If by now you aren't aware of the serious vulnerabilities that exist within CodeGrrl.com's most popular scripts then I would recommend that you educate yourself as a matter of urgency.
As a result of the above vulnerability, I have recently discovered that certain people have been telling others to delete the affected file, protection.php, to avoid being hacked.
DO NOT DO THIS.
Deleting protection.php takes away the admin panel's password protection and you will be leaving your scripts wide open to much more than hacking.
At first I thought it was just a misinformed user telling others what they thought was best - I was wrong. Today I was alerted to the fact that it is in fact Surpass Hosting that is spreading this very seriously incorrect advice.
Please spread the word about this. Deleting protection.php is about as secure as leaving it unpatched on the server. You WILL be hacked if you leave it unpatched, and you will also be hacked if you delete it. If you've deleted protection.php, put it back as soon as possible and tell anyone else who may have deleted it to do the same.
If you are at all worried about running PHPFanBase or any other affected CodeGrrl.com script and have decided against keeping said scripts, you need to delete ALL the files associated with the scripts, not just protection.php.
Oh, and Surpass have apparently banned my script, PHPAskIt, because they believed the recent security vulnerability hoax that stated that my script could be hacked like the rest of the CG scripts. It CAN'T. It is not based on PHPFanBase like the vulnerable CodeGrrl scripts are, and can NOT be hacked through protection.php (there is no such file anyway) or through any similar method in other files.
It has been brought to my attention that there is a serious security vulnerability within all versions of PHPAskIt, which states that the conversion scripts for Wak's Ask&Answer and the classic Ask&Answer can be hacked through the directory variables.
The security vulnerability is a hoax. The import files CANNOT be hacked through the $qadir and $dir variables even with register_globals on.
I find it such a shame that the person who discovered this has gone round telling everyone who will listen that my script's insecure (and every major security site there is) but 1) won't inform me (I found out through a Google search) and 2) makes things up. I've contacted them several times but each time the mail has bounced back. *Rolls eyes* How mature.
Regarding these scripts and ONLY THESE SCRIPTS:
FA-PHPHosting, PHPCalendar, PHPClique, PHPCurrently, PHPFanBase and PHPQuotes
There is a serious vulnerability that can and has been exploited by hackers if left unsecured. Read below for more details on what you can do.
This does NOT, repeat NOT affect my script, PHPAskIt. Please do not keep contacting me asking which file to replace - PHPAskIt, although a CodeGrrl script, is not based on PHPFanBase like the scripts mentioned above and is therefore not vulnerable to the attack.
Spread the word!
Edit: Ok, so all affected scripts have been removed from CG. As I said above, PHPAskIt is not affected by the recent hackings and security vulnerabilities and, just to make doubly sure, I've even updated it slightly. Once CG give me the go ahead, I'll put it up again.
If you're using ANY of the scripts mentioned at the top of this post, do this immediately:
-
Open up protection.php and add this code to the very top (but underneath the opening <? ):
if ('protection.php' == basename($_SERVER['SCRIPT_FILENAME']))
die ('Please do not load this page directly. Thank you.');
-
Find this line AND DELETE IT:
$logout_page = "$siteurl";
-
Find these lines:
setcookie("logincookie[user]","",time() - 86400);
include($logout_page);
exit;
-
Change them to look like this:
setcookie("logincookie[user]","",time() - 86400);
include("login.php");
exit;
The official fix didn't work for me, which is why I suggest you use this one - it stops hackers from getting to the protection.php file directly, and takes the ability to include any site as $siteurl away. Apply some sort of fix as soon as possible.
Edit #2: PHPAskIt DOES NOT REQUIRE REGISTER_GLOBALS TO BE ON. YOU CAN USE IT WITHOUT ANY PROBLEMS!