amelierosalyn


CodeGrrl scripts: security flaw

Regarding these scripts and ONLY THESE SCRIPTS:

FA-PHPHosting, PHPCalendar, PHPClique, PHPCurrently, PHPFanBase and PHPQuotes

There is a serious vulnerability that can be, and already has been, exploited by hackers if the scripts are left unsecured. Read below for more details on what you can do.

This does NOT, repeat NOT affect my script, PHPAskIt. Please do not keep contacting me asking which file to replace - PHPAskIt, although a CodeGrrl script, is not based on PHPFanBase like the scripts mentioned above and is therefore not vulnerable to the attack.

Spread the word!

Edit: Ok, so all affected scripts have been removed from CG. As I said above, PHPAskIt is not affected by the recent hackings and security vulnerabilities and, just to make doubly sure, I've even updated it slightly. Once CG give me the go ahead, I'll put it up again.

If you're using ANY of the scripts mentioned at the top of this post, do this immediately:

  1. Open up protection.php and add this code to the very top (but underneath the opening <? ):

    if ('protection.php' == basename($_SERVER['SCRIPT_FILENAME']))
    die ('Please do not load this page directly. Thank you.');

  2. Find this line AND DELETE IT:

    $logout_page = "$siteurl";

  3. Find these lines:

    setcookie("logincookie[user]","",time() - 86400);
    include($logout_page);
    exit;

  4. Change them to look like this:

    setcookie("logincookie[user]","",time() - 86400);
    include("login.php");
    exit;
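To make the reasoning behind the four steps concrete, here is an added example that is not code from the CodeGrrl scripts: a simplified protection.php that puts the original logout pattern beside the hardened form. It assumes `$siteurl` is meant to come from the script's config file; the function names and the small allow-list of local pages are my own.

```php
<?php
// Added example, not the CodeGrrl code. It illustrates why the four steps
// above close the hole.

// Step 1: refuse to run if someone requests protection.php directly instead
// of reaching it through a script that include()s it.
if ('protection.php' == basename($_SERVER['SCRIPT_FILENAME'])) {
    die('Please do not load this page directly. Thank you.');
}

// --- The original pattern (kept only to show the risk) --------------------
// With register_globals on, every request parameter becomes a PHP variable.
// If $siteurl has not been set by the config before this point, a request
// parameter named siteurl decides what $logout_page is, and include() of
// that value can pull in a file, or a remote URL when the PHP build's
// allow_url_fopen / allow_url_include settings permit it.
function vulnerable_logout()
{
    global $siteurl;
    $logout_page = "$siteurl";                      // line removed in step 2
    setcookie("logincookie[user]", "", time() - 86400);
    include($logout_page);                          // attacker-influenced include
    exit;
}

// --- Hardened pattern (steps 3 and 4) --------------------------------------
// The include target is a fixed literal, so no request variable can redirect
// it to another file or another host.
function hardened_logout()
{
    setcookie("logincookie[user]", "", time() - 86400);
    include("login.php");
    exit;
}

// Defence in depth (my addition, beyond the post's fix): if a script really
// needs a configurable post-logout page, resolve the configured name against
// a closed list of known local files instead of handing the string to
// include(). Anything not on the list falls back to login.php.
function safe_include_page($requested)
{
    $allowed = array('login.php', 'index.php');     // constructed allow-list
    if (!in_array($requested, $allowed, true)) {
        $requested = 'login.php';
    }
    include(__DIR__ . DIRECTORY_SEPARATOR . $requested);
}
```

The two logout functions differ in one line only: the hardened one never lets a value that can originate in the request reach `include()`. That is the whole point of steps 2 to 4; step 1 stops the file being driven on its own, before any of the surrounding script has set the variables it expects.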

The official fix didn't work for me, which is why I suggest you use this one: it stops hackers from reaching protection.php directly, and it removes the ability to include an arbitrary site by way of $siteurl. Apply some sort of fix as soon as possible.

Edit #2: PHPAskIt DOES NOT REQUIRE REGISTER_GLOBALS TO BE ON. YOU CAN USE IT WITHOUT ANY PROBLEMS!

Please note: this post is now over a decade old.

Older posts are archived for historical reasons and also for those who may find their contents useful. Facts, links or opinions within this article are likely to have changed; the article itself may also no longer represent my own views on the subject. Please bear this in mind when reading these posts.

Comments (6)

  1. thank you for the fixes, I've added them to my scripts :)
    I'm using FanAdmin, so I deleted all that stuff from my folder. I just hope FanAdmin won't be hacked sooner or later :/

    Adastra

  2. Wow Amelie.. I bet you have a headache already don't you? :(

    Jamie

  3. Thank you so much for the fixes! Thank goodness for people like you with healthy, juicy PHP brainmeats!

    Bex

  4. Thanks so much for doing this! My site was one of the ones that was defaced, so I'm really glad to have this fix. :)

    Meggan

  5. Wow. I now don't regret never switching to php. Do you know if Waks ask and answer is safe? It's the only php script I have.

    Kirsty

  6. It should be ok but remember that nothing is 100% secure. So far it looks like it's ok, I haven't heard of anyone being hacked using Wak's scripts yet. :)

    Amelie
