightsail or Google Cloud instance would do.

Instead of running many websites on one server (the classic approach), it's probably better to use micro instances, one per site, and to separate the database server from the web server.

Such an environment can be configured and maintained with a configuration-management tool such as Chef, plus a monitoring service (they come in all sizes and prices).

Separating an application into services running on different machines is a good idea in general, because it allows for better scalability, better monitoring, and also better, service-oriented security: a compromise of one service doesn't hand the attacker the rest.

It also helps to have a CI/CD pipeline in place, because you can redeploy applications faster. That means you can tear down parts of your infrastructure and rebuild them from scratch within hours, which is useful if you discover a serious security problem.
