Those of you who build websites know that sometimes the things you attempt simply will not work. Either the technology won’t cooperate, or it is designed in a way you don’t expect. Once in a while you come across an infrastructure item that has a bug or an odd behavior. Even less often do you come across a security problem that is the result of poor engineering.
The thing that makes what I am uncovering tonight so worrisome is that the company who provides the service is bound to know it exists. It is too simple to have been missed. As such, I let the company behind E-zekiel know by email that I am publishing this blog entry exactly 48 hours after emailing them. Hopefully they will fix the problem and this will be an artifact of what can go wrong in web programming and nothing more. Otherwise, I *think* we are all free to link to any URL we want and say what we want. For those who might critique that 48 hours isn’t long enough, I ask that you research the company to see how long they have been running their operations with such a glaring information security problem.
At the suggestion of a friend, I looked into the E-zekiel Content Management System. Some of the churches I have helped over the years use this CMS application service provider. I had previously evaluated the platform for a talk I did at MinistryCom. My conclusion was that I could recommend it for small churches on a small budget. My friend, Nathan Smith, came to other conclusions. But this week I took another look at how the E-zekiel URL scheme works. What I found was shocking.
Within the URL of any page hosted on the E-zekiel system are a SITE ID and a PAGE ID. For example, the URL string …/details.asp?id=29646&PID=361947 has a SITE ID of 29646 and a PAGE ID of 361947. While their SITE IDs are unique per customer, their PAGE IDs are global across all their clients; all PAGE IDs are in the same database table, I would guess. This model is normally not a problem in centrally hosted applications, because they are engineered to make sure the PAGE ID gets correlated to the appropriate SITE ID. But as E-zekiel implemented it, no such correlation is enforced: you can insert the PAGE ID of any E-zekiel customer’s page into the URL of any other E-zekiel customer’s site, and it renders in that site’s design.
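The lookup defect described above, as an added example that is not E-zekiel’s code: a small Python/sqlite3 model of a multi-tenant page table with the vulnerable lookup (by PAGE ID alone) beside the tenant-scoped one, plus the audit a hosting provider could run over request URLs to spot cross-tenant page requests. The `details.asp` parameter names `id` and `PID` follow the post; the table schema, site and page IDs, titles and URLs are constructed for the example.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed sample data standing in for a multi-tenant CMS table: every page of
# every customer lives in one table keyed by a global page_id, and each row
# records the site_id that owns it. IDs and titles are made up for this example.
PAGES = [
    # (page_id, site_id, title)
    (1001, 100, "Example Church A - Welcome"),
    (1002, 100, "Example Church A - Giving"),
    (2001, 200, "Example Church B - Home"),
    (2002, 200, "Example Church B - What We Believe"),
]


def make_db():
    """Build an in-memory database holding the constructed page table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pages ("
        " page_id INTEGER PRIMARY KEY,"
        " site_id INTEGER NOT NULL,"
        " title   TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", PAGES)
    return conn


def parse_request(url):
    """Extract (site_id, page_id) from a details.asp-style URL such as
    .../details.asp?id=29646&PID=361947 (parameter names as in the post)."""
    qs = parse_qs(urlsplit(url).query)
    return int(qs["id"][0]), int(qs["PID"][0])


def render_vulnerable(conn, site_id, page_id):
    """The behaviour the post describes: the page is fetched by its global
    PAGE ID alone. site_id only selects the design/template and never
    constrains the query, so any customer's page renders inside any site."""
    row = conn.execute(
        "SELECT title FROM pages WHERE page_id = ?", (page_id,)
    ).fetchone()
    if row is None:
        return None
    return {"site_id": site_id, "title": row[0]}


def render_fixed(conn, site_id, page_id):
    """Tenant-scoped lookup: the PAGE ID must belong to the SITE ID carried in
    the same URL. A mismatch yields no row, which the handler turns into a 404
    instead of falling back to a lookup by page_id alone."""
    row = conn.execute(
        "SELECT title FROM pages WHERE page_id = ? AND site_id = ?",
        (page_id, site_id),
    ).fetchone()
    if row is None:
        return None
    return {"site_id": site_id, "title": row[0]}


def audit_requests(conn, urls):
    """Defender's check over request URLs (for instance pulled from web-server
    logs): return the URLs whose PAGE ID is owned by a different SITE ID than
    the one in the same URL, i.e. the cross-tenant requests the post warns about.
    Unknown page IDs are ignored; they are ordinary 404s, not tenant mixing."""
    mismatched = []
    for url in urls:
        site_id, page_id = parse_request(url)
        owner = conn.execute(
            "SELECT site_id FROM pages WHERE page_id = ?", (page_id,)
        ).fetchone()
        if owner is not None and owner[0] != site_id:
            mismatched.append(url)
    return mismatched


if __name__ == "__main__":
    conn = make_db()
    # Site 100's design, but Site 200's "What We Believe" page: the cross-tenant case.
    site, page = parse_request("http://example.invalid/details.asp?id=100&PID=2002")
    print("vulnerable:", render_vulnerable(conn, site, page))  # site 200's page, in site 100's design
    print("fixed:     ", render_fixed(conn, site, page))       # None -> 404
```

The fix is the single extra predicate in `render_fixed`: a page is addressable only through the site that owns it. `audit_requests` is the retrospective version of the same check, useful for finding out whether cross-tenant URLs were already being served before the lookup was tightened.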
Under the right circumstances, this allows any number of social engineering opportunities. For instance, someone could use automated methods to generate URLs and then promote those links elsewhere on the internet. Suddenly you could have a generic donation opportunity on thousands of pages that get indexed by search engines. Someone searches for “Example Baptist Church + Giving” and gets the donation page content of a fake non-profit, an easy bait and switch. After all, the user saw the donation opportunity on their preferred organization’s website, didn’t they? (As an aside, I wonder what ECFA implications this would have.)
Or, a group of covert liberals could put a political endorsement for a given Presidential candidate on every E-zekiel church site. While it is true that the actual sites of the churches would not link directly to the endorsement or donation opportunity, there are enough known link propagation methods to make the links as popular as they need to be to get some search engine traffic to thousands of E-zekiel hosted domains. Suddenly you have churches trying to defend a political endorsement they say they never made. But the web user saw it on the church’s website, didn’t they? Flickr screenshots would be all the rage. I can see it now!
The following links (hopefully they won’t work by the time you read this) are examples of the problem and DO NOT represent things that are part of Bob Buford’s ministry and life. I respect the man and am picking on his site only because I favor his design over other sites built with the E-zekiel tool and because highlighting his site might bring some attention his way from a demographic that otherwise might not know who he is.
The Ministry Leadership Development program that is not Bob’s, but is Beeson Divinity School’s.
What Bob Buford Believes (maybe/maybe not).
Bob Buford’s Giving Campaign (not really).
Bob Assigning Copyright To Someone Else (not really).
E-zekiel Selling Services on Bob’s Site.
Bob Teaching Others How to use E-zekiel (not really).
There are literally millions of ways in which this bug/feature could be used to make ministries look bad or confuse their message. Post some in the comments if you can think of some good ones. True, I have been a little doomsday in this write-up. Even so, for now I am changing my recommendation from “buy” to a “beware” on the E-zekiel Content Management System.
I will update this post if I learn more or when they fix the problem.
[UPDATE 01/14/07 - 9:55 pm CT]
Upon sending an email to email@example.com as well as the email of their employee responsible for bug tracking, I received the following, which I imagine is an autoresponder:
This is just a quick note to let you know E-zekiel.com has received your support request. A member of our Technical Support Team will address this issue immediately.
Barring any special circumstances with your situation, we will have you an answer today or at the very latest within 24 business hours.
If you have any additional questions or concerns or if we have not responded within 24 business hours please call us.
Technical Support is available:
Monday through Friday
8:00am to 6:00pm Central Standard Time
Toll free: 1.888.942.6607.
Thank you for choosing E-zekiel.com
PS: Be sure to check out our online Help manual at http://help.e-zekiel.com
[UPDATE 01/15/07 - 3:20 pm CT]
Followed the links in my article to check up on how E-zekiel was coming and it appears they have implemented some kind of fix. They appear to be presenting a 404 page, though it is showing up more like an iframe. So far, I have not heard back from their support team.
[UPDATE 01/15/07 - 4:15 pm CT]
Just received an email from a fellow named Todd Cotton from Axletree Media, the company behind the E-zekiel Content Management System. It addresses my proposed “misuse of an undocumented content sharing feature”. A very thoughtful and careful response, I thought (see below).
Though I seriously have questions about leaving this functionality in place for 8 years at the risk of their non-profit customers’ credibility… especially one that only took five minutes to “turn off”. Social engineering is not new… and Todd clearly has some context of other companies having messed up in the past. So in that regard, I am disappointed and think they should be more responsible by auditing their system periodically for feature bloat and vulnerabilities of all sorts. Even so, he did own the mistake. I recognize a humble and professional response when I get one. So, say all you want about the interface of E-zekiel or its lack of quality templates out of the box, I am impressed with how he handled this and I am changing my recommendation from a “beware” to a “be sure to look at all your options”.
To Todd, keep up the open dialogs with both customers and critics. You guys do a heap of good in a niche space that is not easy to run a profitable business in. There are plenty of churches using your stuff every single day and wouldn’t live without it.
Jason, I appreciate your informing us of the potential misuse of an undocumented content sharing feature in the E-zekiel content management system. When we initially launched E-zekiel, we built the system to allow customers to seamlessly publish and subscribe to content from other E-zekiel sites. Because of denominational differences among the several thousand churches we serve, we left the plumbing for content sharing in the application, but never wrote an interface for it.
Obviously, times have changed and the eight-year-old feature stub needed to be removed. We still plan to implement some form of content sharing in the future. However, in light of the social engineering problems that have plagued companies from AOL to MySpace, we will certainly take great care in engineering a safe and effective content sharing solution.
Since your email was sent at 9:30 Friday evening, we were unable to meet your 48-hour deadline. However, the content sharing feature was turned off within five minutes of receiving a copy of your email this morning.
V.P. Technology and Engineering
Axletree Media, Inc.