CodeGrrl PHP scripts vulnerability

[Mura]

[quote name='Daisy' date='Nov 18 2005, 02:39 PM']Thank you so much for posting this information before anything drastic could've happened!  I would love to switch to Enthusiast but it's confusing to me for some reason and I love my Fanbase!  *hugs it*  I've replaced all my protection.php files.  Thank you again!

[post=\"116783\"]<{POST_SNAPBACK}>[/post]

[/quote]


Hmm... the CodeGrrl staff say that there are additional security flaws that they haven't fixed. So  the edited script won't necesarily be enough. Just so you know.

[Firefly]

[quote name='Mura' date='Nov 18 2005, 06:40 PM'][quote name='Daisy' date='Nov 18 2005, 02:39 PM']Thank you so much for posting this information before anything drastic could've happened!  I would love to switch to Enthusiast but it's confusing to me for some reason and I love my Fanbase!  *hugs it*  I've replaced all my protection.php files.  Thank you again!

[post=\"116783\"]<{POST_SNAPBACK}>[/post]

[/quote]


Hmm... the CodeGrrl staff say that there are additional security flaws that they haven't fixed. So  the edited script won't necesarily be enough. Just so you know.

[post=\"116829\"]<{POST_SNAPBACK}>[/post]

[/quote]

Which is why I made up my own script for my two hostees.  I rather not take the risk.  =.=

[Annie]

Just thought I'd add that the developer of FanAdmin has said that it is safe for FanAdmin users to delete admin.php, login.php, invalidlogin.php, and protection.php files from their fanlistings (since you do all the admin stuff through FanAdmin)  :kitty:

[kirisame]

[quote name='Annie' date='Nov 19 2005, 08:42 AM']Just thought I'd add that the developer of FanAdmin has said that it is safe for FanAdmin users to delete admin.php, login.php, invalidlogin.php, and protection.php files from their fanlistings (since you do all the admin stuff through FanAdmin)  :kitty:

[post=\"116946\"]<{POST_SNAPBACK}>[/post]

[/quote]
But what if the hacker attacks the FanAdmin files instead? Is there a way to prevent that?

[Syaokura]

Phew. When I heard about hackers trying to hack through Codegrrl-powered sites, I immediately edited the protection.php from all of my fanlistings.

[Angela]

[quote name='Annie' date='Nov 19 2005, 01:42 AM']Just thought I'd add that the developer of FanAdmin has said that it is safe for FanAdmin users to delete admin.php, login.php, invalidlogin.php, and protection.php files from their fanlistings (since you do all the admin stuff through FanAdmin) 

[post=\"116946\"]<{POST_SNAPBACK}>[/post]

[/quote]

One host pinpointed FanAdmin as also vulnerable -- at least according to this post from a CodeGrrl member :kitty:

[Jonathan]

[quote name='kirisame' date='Nov 19 2005, 08:51 AM']But what if the hacker attacks the FanAdmin files instead? Is there a way to prevent that?

[post=\"117022\"]<{POST_SNAPBACK}>[/post]

[/quote]
100% security is 100% Unobtanium - it's a myth, can't happen, no such thing.
That being said, once that is understood, should people live in fear every day? No. Instead, keep tabs on the person providing your code; make sure you're running the latest version. Maybe this is a good opportunity to grab a book on PHP and try to learn it, though making code bulletproof requires a lot of experience and knowledge.

As far as preventing exploits on FanAdmin, specifically, that would require an audit of the code to see what it does, how it does it, and why. A non-specific thing that you can check is to make sure everything is not world-writable, unless it is absolutely necessary for a script to function - and in that case modify the permissions on only the files and directories necessary.

[quote name='Angela' date='Nov 20 2005, 05:02 PM']One host pinpointed FanAdmin as also vulnerable -- at least according to this post from a CodeGrrl member :kitty:

[post=\"117305\"]<{POST_SNAPBACK}>[/post]

[/quote]
*shudder*
pwned. That person needs to change all her passwords and account information NOW.