Welcome to Geeklog Friday, September 25 2020 @ 03:03 pm EDT

Security

Fix your Shoutbox!

  • Sunday, September 28 2003 @ 04:45 am EDT
  • Contributed by:
  • Views: 15,095
Security

As you may have seen, someone messed up the layout of the site yesterday by posting some HTML in the shoutbox. The shoutbox code doesn't filter HTML at all, which is, of course, a glaring omission.

So if you have the shoutbox installed on your site, you should fix it by adding a call to strip_tags in the following two lines:

$shout_name = COM_checkWords (strip_tags ($HTTP_POST_VARS["shout_name"]));
$shout_message = COM_checkWords (strip_tags ($HTTP_POST_VARS["shout_message"]));

The shoutbox code linked from the original announcement of the shoutbox has been fixed accordingly.

bye, Dirk
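The two lines above apply the fix at input time. The following is an added example, not Geeklog's own code, that places the unfiltered handling next to the fixed version and adds htmlspecialchars() when the shout is rendered, so anything that survives input filtering is displayed as text rather than interpreted as markup. COM_checkWords() is a Geeklog function; a pass-through stub stands in for it here, and the sample submission is constructed.

```php
<?php
// Added example (not Geeklog's own code). COM_checkWords() is a Geeklog
// function; this stub simply passes the string through so the file runs alone.
function COM_checkWords_stub($s) { return $s; }

// Constructed sample submission standing in for $HTTP_POST_VARS.
$post = [
    'shout_name'    => 'Bob <b>the</b> Builder',
    'shout_message' => 'Hello <i>world</i> & welcome to "Geeklog"',
];

// Before the fix: the submission is accepted as-is and later echoed into the page.
function shout_unfiltered(array $post) {
    return [
        'name'    => COM_checkWords_stub($post['shout_name']),
        'message' => COM_checkWords_stub($post['shout_message']),
    ];
}

// After the fix from the post: strip_tags() removes markup on input.
function shout_filtered(array $post) {
    return [
        'name'    => COM_checkWords_stub(strip_tags($post['shout_name'])),
        'message' => COM_checkWords_stub(strip_tags($post['shout_message'])),
    ];
}

// Output encoding when rendering a shout: <, >, &, and quotes are escaped so
// the browser never treats stored shout text as HTML, whichever path stored it.
function render_shout(array $shout) {
    return '<strong>' . htmlspecialchars($shout['name'], ENT_QUOTES, 'UTF-8')
        . '</strong>: ' . htmlspecialchars($shout['message'], ENT_QUOTES, 'UTF-8');
}

// Unfiltered path: tags survive storage but are rendered as literal &lt;b&gt; text.
echo render_shout(shout_unfiltered($post)), "\n";
// Filtered path: tags are gone before storage; output encoding still applies.
echo render_shout(shout_filtered($post)), "\n";
```

strip_tags() removes markup but leaves the text between the tags, so it is an input filter, not an output encoder; the render step is what keeps stored text from being interpreted by the browser.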

affix ownz u

  • Sunday, June 08 2003 @ 02:10 pm EDT
  • Contributed by:
  • Views: 6,907
Security

Hey folks. A number of my sites got hit on Friday with 'affix ownz u' - someone was able to replace my index.php with this text. It seems this is a vulnerability in PHP, so I upgraded.

Anyway, the new PHP seems secure, but breaks Geeklog. My plugins broke but I was able to fix them mostly with some quick coding. But now parts of base GL are broken. Basically anything that reads vars from the query string directly without the following GL functions:

COM_setArgNames(array('VarName1','VarName2'));
$VarName1 = COM_getArgument('VarName1');
$VarName2 = COM_getArgument('VarName2');

I found that staticpages works fine since it uses this, but the story editor does not, nor does 'article.php'. I can easily fix these myself but before I do, I wanted to know if fixes are planned. Also, what other parts of GL are affected?

thanks,
-Alan

Oops - got owned

  • Thursday, June 05 2003 @ 10:50 am EDT
  • Contributed by:
  • Views: 6,694
Security

Just a note of warning - someone hacked an old site of mine that was inactive - but in a sub directory and sub domain. I had forgotten about the site - and they uploaded an image that wasn't an image - and it gave them shell access which gave them much more than control of the sub domain. Just a warning to all - this is an easy exploit - the code was minimal and any old or test sites you have laying about need to have the ability to upload pics curtailed ASAP.

Stupid stupid me. I was "owned" for about 12 hours and I'm still assessing the damage.
