The AnimeFanlistings Network Message Board

CodeGrrl PHP scripts vulnerability

Mura
[quote name='Daisy' date='Nov 18 2005, 02:39 PM']Thank you so much for posting this information before anything drastic could've happened!  I would love to switch to Enthusiast but it's confusing to me for some reason and I love my Fanbase!  *hugs it*  I've replaced all my protection.php files.  Thank you again!
[/quote]


Hmm... the CodeGrrl staff say that there are additional security flaws that they haven't fixed. So the edited script won't necessarily be enough. Just so you know.


Firefly
[quote name='Mura' date='Nov 18 2005, 06:40 PM'][quote name='Daisy' date='Nov 18 2005, 02:39 PM']Thank you so much for posting this information before anything drastic could've happened!  I would love to switch to Enthusiast but it's confusing to me for some reason and I love my Fanbase!  *hugs it*  I've replaced all my protection.php files.  Thank you again!
[/quote]

Hmm... the CodeGrrl staff say that there are additional security flaws that they haven't fixed. So the edited script won't necessarily be enough. Just so you know.
[/quote]

Which is why I made up my own script for my two hostees.  I'd rather not take the risk.  =.=


Annie
Just thought I'd add that the developer of FanAdmin has said that it is safe for FanAdmin users to delete admin.php, login.php, invalidlogin.php, and protection.php files from their fanlistings (since you do all the admin stuff through FanAdmin)  :kitty:


kirisame
[quote name='Annie' date='Nov 19 2005, 08:42 AM']Just thought I'd add that the developer of FanAdmin has said that it is safe for FanAdmin users to delete admin.php, login.php, invalidlogin.php, and protection.php files from their fanlistings (since you do all the admin stuff through FanAdmin)  :kitty:
[/quote]
But what if the hacker attacks the FanAdmin files instead? Is there a way to prevent that?


Syaokura
Phew. When I heard about hackers trying to hack through Codegrrl-powered sites, I immediately edited the protection.php from all of my fanlistings.


Angela
[quote name='Annie' date='Nov 19 2005, 01:42 AM']Just thought I'd add that the developer of FanAdmin has said that it is safe for FanAdmin users to delete admin.php, login.php, invalidlogin.php, and protection.php files from their fanlistings (since you do all the admin stuff through FanAdmin)  :(
[/quote]

One host pinpointed FanAdmin as also vulnerable -- at least according to this post from a CodeGrrl member :kitty:




Jonathan
[quote name='kirisame' date='Nov 19 2005, 08:51 AM']But what if the hacker attacks the FanAdmin files instead? Is there a way to prevent that?
[/quote]
100% security is 100% Unobtanium - it's a myth, can't happen, no such thing.
That being said, once that is understood, should people live in fear every day? No. Instead, keep tabs on the person providing your code; make sure you're running the latest version. Maybe this is a good opportunity to grab a book on PHP and try to learn it, though making code bulletproof requires a lot of experience and knowledge.

As far as preventing exploits on FanAdmin, specifically, that would require an audit of the code to see what it does, how it does it, and why. A non-specific thing that you can check is to make sure everything is not world-writable, unless it is absolutely necessary for a script to function - and in that case modify the permissions on only the files and directories necessary.

[quote name='Angela' date='Nov 20 2005, 05:02 PM']One host pinpointed FanAdmin as also vulnerable -- at least according to this post from a CodeGrrl member :kitty:
[/quote]
*shudder*
pwned. That person needs to change all her passwords and account information NOW.
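The permission check Jonathan describes above, as an added example that is not part of the thread or of any CodeGrrl/FanAdmin code: it lists every file and directory under a site root that has the world-writable bit set, so only the paths a script genuinely needs writable are left that way. The site layout built by `demo` (a `protection.php` and an `uploads/` directory) is constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a web root for world-writable files and directories.
# Usage: audit_world_writable /path/to/fanlisting

audit_world_writable() {
    root="$1"
    # -perm -0002 matches any file or directory whose "other" write bit is set
    find "$root" \( -type f -o -type d \) -perm -0002 2>/dev/null | sort
}

# Returns 0 when nothing under the root is world-writable, 1 otherwise,
# so it can be used as a gate before uploading or after a script update.
check_world_writable() {
    [ -z "$(audit_world_writable "$1")" ]
}

# Constructed demo tree: a typical fanlisting script plus an uploads folder
# that was carelessly chmod 777'd, which the audit should flag.
demo() {
    site=$(mktemp -d)/site
    mkdir -p "$site/uploads"
    printf '<?php // admin password check lives here\n' > "$site/protection.php"
    chmod 755 "$site" "$site/uploads"
    chmod 644 "$site/protection.php"
    chmod 777 "$site/uploads"          # the mistake the audit is meant to catch

    echo "World-writable paths under $site:"
    audit_world_writable "$site"        # prints only .../site/uploads

    chmod 755 "$site/uploads"           # tighten it back down
    if check_world_writable "$site"; then
        echo "clean: nothing world-writable remains"
    fi
    rm -rf "$(dirname "$site")"
}
```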