2 posts from September 2006

CodeGrrl scripts and Surpass Hosting

If by now you aren't aware of the serious vulnerabilities that exist within CodeGrrl's most popular scripts, then I would recommend that you educate yourself as a matter of urgency.

As a result of the above vulnerability, I have recently discovered that certain people have been telling others to delete the affected file, protection.php, to avoid being hacked.
Deleting protection.php takes away the admin panel's password protection and you will be leaving your scripts wide open to much more than hacking.

At first I thought it was just a misinformed user telling others what they thought was best - I was wrong. Today I was alerted to the fact that it is in fact Surpass Hosting that is spreading this very seriously incorrect advice.

Please spread the word about this. Deleting protection.php is about as secure as leaving it unpatched on the server. You WILL be hacked if you leave it unpatched, and you will also be hacked if you delete it. If you've deleted protection.php, put it back as soon as possible and tell anyone else who may have deleted it to do the same.

If you are at all worried about running PHPFanBase or any other affected script and have decided against keeping said scripts, you need to delete ALL the files associated with the scripts, not just protection.php.

Oh, and Surpass have apparently banned my script, PHPAskIt, because they believed the recent security vulnerability hoax that stated that my script could be hacked like the rest of the CG scripts. It CAN'T. It is not based on PHPFanBase like the vulnerable CodeGrrl scripts are, and can NOT be hacked through protection.php (there is no such file anyway) or through any similar method in other files.

Spam blogs

Jem wrote an article about this (and a blog entry), and I just had to pick up on it myself since I am seeing more and more of it going on.

Ok so let's say you've just bought your first domain. You've finally moved off free servers full of ads and you can make your site look exactly how you want without being restricted in terms of what you put where so you don't hide your hosts' ads. When I got my first domain, I was so happy to finally be free of adverts, as well as of course having a nice short name instead of

Right, so, after purchasing your domain, you suddenly notice you can't afford it any more. What to do? Cancel the hosting account and go back to free hosts until you make a bit of a saving? Oh no, you plaster your site with ads. Right. But that's not what annoys me most, I can deal with a couple of adverts here and there (except popups, I can't stand popups). What I find the most annoying these days is this sudden rise in "being paid to blog". Basically you write posts about a given topic, link some company 20985320958 times and you make dollaz. Easy. But say goodbye to your visitors - I won't be coming back to your site if it's full of this sort of thing:

The other day, I went shopping and it was really good! All the shops were really nice and I ended up buying loads of stuff!1!1!

Then I came home and decided we should move! We looked at online realtors and found ourselves the perfect home!

Fabricated blog entries full of keywords meant to up the PageRank of the company you're meant to be plugging. What I don't get is that I've seen countless sites full of these things, and each time there are loads of comments from idiots who obviously can't tell that it's a spam post (an intentionally spammy post, but a spammy post all the same). Gah. And these people who post these things - would they ever read an actual spammy site, i.e. one made by a bot? No, they wouldn't. At least two of the "paid to blog" bloggers I've seen go round actively reporting automated spam blogs. How would they like it if someone did that to them? I can't believe that these people still have visitors. Not one post they make is genuine any more.

In other news, I seem to have lost SpamAssassin since moving to my new host, so I now get all the spam sent to me delivered to my inbox. :( Before, SA would delete it all for me and I'd have a nice clean inbox to look at with only genuine emails arriving. Thunderbird is doing an excellent job of filtering things when they arrive, but it's annoying that they arrive in the first place. Oh well, at least people can actually get to my site now. I can live with a bit of email spam if it means my site isn't constantly down for people.