Setting up a WebJames Server

I don’t think it will stay up, free of problems, for long.

ORLY?

http://heyrick.ddns.net/

About two years so far (maybe three, I forget), no problems.

Gets hack attempts a lot (as evidenced by the logs) but since phpmyadmin (with many types of capitalisation) doesn’t exist, that’s about as far as it gets.

It has stayed up. It has kept working. My Pi hasn’t been compromised. To do that would likely need somebody versed in how exactly WebJames works to find a weakness to exploit. That pretty much narrows it down to us lot, doesn’t it? ;-)

Small non serious server? WebJames is “okay”. Just back up your SD card routinely, but then you do that anyway, right?

About two years so far (maybe three, I forget), no problems.

Its funny as I was replying to the last post I was thinking “where’s Rick…I’m sure he runs a WebJames server..!”

Would you have any qualms about sharing the webserver files over Samba/ShareFS to another RISC OS machine on the LAN so that they could be changed?

Just back up your SD card routinely, but then you do that anyway, right?

I do every so often…and I should be backing-up the backup but haven’t gotten around to clearing out the old hard drive that is going to be my backup of backups yet…maybe one day…

It has stayed up. It has kept working. My Pi hasn’t been compromised. To do that would likely need somebody versed in how exactly WebJames works to find a weakness to exploit. That pretty much narrows it down to us lot, doesn’t it? ;-)

Google tells me there are many free HTTP server vulnerability scanners available (some web-based, some downloadable). It’d be interesting to see if those are able to turn up any issues in WebJames. If they don’t find anything, then you’re probably right, and the only people you need to worry about hacking your server are Acorn users who are willing to put in the effort to find WebJames-specific vulnerabilities.

Google tells me there are many free HTTP server vulnerability scanners available (some web-based, some downloadable).

Actually one of the first things I plan to do…more out of curiosity. I was going to start with Shodan but it doesn’t appear to be working too well. It has correctly identified the back-door to my firewall but failed to identify that I have port 22 open for SSH into a Linux server I was testing!

Will try some of the others…

ShieldsUp is a good tester for external access routes into your network. Always ensure you have changed the default password for the router and you have WAN access to the router management disabled – you probably know all this. I also routinely switch off wireless access to the router management as well.

you have WAN access to the router management disabled

I never did have access to it over the WAN and thought up until a few hours ago that nobody else did either…turns out there is a backdoor and who knows what they can do there? (its a backdoor that I don’t have access to but apparently the ISP does?)

I also routinely switch off wireless access to the router management as well.

Not sure I can do that on my firmware either.

All in all…I think its time to get a new one!

Assuming for the moment that I have a nice shiny new one with a decent firewall—would you have any qualms about sharing the RISC OS webserver files via Samba/ShareFS over the LAN?

Assuming for the moment that I have a nice shiny new one with a decent firewall—would you have any qualms about sharing the RISC OS webserver files via Samba/ShareFS over the LAN?

That should be fine. (assuming WebJames does a decent job of validating filenames, to prevent pages accessing files which are outside the web data folder)

would you have any qualms about sharing the RISC OS webserver files via Samba/ShareFS over the LAN

Over the LAN? Not a problem. The router segregates that from the outside world. I run a VNC session (also configured to only accept connections from 192.168.1.x) that I use to check on the status of DVD rips and to shut down the PC when it’s done.

I used to use Webjames for developing, but that ended once I needed the php code to send emails. I totally failed to get that to work.
It all became rather academic once I needed MySQL, as I don’t believe that’s possible with Webjames.
It would be nice to find out if email can work from Webjames though.

I’ve just tested Webjames on RO5.28, and the rPi 3B locks up, needing ctrl-break to kill “unknown”. The same version runs on RO5.23 on a rPi2b.

The version of Webjames is dated 2007. I can’t find a later one.

Is this likely to be a problem with the latest RO or with the rPi 3B?

Edit: to answer my own question – it works on rpi2B and RO528, but locks up on rpi3B with RO528.

So is there any to run Webjames on rpi 3 or 4?

I’ve just tested WebJames on RO5.28, and the rPi 3B locks up, needing ctrl-break to kill “unknown”. The same version runs on RO5.23 on a rPi2b.
The version of WebJames is dated 2007. I can’t find a later one.

I have WebJames dated October 2016. (I would have to think where I got it from).

It runs quite happily with 5.24, RC16, 5.28 and 5.29 on a Pi 2, 3 and 4.

I don’t use email on a Ras Pi, but I don’t see why it should not work the WebJames

I thought I’d found that version here Webjames – RISC OS which was updated in 2016 and links to an ARM7 compatible version. However that version is dates 2013, and still crashes on an rPi 3B.

Mine claims to be 0.48 (05/05/07) (12-Apr-2013) but it’s had the ARMv7 !RunImage applied to it. Just google for the links.

I’ve now tracked down that “hidden” version here: Riscosports. The link is just over halfway down the page (search for “webjames”). It includes updated Webjames, and standalone !PHP. It starts without crashing on rpi 3B+. That’s all the testing I’ve done so far.