In the past, Deltik's products site, products.deltik.org, provided demos of the products published by Deltik from 2008 to 2011.  Some of these products have serious security or performance flaws that made them unsuitable for demoing on Deltik.

 

As a result, the old products, now collectively called the "Legacy Deltik Products", have been taken off of the demo site and published as an unsupported archive.

 

The Legacy Deltik Products can be copied to any web server running PHP 5, and they should run roughly as they did on Deltik.  Note that some paths were hard-coded and may break on your web server if you aren’t pretending to use the virtual host products.deltik.org.

 

You can find the products on the Legacy Deltik Products GitHub repo and clone them with this command: 

git clone https://github.com/Deltik/products-legacy.git

A .tar.xz archive containing only the products folder can be downloaded directly from GitHub or from Deltik.

 

Either of these commands performs the download and extraction into the current directory:

curl -L 'https://github.com/Deltik/products-legacy/raw/master/products.tar.xz' | tar -xJvf -

curl -L 'https://content.deltik.net/products/legacy/products.tar.xz' | tar -xJvf -

 

The GitHub repo contains a README.md file that explains what's included.

 

Currently, https://products.deltik.org/ just contains a static page explaining what happened to the Legacy Deltik Products.  If I choose to make something of the subdomain, I'll replace it with whatever succeeds the Legacy Deltik Products.

 

The demos ran on the same unprivileged user as the main Deltik website, which means that compromising one of the demos would allow an attacker to take control of Deltik.  I provide an example of a partial exploit in the extended version of this news post.  (I figured that it would be pointless to demonstrate a full exploit, since the demos are no longer running here.)

 

It was also possible to do some denial of service attacks and proxy some attacks through this server.  I present a high-level overview of some attack examples in the extended version of this news post.