A few of us developers went around today, after a Google search for "Powered by: Geeklog" and a few other strings that point to Geeklog installs, checking security. I must say: MANY OF YOU ARE WAY INSECURE.

I thought I'd try to help out, so I've made a new phpblock for you, getBent(), that will tell you if your site is grossly insecure. It only checks two things: whether any Admin account still uses the default password "password", and whether /admin/install/install.php is still sitting in your webroot where anyone can run it. Either of these could cost you your whole site.

Below is the code you want to put in your lib-custom.php.

/***
*
* getBent()
*
* PHP function to tell you if your site is grossly insecure
*
**/
function phpblock_getBent()
{
        global $_CONF, $_TABLES;
        $secure = true;

        $retval = '';

        $secure_msg  = 'Could not find any gross insecurities in your site.  Do not take this ';
        $secure_msg .= 'as meaning your site is 100% secure, as no site ever is.  I can only ';
        $secure_msg .= 'check things that should be blatantly obvious';

        $insecure_msg = '';

        // The install script should be deleted once the site is set up.
        $file = $_CONF['path_html'] . 'admin/install/install.php';

        if ( $decperms = @fileperms($file) ) {
                // fileperms() returns the mode with the file-type bits, e.g. 0100644 for
                // a regular file. Keep the last three octal digits (owner/group/other)
                // and flag anything looser than 774, i.e. a file everyone on the host
                // can write or execute.
                $octalperms = sprintf("%o", $decperms);
                $perms = substr($octalperms, -3);
                if ( $perms > 774 ) {
                        $insecure_msg .= '<br>We were able to access: ' . $file;
                        $insecure_msg .= ' allowing this gives a malicious user the ability to';
                        $insecure_msg .= ' destroy your current install and take over your site.';
                        $insecure_msg .= '<br>';
                        $secure = false;
                }
        }

        // Check to see if any Admin still has 'password' as its password.
        // Geeklog stores passwords as MD5 hashes, so compare against md5('password').
        $sql = "SELECT COUNT(*) AS count FROM {$_TABLES['users']} "
             . "WHERE username LIKE '%Admin' AND passwd = '" . md5('password') . "'";
        $count = DB_query($sql);
        $A = DB_fetchArray($count);
        if ( $A['count'] > 0 ) {
                $secure = false;
                $insecure_msg .= '<br>You still have not changed some default Admin password from "password"; ';
                $insecure_msg .= 'this will allow people to do serious harm to your site<br>';
        }

        if ( $secure ) {
                $retval = $secure_msg;
        } else {
                $retval = $insecure_msg;
        }

        // Wrap to the narrow width of a side block.
        $retval = wordwrap($retval, 20, '<br>', 1);

        return $retval;
}
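If you would rather run the same two checks from a shell on the server instead of inside a phpblock, here is an added stand-alone audit script. It is example code written for this page, not part of Geeklog or of the phpblock above. It assumes the install script lives at admin/install/install.php under the webroot, as the phpblock does, and that you hand it the user rows as (username, passwd) pairs pulled from the users table yourself. It goes a little beyond the phpblock: the install script's presence in the webroot and its world-writability are reported separately, rather than through the single "perms > 774" comparison, because a PHP file is reachable by URL no matter what its execute bits say.

```python
"""Offline audit of the two gross insecurities the getBent() phpblock looks for."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, Iterable, List, Tuple

# Assumed location of the installer, relative to the webroot (same path the phpblock builds).
INSTALL_SCRIPT = os.path.join("admin", "install", "install.php")

# MD5 of the literal string "password", which is what the phpblock compares the passwd column against.
DEFAULT_PASSWORD_MD5 = hashlib.md5(b"password").hexdigest()


def audit_install_script(webroot: str) -> Dict[str, object]:
    """Report whether admin/install/install.php is still under the webroot and how it is protected.

    Presence alone is the serious finding: anyone can request the script by URL.
    World-writability is reported separately: anyone on the host could replace it.
    """
    path = os.path.join(webroot, INSTALL_SCRIPT)
    result: Dict[str, object] = {
        "path": path, "exists": False, "mode": None,
        "world_writable": False, "world_executable": False,
    }
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return result  # installer already removed: nothing to report
    mode = stat.S_IMODE(st.st_mode)  # permission bits only, no file-type bits
    result.update(
        exists=True,
        mode=f"{mode:o}",
        world_writable=bool(mode & stat.S_IWOTH),
        world_executable=bool(mode & stat.S_IXOTH),
    )
    return result


def default_admin_accounts(rows: Iterable[Tuple[str, str]]) -> List[str]:
    """Return usernames ending in 'Admin' whose stored hash equals MD5('password').

    `rows` are (username, passwd) pairs as the phpblock's query would see them.
    """
    return [
        user for user, pw_hash in rows
        if user.endswith("Admin") and pw_hash.lower() == DEFAULT_PASSWORD_MD5
    ]


def gross_insecurities(webroot: str, rows: Iterable[Tuple[str, str]]) -> List[str]:
    """Combine both checks into a list of findings (empty list means nothing obvious)."""
    findings: List[str] = []
    info = audit_install_script(webroot)
    if info["exists"]:
        findings.append(f"{info['path']} is still in the webroot (mode {info['mode']}); delete it")
    if info["world_writable"]:
        findings.append(f"{info['path']} is world-writable; anyone on the host can replace it")
    for user in default_admin_accounts(rows):
        findings.append(f"account {user!r} still uses the default password 'password'")
    return findings


def make_sample_webroot(mode: int) -> str:
    """Constructed test fixture: a throwaway webroot containing an install.php with the given mode."""
    webroot = tempfile.mkdtemp(prefix="geeklog-audit-")
    target = os.path.join(webroot, INSTALL_SCRIPT)
    os.makedirs(os.path.dirname(target))
    with open(target, "w") as fh:
        fh.write("<?php /* constructed stand-in for the real installer */\n")
    os.chmod(target, mode)
    return webroot


# Constructed sample rows: one real offender, one renamed admin with a different hash, one non-admin.
SAMPLE_ROWS = [
    ("Admin", DEFAULT_PASSWORD_MD5),
    ("SiteAdmin", hashlib.md5(b"hunter2").hexdigest()),
    ("Guest", DEFAULT_PASSWORD_MD5),  # not an Admin account, so not reported
]

if __name__ == "__main__":
    demo_root = make_sample_webroot(0o777)
    for line in gross_insecurities(demo_root, SAMPLE_ROWS):
        print("INSECURE:", line)
```

Run it against the real site with `gross_insecurities('/path/to/public_html', rows)` after pulling the rows with something like `SELECT username, passwd FROM users`. An empty list means the same thing as the phpblock's "could not find any gross insecurities" message, and no more than that.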