I downloaded this script and it looks great BUT i was informed by my hosting company that it is VULNERABLE . . . LOL what ever that means. im not to fimiliar with php and searched for secure index.php in and secure php pages in google but didnt really get any help so here it is . . . I dunno even what i am really looking for . . . OKAY I MIGHT HAVE FOUND SOMETHING . . . i just pasted this code in here and saw "include($file);" and in something i ran across in google said to replace that line with something else on here it looks like i can just erase it and it wont do any harm BUT is this the HAZARD ? <? require ("config.php"); include("functions.php"); if(!isset($cmd))$cmd=1; switch($cmd) { case 1:$file="mainpage.php"; if(!empty($vote)&&(!empty($photoid))) { $id=$photoid; if(isset($ratingcookie)) { if(!(strpos($ratingcookie,"*$id*")===false)) { $msg="You have already rated this!"; } } if(isset($vote)) { if(isset($ratingcookie)) { $ratingcookie=$ratingcookie."*$id*"; setcookie("ratingcookie",$ratingcookie); } else { $ratingcookie="*$id*"; setcookie("ratingcookie",$ratingcookie); } submitRating($id,$vote); $msg="Your rating has been submitted!"; } $username=""; } break; case 2:$file="signup.php"; if(isset($username)) { $validcode=""; $sql="select * from members where username='$username'"; $res=mysql_query($sql); if(mysql_num_rows($res)) { $err=true; } else { $act=getSetting("AUTOSIGNUP"); if($act=="Y") { $active=1; } else { $active=0; $validcode=generateCode(); } $sql="insert into members(username,password,email,age,gender,about,city,country,msn,active,aol,yahoo,icq,fname,lname,commentemail,messageemail,validcode,joindate) values('$username','$password','$email',$age,'$gender','$about','$city','$country','$msn',$active,'$aol','$yahoo','$icq','$fname','$lname','$commentemail','$messageemail','$validcode',now())"; $res=mysql_query($sql); $uniqid=mysql_insert_id(); if($act=="Y") { $template=getTemplate("NEWMEMBER"); $template=str_replace("%username%",$username,$template); $template=str_replace("%password%",$password,$template); sendHTMLmail($adminemail,$email,"Welcome to $urldomain",$template); $newmember=true; $file="login.php"; } else { $template=getTemplate("EMAILVALIDATION"); $template=str_replace("%username%",$username,$template); $template=str_replace("%password%",$password,$template); $template=str_replace("%validcode%",$validcode,$template); sendHTMLmail($adminemail,$email,"Validation Code from $urldomain",$template); $file="validcode.php"; } } } break; case 3:$file="login.php"; if(isset($username)) { $sql="select password,active from members where username='$username'"; $result=mysql_query($sql); while($row=mysql_fetch_array($result)) { $dbpass=$row[0]; $active=$row[1]; } if($dbpass==$password) { if($active==2) { $error="wu"; $file="login.php"; } else if($active==0) { $file="validcode.php"; } else { session_start(); $ses_username=$username; session_register("ses_username"); if(empty($repusername)&&empty($rphid)) { $username=""; $file="mainpage.php"; } else if(!empty($repusername)) { $username=$repusername; $file="sendmessage.php"; } else if(!empty($rphid)) { $phid=$rphid; $file="postcomment.php"; } } } else { $error="wu"; $file="login.php"; } } break; case 4:$file="validcode.php"; if(isset($username)) { $sql="select * from members where username='$username' and password='$password' and validcode='$validcode'"; $result=mysql_query($sql); if(mysql_num_rows($result)) { $sql="update members set active=1 where username='$username'"; $updated=true; mysql_query($sql); session_start(); $ses_username=$username; session_register("ses_username"); $username=""; $file="myphotos.php"; } else { $error="wu"; } } break; case 5:$file="editprofile.php"; include("checksession.php"); if(isset($password)) { if($commentemail=="")$commentemail="N"; if($messageemail=="")$messageemail="N"; $sql="update members set password='$password',email='$email',age=$age,gender='$gender',about='$about',city='$city',country='$country',msn='$msn',aol='$aol',yahoo='$yahoo',icq='$icq',fname='$fname',lname='$lname',commentemail='$commentemail',messageemail='$messageemail' where username='$ses_username'"; $updated=true; mysql_query($sql); } break; case 6:$file="myphotos.php"; //include("checksession.php"); if(isset($addpic)) { $approved=getSetting("APPROVEPIC"); if(!empty($url)) { $sql="insert into photos(url,filename,username,upldate,approved) values('$url','$filename','$ses_username',now(),'$approved')"; $res=mysql_query($sql); } else if(!empty($uppic_name)) { $allowable=getSetting("ALLOWEDFORMATS"); $allowablearr=split(",",$allowable); $allowedType=0; $ext=strchr($uppic_name,"."); if(in_array($ext,$allowablearr))$allowedType=1; if($allowedType==1) { $fileid=generateShortCode(); $filename=$ses_username.