Is this script really so insecure?
Posted: Fri Jun 14, 2002 9:31 pm
by lc
Hia folks
Well a little while back I decided I wanted to write me a small flatfile bb in php... thus I did, and I actually like the thing.
But apparently someone figured out how to reach the admin functions and thought it would be cute to delete all registered users (not many) and delete the forum template as well. Grrrrrr. Why that's fun I do not know; why not instead inform me of the error I do not know... really smurfs me off (excuse my French).
You write a nice script and give it away for free to anyone who wants it... then some idiot... well, acts like the idiot he is.
Can someone perhaps take a minute to have a look-see to see if you can figure out what he did... then tell me so I can remedy it, 'cause I really would like to know how it's done.
The URL is:
http://www.alienhelpdesk.com/ahdbb.php
Oh and please don't go and alter anything
Thanks
LC
Posted: Mon Jun 17, 2002 7:50 am
by e+
I can't get the bb to work for me, has it been hacked again? I keep on getting lots of errors all over the show.
Warning: file("verybb/sections/A/threads.txt") - No such file or directory in /usr50/home/alienhel/public_html/verybb/bbinc/script/view_subsections.inc on line 9
I think this sort of thing would make a hacker's life much easier, as you are letting them view all your scripts and telling them what variable names you are using. My guess is they just passed a couple of variables along in your URL and broke your site that way. Just a guess.
Posted: Mon Jun 17, 2002 9:37 am
by qads
This is what could've happened: you used sessions for users to log in and used sessions for yourself as an admin. If so, then you must've named both sessions the same, e.g. "login" and "login".
Now, if a user is logged in as a user and goes to the admin area, the PHP script will think he already logged in as an admin, so it would give access to stuff it shouldn't.
To stop this happening again, I would rename the sessions, and make sure that they don't have the same name.....
How did I find this out? The easy way, I guess.
I was making a user manager when I discovered that I could be logged in as a user and still get access to the admin area..... After changing their names it worked correctly..
But it took a while to see why it was happening....
I hope you understand............
Posted: Mon Jun 17, 2002 6:48 pm
by lc
Well guys thanks for trying but apparently it wasn't a one off. My guess is the feller who hacked it now thinks he is master of the site and keeps coming back.
or at least it's been done again.
And I know it's insecure, but I didn't use sessions. Instead, after someone logs in, the ? variables in the links contain their login code. Same for the administrator, though not the same type of code for him.
I think the guy probably let loose a script to try out all possibilities though that would be a bit much.
So what would be the bestest way? Sessions, and with a separate session for the administrator?
Also naturally the guy downloaded the script, had a look at the code and figured out a way. I am seriously considering not giving away my scripts anymore. I don't need this.
For now I am removing the BB altogether. Don't want to come back and have to reupload half of it every day.
thx folks
Posted: Mon Jun 17, 2002 7:16 pm
by lc
Actually I just had a thought.
Wouldn't the easiest way to keep the admin functions of a script away from non-administrators be to just create a page separate from the main script page, without a link to it? Just keep no reference to it on the site, so that no one can find it except you.
Is that secure enough? Would you even need to password protect that? I mean, the only way someone could find out is by tracking your surfing or hacking your computer somehow, no? And in that case they'd probably know most of your passwords anyway?
Am I completely off target here?
I mean I really am someone who tries to always hope that no one would even want to hack anything... since I have no idea why you would.
I'd like the simplest possible solution.
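As an added example (not lc's bb code, and not qads's user manager; the function names and the users "alice" and "lc" are made up for the demo), here is the shared-flag check qads describes next to a role-based check, plus the error-display setting behind the warning e+ quoted:

```php
<?php
// Added example, not code from the original bb. It contrasts the shared-flag
// check qads describes with a role check, and turns off on-screen error output.

// Weak pattern: user login and admin login both set the same flag, so the
// admin area cannot tell an ordinary user from the administrator.
function weak_user_login(): void  { $_SESSION['login'] = true; }
function weak_admin_login(): void { $_SESSION['login'] = true; }
function weak_is_admin(): bool    { return !empty($_SESSION['login']); }

// Hardened pattern: record who logged in and which role the server granted.
// The role never comes from the URL or a form field, only from the server
// after the password check, so a login code in a "?" link is no longer needed.
function login(string $user, string $role): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh session id after a privilege change
    }
    $_SESSION['user'] = $user;
    $_SESSION['role'] = $role;       // 'user' or 'admin'
}

function is_admin(): bool {
    return ($_SESSION['role'] ?? '') === 'admin';
}

// Call at the top of every admin script. An unlinked URL is not protection:
// the script is downloadable, so the path is known to anyone who reads it.
function require_admin(): void {
    if (!is_admin()) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// The warning e+ quoted leaks server paths and script names. Keep reporting
// on, but log errors instead of printing them to the visitor.
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// CLI walk-through: an ordinary user passes the weak check but not the role check.
weak_user_login();
echo 'weak check lets a plain user into admin: ', var_export(weak_is_admin(), true), PHP_EOL;
login('alice', 'user');           // hypothetical user, constructed for the demo
echo 'role check lets a plain user into admin: ', var_export(is_admin(), true), PHP_EOL;
login('lc', 'admin');             // hypothetical admin, constructed for the demo
echo 'role check lets the admin in: ', var_export(is_admin(), true), PHP_EOL;
```

In a real script, `session_start()` runs before any of this and `require_admin()` is the first line of the admin page, not a check buried behind a link nobody is supposed to find.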
Posted: Tue Jun 18, 2002 3:20 am
by qads
These kinda things make your heart sink, don't they? But just cos of one idiot, don't stop helping others; you just have to think a bit more before you make a script next time.
It never happened to me for some reason; my scripts usually have few bugs in them too, but I test them with my friends before I upload them to my site.
So you should get people to test your scripts before you release them.
Just post your links here and I am sure people here would love to see your scripts.