amelierosalyn

1 post from November 2005

CodeGrrl scripts: security flaw

Regarding these scripts and ONLY THESE SCRIPTS:

FA-PHPHosting, PHPCalendar, PHPClique, PHPCurrently, PHPFanBase and PHPQuotes

There is a serious vulnerability that can be, and has been, exploited by hackers if left unsecured. Read below for more details on what you can do.

This does NOT, repeat NOT affect my script, PHPAskIt. Please do not keep contacting me asking which file to replace - PHPAskIt, although a CodeGrrl script, is not based on PHPFanBase like the scripts mentioned above and is therefore not vulnerable to the attack.

Spread the word!

Edit: OK, so all affected scripts have been removed from CG. As I said above, PHPAskIt is not affected by the recent hackings and security vulnerabilities and, just to make doubly sure, I've even updated it slightly. Once CG give me the go-ahead, I'll put it up again.

If you're using ANY of the scripts mentioned at the top of this post, do this immediately:

  1. Open up protection.php and add this code to the very top (but underneath the opening <? ):

    if ('protection.php' == basename($_SERVER['SCRIPT_FILENAME']))
        die ('Please do not load this page directly. Thank you.');

  2. Find this line AND DELETE IT:

    $logout_page = "$siteurl";

  3. Find these lines:

    setcookie("logincookie[user]","",time() - 86400);
    include($logout_page);
    exit;

  4. Change them to look like this:

    setcookie("logincookie[user]","",time() - 86400);
    include("login.php");
    exit;

The official fix didn't work for me, which is why I suggest you use this one - it stops hackers from getting to the protection.php file directly, and takes the ability to include any site as $siteurl away. Apply some sort of fix as soon as possible.
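To confirm that the edits in steps 1 to 4 landed in every copy of protection.php on a host, a small checker can look for the guard and for the two constructs that should be gone. This is an added example, not code from this post or from CodeGrrl; the function names and sample file contents are constructed, and the patterns match only the code forms quoted in the steps above.

```python
import re
from pathlib import Path

# Patterns mirror the code fragments quoted in steps 1-4 of the post.
GUARD = re.compile(
    r"if\s*\(\s*['\"]protection\.php['\"]\s*===?\s*basename\s*\(\s*"
    r"\$_SERVER\s*\[\s*['\"]SCRIPT_FILENAME['\"]\s*\]\s*\)\s*\)\s*\{?\s*(?:die|exit)\b")
LOGOUT_ASSIGN = re.compile(r"\$logout_page\s*=\s*['\"]?\$siteurl\b")
VARIABLE_INCLUDE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*\$logout_page\b")

def audit_protection(php_source):
    """Return findings for one protection.php; an empty list means patched."""
    # Drop whole-line comments so a commented-out guard is not counted as present.
    code = "\n".join(line for line in php_source.splitlines()
                     if not line.lstrip().startswith(("//", "#")))
    findings = []
    if not GUARD.search(code):
        findings.append("step 1: direct-access guard missing")
    if LOGOUT_ASSIGN.search(code):
        findings.append("step 2: $logout_page is still set from $siteurl")
    if VARIABLE_INCLUDE.search(code):
        findings.append("steps 3-4: logout still includes $logout_page")
    return findings

def audit_tree(root):
    """Audit every protection.php below root; returns {path: findings}."""
    return {str(p): audit_protection(p.read_text(encoding="utf-8", errors="replace"))
            for p in Path(root).rglob("protection.php") if p.is_file()}

# Constructed samples: only the lines quoted in the post, not the real file.
UNPATCHED = """<?
$logout_page = "$siteurl";
setcookie("logincookie[user]","",time() - 86400);
include($logout_page);
exit;
"""
PATCHED = """<?
if ('protection.php' == basename($_SERVER['SCRIPT_FILENAME']))
    die ('Please do not load this page directly. Thank you.');
setcookie("logincookie[user]","",time() - 86400);
include("login.php");
exit;
"""

if __name__ == "__main__":
    print(audit_protection(UNPATCHED), audit_protection(PATCHED))
```

Point `audit_tree` at the web root; any path that maps to a non-empty list still needs the corresponding step applied.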

Edit #2: PHPAskIt DOES NOT REQUIRE REGISTER_GLOBALS TO BE ON. YOU CAN USE IT WITHOUT ANY PROBLEMS!