
planetluc.com discussion board

all about the planetlu.com scripts


Announcement

I had to clean the boards due to massive spam. Actually I deleted everything/everyone after 1st Oct 2008. It was the only way to get this spam out of the boards. So I'm sorry for all serious users who registered/posted meanwhile.

#1 05-02-2007 06:21:21

jcliff
Member
Registered: 11-05-2006
Posts: 18

security exploit

My web host just informed me for the 2nd time in the past few months, that the script was used to send unsolicited emails. Is there a patch to fix any recent security issues anyone else has experienced?


#2 15-02-2007 21:04:18

jcliff
Member
Registered: 11-05-2006
Posts: 18

Re: security exploit

I've communicated with one other user of this script and they indicated experiencing this security problem as well.

I'm not exactly sure how a hacker somehow uses the script to send spam from my website server; in any event, Lukas replied to a recent email of mine indicating that it's not something he has the time to work on right now, but suggested that if I or anyone finds/writes a solution, they post it here.

Any help from another user familiar with the problem is much appreciated.


#3 16-02-2007 19:47:40

admin
Administrator
From: Winterthur, Zurich, Switzerland
Registered: 25-11-2004
Posts: 462
Website


#4 16-02-2007 20:29:43

jcliff
Member
Registered: 11-05-2006
Posts: 18

Re: security exploit

Perhaps the following will shed light on the security problem (from an email from my webhost):

We have a firewall in place which monitors all activity; we can track and see which processes are running and their root path.

At the time of the exploit, this is what we found (listed below). As soon as we removed permissions to the “photo” folder, the exploit immediately stopped. We had a couple of processes running at the same time and a massive amount of phishing emails were being relayed through your account.

Here are the files which were being executed at the time.

/pathtoscript/photo/

OLDadmin.inc.php
add.inc.php
admin.inc.php
edit.inc.php
funcs.inc.php
showres.inc.php


It appears CHMOD is not the issue with the script.

Last edited by jcliff (16-02-2007 20:31:51)


#5 17-02-2007 00:22:09

martin
Member
Registered: 29-07-2005
Posts: 12

Re: security exploit

I am the other user who contacted Lukas from planetluc regarding this issue.

My server was severely compromised due to the security hole in RATEME.  Hackers were able to infiltrate my server, install hacks that would send out tons of spam containing links to phishing sites that they installed on my server through RATEME.

The hackers then installed additional hacks on my server which allowed them to view the entire directory of my server, all files, etc. 

Users of RATEME should be informed about the severity of this issue.


The fact that the author of this script is not inclined to show support for this script clearly shows a lack of understanding on how serious the issue is.  Furthermore, it also clearly shows that security is not an important issue for the author, which leads me to believe serious security holes could very well be present in the other scripts sold on this website.  And if they do, you will likely not receive support for any of your troubles...


#6 17-02-2007 00:29:32

admin
Administrator
From: Winterthur, Zurich, Switzerland
Registered: 25-11-2004
Posts: 462
Website

Re: security exploit

RateMe is (better 'was') the only script on this server you had to pay for. Any other scripts are free. And maybe yes, maybe there are security lacks in those scripts, but you use those scripts at your own risk.


#7 17-02-2007 00:32:58

admin
Administrator
From: Winterthur, Zurich, Switzerland
Registered: 25-11-2004
Posts: 462
Website

Re: security exploit

Sure - I apologise for all inconveniences that occurred using this script. But let's be honest, you cannot expect a 16 dollar script to work as flawlessly and securely as a $200 script does. Right?

When I did this script I could not consider all eventualities of a hacker to abuse it.


#8 17-02-2007 02:42:29

jcliff
Member
Registered: 11-05-2006
Posts: 18

Re: security exploit

Personally, I'm not nearly as disappointed in the fact that a security exploit existed.  Shit happens and it's not like it was intended.  The impact of being hacked sucks, but it happens, it's a constant battle on the web.  It would be unfair and unrealistic to expect such a problem emerging not being possible.

I find the indifference expressed by the response of "I'm busy" much more troubling.  Who's not busy?

Whether the script costs $1 or $100, whether future releases were planned or not, I find the notion that someone capable of authoring the script doesn't have even a mere matter of hours to at least investigate potential solutions, offer suggestions, collaborate with others that purchased the script, etc...well...irritating to be kind.


#9 17-02-2007 11:16:12

admin
Administrator
From: Winterthur, Zurich, Switzerland
Registered: 25-11-2004
Posts: 462
Website

Re: security exploit

Ok guys, let's try this as a fix (I'm not too sure whether this solves all our problems but let's try).

1. open add.inc.php
2. go to line 23 and add the following before it

Code:

    // security addition
    // The posted condition compared against "image/jpeg" twice; the second
    // value is assumed to have been meant as "image/pjpeg", which some
    // browsers send for JPEG uploads. Note that $_FILES[...]['type'] is
    // supplied by the browser and is not verified by PHP.
    if ($_FILES['picture']['type'] != "image/jpeg" && $_FILES['picture']['type'] != "image/pjpeg"){
        $error .= "Please upload a JPG file.";
    }
    //

this should at least check whether it is a JPG file that is being uploaded.

3. then we do about the same in edit.inc.php, so open it
4. go to line 26 and replace it by

Code:

// The upload field in edit.inc.php is 'newpic' (as the size check shows), so the
// type is read from the same entry; the duplicated "image/jpeg" is again assumed
// to have been meant as "image/pjpeg".
if ($_FILES['newpic']['size']<$maxpicsize && ($_FILES['newpic']['type'] == "image/jpeg" || $_FILES['newpic']['type'] == "image/pjpeg")){

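A server-side alternative to the browser-supplied type test, added here as an example (not code from the RateMe script): it checks the bytes actually written to disk with getimagesize() and chooses the stored file name itself. It assumes PHP 7.1+ with GD available for the demo image; `validate_jpeg_upload`, `stored_picture_name` and `$maxBytes` are names of this example.

```php
<?php
// Added example, not code from the RateMe script. $_FILES[...]['type'] comes
// from the browser and is not verified by PHP, so the bytes on disk are checked
// instead. Returns null when the upload is an acceptable JPEG, else an error text.
function validate_jpeg_upload(array $file, int $maxBytes): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'Upload failed.';
    }
    // In the real handler also require is_uploaded_file($file['tmp_name']);
    // it is omitted here only so the demo below can run on local temp files.
    if (filesize($file['tmp_name']) > $maxBytes) {
        return 'File too large.';
    }
    // A JPEG starts with FF D8 FF; reject everything else before parsing it.
    if (file_get_contents($file['tmp_name'], false, null, 0, 3) !== "\xFF\xD8\xFF") {
        return 'Please upload a JPG file.';
    }
    // getimagesize() walks the JPEG marker structure, so a file that merely
    // starts with the three signature bytes is still rejected.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return 'Please upload a JPG file.';
    }
    return null;
}

// Choose the stored name ourselves: the client-supplied name is never reused,
// so the extension on disk is always .jpg.
function stored_picture_name(string $dir): string
{
    return $dir . '/' . bin2hex(random_bytes(8)) . '.jpg';
}

// Demo on two constructed files: a real 4x4 JPEG from GD and a file that only
// carries the signature bytes followed by filler.
$real = tempnam(sys_get_temp_dir(), 'pic');
imagejpeg(imagecreatetruecolor(4, 4), $real);
$fake = tempnam(sys_get_temp_dir(), 'pic');
file_put_contents($fake, "\xFF\xD8\xFF" . str_repeat('x', 64));

foreach ([$real => null, $fake => 'Please upload a JPG file.'] as $path => $expected) {
    $entry = ['tmp_name' => $path, 'error' => UPLOAD_ERR_OK];
    $result = validate_jpeg_upload($entry, 500000);
    echo basename($path), ': ', var_export($result, true),
         ($result === $expected ? ' (as expected)' : ' (UNEXPECTED)'), PHP_EOL;
}
echo 'would be stored as ', stored_picture_name('photo'), PHP_EOL;
unlink($real); unlink($fake);
```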

#10 23-02-2007 04:58:46

jcliff
Member
Registered: 11-05-2006
Posts: 18

Re: security exploit

http://securitytracker.com/alerts/2006/Dec/1017431.html

This article, dated Dec 21 2006, seems to refer to the security exploit.

It also indicates a fix is available.  Was that information updated and does it reference what's been posted here?


A few other sites tracking the security issue in late December collected here:

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6648

Last edited by jcliff (23-02-2007 05:17:55)


#11 26-02-2007 15:47:54

admin
Administrator
From: Winterthur, Zurich, Switzerland
Registered: 25-11-2004
Posts: 462
Website

Re: security exploit

No, the quick fix above does not cover this security hole.


#12 07-03-2007 05:19:29

jcliff
Member
Registered: 11-05-2006
Posts: 18

Re: security exploit

The '/forum/main.inc.html' script does not properly validate user-supplied input in the 'pathtoscript' parameter.

A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location.

As is, anyone that has purchased this script can no longer use it.

Is there any chance a modification to that one file could be provided?


#13 07-03-2007 10:52:14

admin
Administrator
From: Winterthur, Zurich, Switzerland
Registered: 25-11-2004
Posts: 462
Website

Re: security exploit

well, another quick fix is:

- open the main.inc.php file
- go to the beginning of the code, about line 14
- add following code block

Code:

// security fix for the pathtoscript issue
// parse_url() reports a scheme only when it appears at the very start of its
// input, so the raw value is parsed rather than a "/forum/.../index.html"
// string built around it (the posted line was also missing the quotes).
$pinfo = parse_url($pathtoscript);
if ($pinfo !== false){
    if (isset($pinfo['scheme'])) die("Bad path settings!");
}

- save it
- upload it onto your server again

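A check that confines the include to the local install directory, added here as an example and not code from the RateMe forum script: it first shows that parse_url() never reports a scheme once the value is embedded in a "/forum/<value>/index.html" string, then resolves the candidate with realpath() and accepts it only if it stays below the install directory. `$pathtoscript`, `/forum` and `main.inc.php` are the names used in this thread; the "install directory plus file" layout, `scheme_seen_after_prefix` and `resolve_local_include` are assumptions of this example.

```php
<?php
// Added example, not code from the RateMe forum script. The directory layout
// <base>/<pathtoscript>/<file> is assumed for illustration.

// parse_url() only reports a scheme found at the very start of its input, so
// a "/forum/<value>/index.html" string never sets $pinfo['scheme'], whatever
// the value contains.
function scheme_seen_after_prefix(string $pathtoscript): bool
{
    $pinfo = parse_url("/forum/$pathtoscript/index.html");
    return is_array($pinfo) && isset($pinfo['scheme']);
}

// Resolve the candidate inside $baseDir and accept it only if the result is
// still below $baseDir. Remote URLs, stream wrappers and ".." segments all
// fail this single structural test, so no list of bad patterns is needed.
function resolve_local_include(string $baseDir, string $pathtoscript, string $file): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $pathtoscript === '' || strpos($pathtoscript, ':') !== false) {
        return null;   // a local directory name never legitimately contains ':'
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $pathtoscript . DIRECTORY_SEPARATOR . $file);
    if ($target === false || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;   // missing, or resolved outside the install directory
    }
    return $target;    // safe to hand to include()
}

// Demo on a constructed layout: <tmp>/forum/myinstall/main.inc.php
$root = sys_get_temp_dir() . '/rateme_demo_' . bin2hex(random_bytes(4));
mkdir("$root/forum/myinstall", 0700, true);
touch("$root/forum/myinstall/main.inc.php");

// The prefix hides the scheme from parse_url(), so this check is never triggered.
var_dump(scheme_seen_after_prefix('http://host.example/dir'));
// The legitimate install resolves to a path below <tmp>/forum.
var_dump(resolve_local_include("$root/forum", 'myinstall', 'main.inc.php'));
// A remote address is rejected by the ':' rule before realpath() is even called.
var_dump(resolve_local_include("$root/forum", 'http://host.example/dir', 'main.inc.php'));
// A traversal leaves the base directory and is rejected by the prefix comparison.
var_dump(resolve_local_include("$root/forum", '../..', 'main.inc.php'));

unlink("$root/forum/myinstall/main.inc.php");
rmdir("$root/forum/myinstall"); rmdir("$root/forum"); rmdir($root);
```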

#14 07-03-2007 16:45:53

jcliff
Member
Registered: 11-05-2006
Posts: 18

Re: security exploit

Thanks!

I've made the change and contacted my website hosting company to let them know we have something to test/run.


#15 07-03-2007 19:43:44

admin
Administrator
From: Winterthur, Zurich, Switzerland
Registered: 25-11-2004
Posts: 462
Website

Re: security exploit

OK, let us know whether this works effectively.


#16 11-03-2007 06:55:27

jcliff
Member
Registered: 11-05-2006
Posts: 18

Re: security exploit

So far so good -- the script is working, and being monitored by my webhost -- no reported hacks.


#17 11-03-2007 17:23:58

admin
Administrator
From: Winterthur, Zurich, Switzerland
Registered: 25-11-2004
Posts: 462
Website

Re: security exploit

Fine.


#18 02-05-2007 15:00:41

martin
Member
Registered: 29-07-2005
Posts: 12

Re: security exploit

Hi guys,
any news on this issue?
I received an email a few weeks ago from jcliff mentioning that the fix listed above was not enough according to his server admins.

Here is something I have found: http://www.securityfocus.com/archive/1/454708

Luc, any idea how we could patch the script further to make it really secure?   

I hate to insist, but I didn't find any other script out there that has the simplicity I need from rateme.

Thanks,


#19 09-08-2007 03:54:28

jcliff
Member
Registered: 11-05-2006
Posts: 18

Re: security exploit

I've been informed by my webhost that the script has been exploited recently.

Has there been any modification to the code since the last problem?

Has anyone else experienced this problem (as I recall, the last time this began happening several sites had reports about the exploit and how it was happening)?


#20 18-08-2007 02:46:29

jcliff
Member
Registered: 11-05-2006
Posts: 18

Re: security exploit

Excuse me, but I find it troubling to read new posts regarding the sale of this script, and I understand that ongoing support has been offered as some sort of "buyer beware" -- but with a known security issue (as has been linked previously in this thread months ago), I would think the issue would be addressed more promptly.

Is the "fix" at this point to merely hope that the script doesn't get hacked???


#21 18-08-2007 08:58:52

admin
Administrator
From: Winterthur, Zurich, Switzerland
Registered: 25-11-2004
Posts: 462
Website

Re: security exploit

Well, the exploit described in the link two posts ago was fixed.


#22 19-08-2007 06:35:54

jcliff
Member
Registered: 11-05-2006
Posts: 18

Re: security exploit

admin wrote:

Well, the exploit described in the link two posts ago was fixed.

I'll try to get more details in terms of how, but as it was explained to me by my webhost, they've shut the directory down in which the script was located because it was exploited again.


#23 19-08-2007 11:12:43

admin
Administrator
From: Winterthur, Zurich, Switzerland
Registered: 25-11-2004
Posts: 462
Website

Re: security exploit

...maybe some specific info from your hosting company would help improve this script.

