Serious security flaw in PHPLD 2! Here's the fix...

Discussion in 'Directories' started by Tim_Myth, Oct 17, 2006.

  1. #1
    This same information is also posted in the phpld forums: http://www.phplinkdirectory.com/forum/showthread.php?t=6931

    In PHPLD 2 (unsure if this also applies to 2.1 and/or 3.0), it is possible to submit malicious javascript in the description, title, and owner's name fields. For example, submitting a link with the following description will cause many of the links awaiting approval to be "automatically" approved.
    Malicious code removed
    So imagine this: Joe Spammer comes along and submits a bunch of links to porn and/or drug sites, then submits a link with this javascript in the description, title, or owner's name field. You see dozens of new link emails in your inbox and log into your directory admin panel to approve or reject them. However, as soon as you click over to the Approve Links page, this javascript takes over and begins programmatically clicking all the Approve links on the page. Now you must sort through your directory to find all the links that were approved without your approval.
    Fortunately, the fix is rather simple. Open your submit.php file in your favorite editor and find these lines (on or around line 125):
    	$data['LAST_CHECKED'] = gmdate('Y-m-d H:i:s');
    	$data['DATE_ADDED'] = gmdate('Y-m-d H:i:s');
    	$data['DATE_MODIFIED'] = gmdate('Y-m-d H:i:s');
    
    Insert these three new lines of code after them:
    	$data['DESCRIPTION'] = strip_tags($data['DESCRIPTION']);
    	$data['TITLE'] = strip_tags($data['TITLE']);
    	$data['OWNER_NAME'] = strip_tags($data['OWNER_NAME']);
    
    This code will strip all the html tags from the Description, Title, and Owner's Name fields (in case it wasn't obvious). As a caveat, it will also prevent your admin panel from being hidden by spammers who are currently submitting malformed html links that say crap like "My dear web designer, it is nice."
     
    Tim_Myth, Oct 17, 2006 IP
    romow and thewindmaster like this.
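
The input-side fix from the post above, paired with output encoding, since strip_tags() removes tags but leaves quotes and ampersands unencoded and can also swallow legitimate text that looks like a tag. This is an added example, not PHPLD code or the poster's; the helper names sanitize_submission() and h() are hypothetical, the sample submission is constructed, and PHP 7 or later is assumed.

```php
<?php
// Added example, not PHPLD code. Field names follow the post above;
// the helper names and the sample data are assumptions for illustration.

/** Input-side cleanup, equivalent to the three strip_tags() lines in the post. */
function sanitize_submission(array $data): array
{
    foreach (['DESCRIPTION', 'TITLE', 'OWNER_NAME'] as $field) {
        if (isset($data[$field])) {
            // Remove markup, then trim the whitespace that stripped tags leave behind.
            $data[$field] = trim(strip_tags((string) $data[$field]));
        }
    }
    return $data;
}

/** Output-side encoding for any stored value echoed into the admin panel's HTML. */
function h(string $value): string
{
    // ENT_QUOTES encodes both quote styles, so the value is also safe inside
    // an attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample submission (benign markup only).
$submitted = [
    'TITLE'       => '<b>Widgets & "Gadgets"</b>',
    'DESCRIPTION' => "<p>Joe's <i>hand-made</i> widgets</p>",
    'OWNER_NAME'  => 'Joe <Smith>', // strip_tags() treats <Smith> as a tag
];

$clean = sanitize_submission($submitted);

// Show what would be stored next to what would be sent to the browser.
foreach ($clean as $field => $value) {
    printf("%-12s stored: %-28s rendered: %s\n", $field, $value, h($value));
}
```

The stored TITLE still contains a raw ampersand and double quotes after strip_tags(); only the h() call at render time turns them into entities.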
  2. SFOD_D223

    #2
    Thanks for the info. How is it possible to tell what version of the phpld you are using?
     
    SFOD_D223, Oct 17, 2006 IP
  3. Tim_Myth

    #3
    At the end of the comments section at the top of the submit.php file you will see the version number:
     
    Tim_Myth, Oct 17, 2006 IP
  4. romow

    #4
    nice tip! I'm often receiving malformed submissions from spammers.
    Your mod should address that nicely.
    Cheers,
     
    romow, Oct 17, 2006 IP
  5. dvduval

    #5
    Tim, it might be good if you edit your original post and remove the instructions creating malicious code. I will look into this.
     
    dvduval, Oct 17, 2006 IP
  6. Tim_Myth

    #6
    Good point. :eek:
     
    Tim_Myth, Oct 17, 2006 IP
  7. dvduval

    #7
    I moved your post in phpLD into the moderators forum so we can investigate it. Thanks for reporting this.
     
    dvduval, Oct 17, 2006 IP
  8. Tim_Myth

    #8
    A buddy of mine showed me two very interesting snippets of javascript concerning this flaw. The first would change your username and password, thus giving the hacker access and locking you out. The second changed your paypal address, thus sending all future link payments to the hacker instead of you! If you haven't patched your directories against this yet, you could have serious issues soon.
     
    Tim_Myth, Oct 26, 2006 IP
  9. dkessaris

    #9
    Does this affect phpld3 as well?
     
    dkessaris, Oct 26, 2006 IP
  10. an0n

    #10
    No, 3.x is fine.
     
    an0n, Oct 26, 2006 IP
  11. loopy62

    #11
    Yet another reason why upgrading to 3.0x is in order. Speaking of which, I need to upgrade mine soon.
     
    loopy62, Oct 26, 2006 IP
  12. Tim_Myth

    #12
    I understand that you guys don't want to support the free script anymore, and you're trying to sell more copies of version 3. I think you guys have done a tremendous job, and phpld is one of the best directory scripts available. Perhaps you could drive even more sales if you would release some official warning about this that showed up in the directory owner's new section of the admin panel. Leaving users completely in the dark about a security flaw smacks of bad karma. You could easily make one small bit of news that said "Version 2.xx has a security flaw, and no official patch will be released to fix it. Version 3 is free of the security flaw, and it is recommended that you upgrade."

    PS - My testing of about 500 directories showed a minimum of 41% were vulnerable to this flaw. 28% were indeterminate. Using the "10,000 installs" number from the front page of www.phplinkdirectory.com, this means as many as 6900 sites are easily hackable by a spammer.
     
    Tim_Myth, Oct 27, 2006 IP
  13. Kevin82

    #13
    Edited the code. Thanks for the heads up, Tim.
     
    Kevin82, Oct 27, 2006 IP
  14. an0n

    #14
    Tim, you can slow down now and catch your breath. I personally patched 2.0 and 2.1 this morning.
     
    an0n, Oct 27, 2006 IP
  15. dvduval

    #15
    Yep, thanks anon!
    While this is something like a 5 on a scale of 1 to 10, I think it is pretty amazing this is the first real security flaw we've ever had, and fortunately it is easy to fix.
     
    dvduval, Oct 27, 2006 IP
  16. eDom.co.uk

    #16

    Thanks a lot!!! I've patched my directories, feel safe now... :D

    Take care,
    Michael
     
    eDom.co.uk, Oct 27, 2006 IP