The AnimeFanlistings Network Message Board


Messages - Jonathan

1
News and Announcements / Senior Staff Change
« on: March 24, 2008, 01:57:57 PM »
Good luck out there!

2
Technical Support / Form Troubles.
« on: May 28, 2007, 01:01:45 PM »
If you can post a list of the forms you've sent in that you're wondering about, what category it was sent to, when it was sent and what email it was sent with, we'll look into it and let you know what we find!  :unsure:

3
It all depends on how the code is written. There are ways to reduce the amount of server resources used. Right now this message board is the largest culprit to server load, and there's not much I can do to optimize this code, so I'll do what I can to the code I can fix (i.e. the rest of the site). Thankfully our host hasn't complained about server load too much yet.  :pirate:

4
Development of a new backend is in progress (but going very slow, shame on me  :no: ). Changes will be coming to the browse pages. Additions, such as the ones suggested above, should be easier to implement.

5
Technical Support / Board Problems
« on: March 15, 2007, 07:53:28 PM »
After investigating the database that runs IPB, we found a problem and applied a fix that should take care of this problem. "Threads Viewed" data might be missing between March 7th and today, but no posts have been removed.

If you are still experiencing the problems described above, post in this thread to let me know and I'll look into it.

6
Problem description: http://board.animefanlistings.org/index.php?showtopic=12784

After investigating the database that runs IPB, we found a problem and applied a fix that should take care of this problem. "Threads Viewed" data might be missing between March 7th and today, but no posts have been removed.

If you are still experiencing the problems described above, post in that thread to let me know and I'll look into it.

7
Technical Support / Board Problems
« on: March 15, 2007, 07:25:10 PM »
The two problems might be related, believe it or not. We have opened a support ticket with IPB about the problem. According to our logs it started on the 12th. We'll let you know when it's fixed. Please continue to add any other odd behavior you experience.

8
Technical Support / Board Problems
« on: March 15, 2007, 04:21:04 PM »
Can you grab a screenshot of it breaking before it refreshes? Also, are you using IE7 by chance?

9
News and Announcements / New Senior Staffer!
« on: February 24, 2007, 02:49:56 PM »
Congratulations! :rofl:

10
News and Announcements / IPB "Portal" system disabled
« on: February 23, 2007, 07:14:50 PM »
The "portal" setup our message board vendor added with recent updates has been disabled. Server resources are tight enough as it is without the added overhead this caused. Besides, this is a message board, not a social-networking site. We do apologize for the inconvenience of taking away this interesting board feature. You can still view member profiles as you did before the portal system was added.

11
News and Announcements / Senior Staff Resignation
« on: November 29, 2006, 12:45:13 PM »
Congratulations! Don't be a stranger!  :hug:

12
General Questions and Discussion / Wikipedia
« on: November 21, 2006, 12:26:28 PM »
Great article. Thanks!  :)

Added slight change to the introductory paragraph:
Quote
Manga from other countries are listed at The Fanlistings Network.
changed to
Quote
Comics and animation from other countries are listed at The Fanlistings Network.
in an effort to reinforce that non-Japanese comics and animation should not be described as anime and manga.

13
Fanlistings Chit-Chat / CodeGrrl PHP scripts vulnerability
« on: November 20, 2005, 08:47:21 PM »
[quote name='kirisame' date='Nov 19 2005, 08:51 AM']But what if the hacker attacks the FanAdmin files instead? Is there a way to prevent that?
[/quote]
100% security is 100% Unobtanium - it's a myth, can't happen, no such thing.
That being said, once that is understood, should people live in fear every day? No. Instead, keep tabs on the person providing your code; make sure you're running the latest version. Maybe this is a good opportunity to grab a book on PHP and try to learn it, though making code bulletproof requires a lot of experience and knowledge.

As far as preventing exploits on FanAdmin, specifically, that would require an audit of the code to see what it does, how it does it, and why. A non-specific thing that you can check is to make sure everything is not world-writable, unless it is absolutely necessary for a script to function - and in that case modify the permissions on only the files and directories necessary.

[quote name='Angela' date='Nov 20 2005, 05:02 PM']One host pinpointed FanAdmin as also vulnerable -- at least according to this post from a CodeGrrl member :kitty:
[/quote]
*shudder*
pwned. That person needs to change all her passwords and account information NOW.

14
Fanlistings Chit-Chat / CodeGrrl PHP scripts vulnerability
« on: November 18, 2005, 03:21:59 PM »
[quote name='Mura' date='Nov 18 2005, 11:00 AM']So basically you're basically saying it would be best to provide additional conditionals to handle files that are not there and files that are not on the server, right?
[/quote]
The basic idea is to examine the data before you use it. In the case of the bit of code we're talking about, the proper solution would be to look at the QUERY_STRING variable, determine what file it's wanting to load, and have PHP check to see if the file exists and should be loaded here before trying to load it. Additional conditionals are also helpful, especially for development and debugging.

15
Fanlistings Chit-Chat / CodeGrrl PHP scripts vulnerability
« on: November 18, 2005, 01:11:44 PM »
[quote name='Mura' date='Nov 16 2005, 08:25 PM']Anyway, I suppose this sort of begs the question... does anyone (glances in Johan's general direction  :kitty: ) know about security risks in the method CodeGrrl used for dynamic includes?

Code:
   <?php
    include('header.inc');
    include 'config.php'; // you can include the config file here once
    if(!$_SERVER['QUERY_STRING']) {
    ?>
    
CONTENT

    <?php
    } elseif ($_SERVER['QUERY_STRING'] == "whatever") {
    ?>

CONTENT

    <?php
    } include('footer.inc');
    ?>

Could that be used to call external documents?[/quote]
Using the $_SERVER['QUERY_STRING'] method, at first glance, appears to be fine. (PHP.net documentation of pre-defined variables, including the $_SERVER array). The important bit is what the programmer does with that information. It is up to the programmer to, for example, check the 'QUERY_STRING' variable and make sure (1) the file exists, (2) the file is in the proper context (i.e. local vs. remote, basically not something the web server should not be accessing). THAT is where 99% of all vulnerabilities come from - programmers who do not check data the program receives. Never, ever trust your users to provide the right data. 99% of them will, but there will be that 1% who will input incorrect data because (1) they made a mistake, or (2) they're trying to break your program.
Quote
Hmmm... Sasha has taken the scripts offline due to other security risks. For the moment at least.

....


And for the record (just in case), my intention isn't to attack CodeGrrl... I love the site and the tutorials. I think we all understand that sometimes things like this just happen.
I am encouraged that they took the scripts off-line while they fix them. Though to be honest I am troubled by the statement "We are unsure at the moment where these issues lie and how to fix them[...]". I also do not intend to attack CodeGrrl. Tutorials and open source are a wonderful way for people to learn new methods, techniques, tools, especially since php.net is better as a dictionary and not very well suited to learning the language. However it is starting to appear to me (and this is all my opinion) that the programmers there haven't quite grasped the full understanding of how powerful PHP is, and why any implementation needs to be locked down tighter than a snare drum.
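
The check described in the two posts above (look at QUERY_STRING, confirm the file exists, confirm it is a local file the script is meant to load), written out as an added example; it is not part of the original posts and is not CodeGrrl's code. The `pages/` directory and the page names in the allow-list are assumptions made for illustration, and `header.inc` / `footer.inc` are taken from the quoted snippet.

```php
<?php
// Added example. Assumed layout: page fragments live in ./pages/ next to
// this script; the page names in PAGES are hypothetical.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';

// Allow-list: the only QUERY_STRING values this script acts on, each mapped
// to the local file it loads. The request never supplies a file name.
const PAGES = [
    ''      => 'home.inc',
    'rules' => 'rules.inc',
    'join'  => 'join.inc',
];

/**
 * Return the absolute path of the fragment to include, or null when the
 * request does not name a known page that exists inside PAGES_DIR.
 */
function resolvePage(string $query): ?string
{
    // Unknown keys are rejected outright, so user input never becomes a path.
    if (!array_key_exists($query, PAGES)) {
        return null;
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . PAGES[$query]);
    // (1) The file exists: realpath() returns false for a missing file.
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // (2) The file is in the proper context: once symlinks are resolved it
    //     must still sit under PAGES_DIR on the local filesystem.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$page = resolvePage($_SERVER['QUERY_STRING'] ?? '');
if ($page === null) {
    http_response_code(404); // set the status before any output is sent
}
include __DIR__ . '/header.inc';
if ($page === null) {
    echo '<p>Page not found.</p>';
} else {
    include $page;
}
include __DIR__ . '/footer.inc';
```

The snippet quoted in the post compares QUERY_STRING against fixed strings and never passes it to `include`; the allow-list keeps that property when the content moves out into separate files.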
