1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

Warning for IndexScript powered directory owners

Discussion in 'Directories' started by mariush, Oct 6, 2007.

0
  1. #1
    I have noticed in my directory a lot of directories submitted that were hacked because of an exploit that was recently published:

    http://secunia.com/advisories/26218/

    Webmasters using IndexScript should update to the latest version, so that they are not vulnerable.
    Also, you should remove the Powered by Indexscript in the footer or convert that text to an image because hackers can use that phrase to find directories to hack.

    Sorry if it was already said or if it's the wrong category, I can't think of a better one right now.

    Fix appears to be here: http://www.indexscript.com/forum/showthread.php?t=2266 (though from what i read in the forum post he's somewhat lousy at programming php)
     
    mariush, Oct 6, 2007 IP
  2. Colbyt

    Colbyt Notable Member

    Messages:
    3,224
    Likes Received:
    185
    Best Answers:
    0
    Trophy Points:
    210
    #2
    I really take offense at what you have said in this post.

    First off this is very old news. The script was fixed the same day the problem was discovered.

    The programmer chose to be modest and admit that he made a mistake. And you want to make a big deal out it.

    If you were a regular user and visitor to the indexscipt site you would have know about this and had the fix the first day the problem occurred.
     
    Colbyt, Oct 6, 2007 IP
    silencer likes this.
  3. malcolm1

    malcolm1 Prominent Member

    Messages:
    7,148
    Likes Received:
    758
    Best Answers:
    0
    Trophy Points:
    310
    #3
    Agreed Index script or daboss here at DP, had a fix within 24 hours as i have one of their scripts ;)

    thx
    malcolm
     
    malcolm1, Oct 6, 2007 IP
    silencer likes this.
  4. silencer

    silencer Notable Member

    Messages:
    1,062
    Likes Received:
    233
    Best Answers:
    0
    Trophy Points:
    230
    #4
    I think the onus is more on the directory owner here. We had to remove a few directories in our last update, because they remain hacked despite the fix being available.

    You can't blame the programmer if the owners won't employ the fix.
     
    silencer, Oct 6, 2007 IP
  5. mariush

    mariush Peon

    Messages:
    562
    Likes Received:
    44
    Best Answers:
    0
    Trophy Points:
    0
    #5
    The last update to Secunia advisory was two months ago and even so, I still see hacked directories when I review old submissions or directories submitted only a week or so ago. I don't think it's bad to remind people and I don't see why it bothers you so much, considering there are worse offenders than me.
    I don't have anything with the programmer, it's just that his method of fixing the issue shown in the forum does not make me trust him more, that he would be able to fix other vulnerabilities.

    You don't fix something like this by looking by adding in the function with problems code like this:

    
  if(stristr($temp, "dir_login")) {
    $temp = "";
  }
    PHP:
    which essentially looks in the string for "dir_login" and clears the string if dir_login is found.
    To make an example, if I'd probably submit the website "http://www.mydir_login.com" the escape function will now clear the url before submitting to the database because it contains the string "dir_login".
    I didn't check the script in detail because I don't use it, I write my own scripts, so it may not be true what I say anymore.

    An easier way to fix this exploit would have been to teach users how to remove UNION right in mySQL and to properly test if the received parameter was a number, not a string.
     
    mariush, Oct 7, 2007 IP