Association for Community Design membership management database launches!

April marked the launch of the new membership management software and website for the Association for Community Design.  ACD coordinates architects and other design professionals working to use their tools to better serve the communities in which they live and work.

ACD had been using Wild Apricot for membership management, but struggled with rising monthly costs and limits on the number of contacts in their database.

Using Backdrop CMS and CiviCRM, ACD now has a membership management tool that does everything their old one did and more, with no limitations on their number of users or contacts.

To provide ongoing support for ACD, Megaphone Tech ported the Drupal Nagios module to Backdrop CMS.  This allows us to monitor the site for issues using established monitoring tools.

Monitoring against the Charles Bourasseau security exploit with Icinga2

Have you received this email?

My name is Charles Bourasseau, and I'm an independent IT security expert. I noticed a security issue on your website

I was able to access a lot of files that contain sensitive data. I attached a screenshot of the files I found to this email.

I am sorry to be the bearer of bad news, and I would be happy to share more information immediately, so that your team may fix this, can you please put me in touch with the right person to speak to about this?

For complete transparency, I'd like to share with you that my work is based on bug bounty programs and financial rewards in exchange for security

This email is personal and in no way related to any of my employers.

I'm on standby to help you resolve this as quick as possible, I look forward to hearing from you.

Best Regards,
Charles Bourasseau

It’s more than a bit shady – and my colleague Mathieu Lutfy did a great write-up of the issue on his blog.

If you’re using Icinga2, here’s an easy way to see if you have a git repository in your website’s root exposed.  Add this service check:

# If this returns HTTP 200, you have a problem. You want HTTP 4xx.
# One service is generated per entry in host.vars.http_vhosts; the service
# name is the prefix "Exposed Git: " followed by the dictionary key.
apply Service "Exposed Git: " for (http_vhost => config in host.vars.http_vhosts) {
  import "generic-service"

  check_command = "http"
  vars.http_vhost = config.http_vhost
  vars.http_ssl = config.http_ssl
  vars.http_uri = "/.git/config"
  vars.http_expect = "HTTP/1.1 4"
}

This presumes your hosts define multiple vhosts per host in a format like:

# The dictionary key is the vhost name (it becomes part of the service name);
# http_vhost is the hostname check_http sends in the Host header.
vars.http_vhosts[""] = {
  http_uri = "/"
  http_ssl = true
  http_vhost = ""
  http_expect = "HTTP/1.1 200 OK"
  cms = "wordpress"
}
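The same check can be run outside Icinga2, for example from a cron job or before a site goes live. The script below is an added example and is not Megaphone Tech's code or part of the Backdrop/CiviCRM setup described above. It mirrors the service check (GET /.git/config, a 4xx is a pass) over a dictionary shaped like host.vars.http_vhosts, and goes slightly further than the status-line match: a 200 is only reported as "exposed" when the body actually looks like a git config file, a 200 with an HTML soft-404 or a 3xx redirect is reported as "inconclusive" rather than as a pass, and redirects are deliberately not followed. It uses only the Python 3 standard library; the vhost list, the git-config markers and the hostname www.example.org are constructed for illustration.

```python
"""Check vhosts for an exposed /.git/config (added example, not the page's code)."""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple
import urllib.error
import urllib.request

# Strings that appear in practically every .git/config written by git itself.
# Constructed marker list; extend it if your repositories use unusual configs.
GIT_CONFIG_MARKERS = ("[core]", "repositoryformatversion")


@dataclass
class GitCheck:
    vhost: str
    status: Optional[int]   # HTTP status code, or None if no response was received
    verdict: str            # "ok", "exposed" or "inconclusive"
    detail: str


def classify(status: Optional[int], body: bytes) -> Tuple[str, str]:
    """Map an HTTP status and body for /.git/config to a verdict.

    4xx                          -> ok (the server refuses the path, as it should)
    200 with git-config content  -> exposed
    everything else              -> inconclusive (3xx, 5xx, soft-404 pages, no answer)
    """
    if status is None:
        return "inconclusive", "no HTTP response"
    if 400 <= status < 500:
        return "ok", f"HTTP {status}"
    if status == 200:
        text = body.decode("utf-8", errors="replace")
        if any(marker in text for marker in GIT_CONFIG_MARKERS):
            return "exposed", "HTTP 200 and body looks like a git config"
        return "inconclusive", "HTTP 200 but body is not a git config (soft 404?)"
    return "inconclusive", f"HTTP {status}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_git_config(vhost: str, ssl: bool = True, timeout: float = 10) -> Tuple[Optional[int], bytes]:
    """GET /.git/config for one vhost and return (status, first 4 KiB of body)."""
    url = f"{'https' if ssl else 'http'}://{vhost}/.git/config"
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:      # 3xx, 4xx and 5xx land here
        try:
            body = err.read(4096)
        except Exception:
            body = b""
        return err.code, body
    except (urllib.error.URLError, OSError):   # DNS failure, refused, timeout, TLS error
        return None, b""


def check_vhosts(vhosts: dict, fetch: Callable = fetch_git_config) -> list:
    """Run the check over a dict shaped like Icinga2's host.vars.http_vhosts."""
    results = []
    for vhost, cfg in vhosts.items():
        status, body = fetch(vhost, cfg.get("http_ssl", True))
        verdict, detail = classify(status, body)
        results.append(GitCheck(vhost, status, verdict, detail))
    return results


if __name__ == "__main__":
    # Constructed vhost list; the key is the vhost name, as in the Icinga2 config above.
    VHOSTS = {"www.example.org": {"http_ssl": True}}
    for result in check_vhosts(VHOSTS):
        print(f"{result.vhost}: {result.verdict} ({result.detail})")
```

Treat "inconclusive" as something to look at by hand rather than as a pass: a redirect to a login page or an HTML "not found" page served with a 200 hides what the underlying path would return. The fix for an "exposed" result is on the web server side: keep the repository outside the document root, or deny requests for /.git in the vhost configuration, and keep the service check in place so a later deployment does not quietly reintroduce it.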