This same information is also posted in the phpld forums: http://www.phplinkdirectory.com/forum/showthread.php?t=6931

In PHPLD 2 (unsure if this also applies to 2.1 and/or 3.0), it is possible to submit malicious javascript in the description, title, and owner's name fields. For example, submitting a link with the following description will cause many of the links awaiting approval to be "automatically" approved.

[Malicious code removed]

So imagine this: Joe Spammer comes along and submits a bunch of links to porn and/or drug sites, then submits a link with this javascript in the description, title, or owner's name field. You see dozens of new link emails in your inbox and log into your directory admin panel to approve or reject them. However, as soon as you click over to the Approve Links page, this javascript takes over and begins programmatically clicking all the Approve links on the page. Now you must sort through your directory to find all the links that were approved without your approval.

Fortunately, the fix is rather simple. Open your submit.php file in your favorite editor and find these lines (on or around line 125):

    $data['LAST_CHECKED'] = gmdate('Y-m-d H:i:s');
    $data['DATE_ADDED'] = gmdate('Y-m-d H:i:s');
    $data['DATE_MODIFIED'] = gmdate('Y-m-d H:i:s');

Insert these three new lines of code after them:

    $data['DESCRIPTION'] = strip_tags($data['DESCRIPTION']);
    $data['TITLE'] = strip_tags($data['TITLE']);
    $data['OWNER_NAME'] = strip_tags($data['OWNER_NAME']);

This code will strip all the html tags from the Description, Title, and Owner's Name fields (in case it wasn't obvious). As a caveat, it will also prevent your admin panel from being hidden by spammers who are currently submitting malformed html links that say crap like "My dear web designer, it is nice."
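Added example, not part of the original post or phpLD's own code: the post's strip_tags() fix on the submission path, paired with output encoding on the admin listing, which also covers rows stored before the patch and the quote characters strip_tags() leaves in place. The function names, the row layout, and the sample values are assumptions constructed for illustration.

```php
<?php
// Added illustration, not phpLD source. Field names follow the post;
// function names, markup, and sample values are constructed.

/** Input-side fix from the post: strip HTML tags from the three free-text fields. */
function sanitize_submission(array $data): array
{
    foreach (['DESCRIPTION', 'TITLE', 'OWNER_NAME'] as $field) {
        if (isset($data[$field])) {
            $data[$field] = trim(strip_tags((string) $data[$field]));
        }
    }
    return $data;
}

/** Output-side defence: encode for HTML text and quoted-attribute contexts. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Hypothetical row renderer for an "Approve Links" style admin page. */
function render_pending_row(array $link): string
{
    return sprintf(
        '<tr><td title="%s">%s</td><td>%s</td><td>%s</td></tr>',
        e($link['TITLE']), e($link['TITLE']),
        e($link['OWNER_NAME']), e($link['DESCRIPTION'])
    );
}

// Constructed submission: markup in every field, plus quote characters,
// which strip_tags() does not touch because they are not tags.
$submitted = [
    'TITLE'       => '<b>Example</b> "Site"',
    'OWNER_NAME'  => "<i>Pat O'Neil</i>",
    'DESCRIPTION' => 'A <u>constructed</u> description & nothing else.',
];

$clean = sanitize_submission($submitted);
var_dump($clean);  // tags are gone, quotes and ampersand are still present

// Links stored before the patch never passed through sanitize_submission(),
// so the renderer encodes every field no matter how the row was inserted.
echo render_pending_row($clean), "\n";      // row submitted after the patch
echo render_pending_row($submitted), "\n";  // legacy row: markup shown as inert text
```

Existing pending links in the database are not changed by the submit.php edit, so the encoding in the renderer is what protects the admin page for those rows.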
At the end of the comments section at the top of the submit.php file you will see the version number:
Nice tip! I'm often receiving malformed submissions from spammers. Your mod should address that nicely. Cheers,
Tim, it might be good if you edit your original post and remove the instructions creating malicious code. I will look into this.
I moved your post in phpLD into the moderators forum so we can investigate it. Thanks for reporting this.
A buddy of mine showed me two very interesting snippets of javascript concerning this flaw. The first would change your username and password, thus giving the hacker access and locking you out. The second changed your PayPal address, thus sending all future link payments to the hacker instead of you! If you haven't patched your directories against this yet, you could have serious issues soon.
Yet another reason why upgrading to 3.0x is in order. Speaking of which, I need to upgrade mine soon.
I understand that you guys don't want to support the free script anymore, and you're trying to sell more copies of version 3. I think you guys have done a tremendous job, and phpld is one of the best directory scripts available. Perhaps you could drive even more sales if you would release some official warning about this that showed up in the directory owner's new section of the admin panel. Leaving users completely in the dark about a security flaw smacks of bad karma. You could easily make one small bit of news that said "Version 2.xx has a security flaw, and no official patch will be released to fix it. Version 3 is free of the security flaw, and it is recommended that you upgrade."

PS - My testing of about 500 directories showed a minimum of 41% were vulnerable to this flaw. 28% were indeterminate. Using the "10,000 installs" number from the front page of www.phplinkdirectory.com, this means as many as 6900 sites are easily hackable by a spammer.
Yep, thanks anon! While this is something like a 5 on a scale of 1 to 10, I think it is pretty amazing this is the first real security flaw we've ever had, and fortunately it is easy to fix.