amelierosalyn

Skip navigation

All posts tagged with "Scripts"

Akismet for Guestblock

I'm not sure if anyone else has done this or not, but since my Guestblock started getting ridiculously spammed yesterday (I've only had it about 2 weeks!), I decided to do something about it. The built-in spam protection wasn't working, and blocking IP addresses is about as useful as telling those spammers how naughty they are for leaving their messages all over your site. Tut.

Sooo. After successfully implementing Akismet into my CMS a while ago, I wondered whether I'd be able to do the same for Guestblock (the main site is kind of dead right now). Lo and behold, I have successfully done it.

If anyone is interested in the modification for their guestblocks, let me know. Please note that in order to use the Akismet anti-spam system you must have an account at Wordpress.com.

Woo!

PHPAskIt Security Vulnerability

It has been brought to my attention that there is a serious security vulnerability within all versions of PHPAskIt, which states that the conversion scripts for Wak's Ask&Answer and the classic Ask&Answer can be hacked through the directory variables.

The security vulnerability is a hoax. The import files CANNOT be hacked through the $qadir and $dir variables even with register_globals on.

I find it such a shame that the person who discovered this has gone round telling everyone who will listen that my script's insecure (and every major security site there is) but 1) won't inform me (I found out through a Google search) and 2) makes things up. I've contacted them several times but each time the mail has bounced back. *Rolls eyes* How mature.

CodeGrrl scripts: security flaw

Regarding these scripts and ONLY THESE SCRIPTS:

FA-PHPHosting, PHPCalendar, PHPClique, PHPCurrently, PHPFanBase and PHPQuotes

There is a serious vulnerability that can and has been exploited by hackers if left unsecured. Read below for more details on what you can do.

This does NOT, repeat NOT affect my script, PHPAskIt. Please do not keep contacting me asking which file to replace - PHPAskIt, although a CodeGrrl script, is not based on PHPFanBase like the scripts mentioned above and is therefore not vulnerable to the attack.

Spread the word!

Edit: Ok, so all affected scripts have been removed from CG. As I said above, PHPAskIt is not affected by the recent hackings and security vulnerabilities and, just to make doubly sure, I've even updated it slightly. Once CG give me the go ahead, I'll put it up again.

If you're using ANY of the scripts mentioned at the top of this post, do this immediately:

  1. Open up protection.php and add this code to the very top (but underneath the opening <? ):

    if ('protection.php' == basename($_SERVER['SCRIPT_FILENAME']))
    die ('Please do not load this page directly. Thank you.');

  2. Find this line AND DELETE IT:

    $logout_page = "$siteurl";

  3. Find these lines:

    setcookie("logincookie[user]","",time() - 86400);
    include($logout_page);
    exit;

  4. Change them to look like this:

    setcookie("logincookie[user]","",time() - 86400);
    include("login.php");
    exit;

The official fix didn't work for me, which is why I suggest you use this one - it stops hackers from getting to the protection.php file directly, and takes the ability to include any site as $siteurl away. Apply some sort of fix as soon as possible.

Edit #2: PHPAskIt DOES NOT REQUIRE REGISTER_GLOBALS TO BE ON. YOU CAN USE IT WITHOUT ANY PROBLEMS!