$fileid.$ext; $copytofile="pics/$filename"; copy($uppic,$copytofile); @unlink($uppic); $sql="insert into photos(url,filename,username,upldate,approved) values('$url','$filename','$ses_username',now(),'$approved')"; $res=mysql_query($sql); } else { @unlink($uppic); $uperror="Format not supported!"; } } if($approved=="Y") { $error="Image has been added."; } else if($error=="") { $error="Image is awaiting approval."; } } break; case 7:$file="inbox.php"; include("checksession.php"); if(isset($rowcount)) { for($i=0;$i<$rowcount;$i++) { if(isset($chk[$i])) { $sql="delete from messages where messagesid=$chk[$i]"; mysql_query($sql); } } } break; case 8:$file="viewmessage.php"; if(isset($delid)) { $sql="delete from messages where messagesid=$delid"; mysql_query($sql); $cnarr=getPrevNextMessages($delid); $nextid=$cnarr[1]; if($nextid==0) { $file="inbox.php"; } else { $msgid=$nextid; } } include("checksession.php"); break; case 9:$file="replymessage.php"; include("checksession.php"); if(isset($tousername)) { $sql="insert into messages(message,fromusername,tousername,upldate,subject) values('$message','$ses_username','$tousername',now(),'$subject')"; newMessageSent($ses_username,$tousername); $res=mysql_query($sql); $mheading="Message sent"; $mmessage="Your message has been sent to $tousername"; $file="displaymessage.php"; } break; case 10:$file="viewpics.php"; break; case 11:$file="searchresults.php"; break; case 12:$file="postcomment.php"; $rphid=$phid; include("checksession.php"); if(isset($comment)) { $approved=getSetting("APPROVECOMMENTS"); $sql="insert into comments(comment,photosid,byusername,approved,postdate) values('$comment',$phid,'$ses_username','$approved',now())"; newCommentPosted($ses_username,$phid); $res=mysql_query($sql); $mheading="Comments saved"; $mmessage="Your comments has been saved!"; $file="displaymessage.php"; } break; case 19:$file="sendmessage.php"; $repusername=$username; include("checksession.php"); break; case 20:$file="viewprofile.php"; break; case 21:$file="myphotos.php"; include("checksession.php"); $sql="select * from photos where photosid=$id"; $res=mysql_query($sql); while($obj=mysql_fetch_object($res)) { if($obj->filename!="")@unlink("pics/$obj->filename"); } $sql="delete from photos where photosid=$id"; $res=mysql_query($sql); break; case 22: session_destroy(); $ses_username=""; $username=""; $file="mainpage.php"; break; } include("header.php"); ?> <div align="left"> <table border="0" cellpadding="0" cellspacing="0" width="100%"> <tr> <td width="80%" align="left" valign="top"> <? include($file); ?> </td> </tr> </table> <br> </div> <div align="left"> <? include("footer.php"); ?> <? include("conclose.php"); ?>
Having a quick look, seems you don't sanitize $username input. You can get SQL Injection on that query. But the include($file) was REALLY more dangerous. You can try $username = mysql_real_escape_string($username) in the beginning of the second option, just before the SQL sentence.
include($file) is a potential security risk because if register_globals and allow_url_fopen are turned on, then a user can manipulate $file and other variables to prevent $file being assigned anything else and have an url to an offsite file containing malicious code be executed. You should be able to prevent this by putting if (stripos('http://',$file) !== false) { $file = ''; } PHP: Either at the start of your code or right before the include($file);
LOL and it sort of stinks because it looks quite nice . . . its JNS Hosts hot or not clone http://www.jnshosts.com/downloads/hot-or-not-clone-script/index.php im starting to think even if i some how piece together this file OTHERS will have the same code somewhere . . .
This is what makes a webhosts life hard. how many people are using that free script I wonder? Your host is damn right to have warned you.
Take a look at these 3 security articles to help you fix up your errors and make you more security conscious : 1 2 3