Jun 18 2007

More Insecure Scripts

As well as updating my Unsafe Scripts page to clarify which scripts are bad and which are not (with funky icons!), I have also added two new brief reviews…

Link Up Free
Link Up Free is susceptible to SQL injection, of a more complex kind, through the search box: the search term is not sanitised before it is put into the query, so whatever SQL is entered there is executed by the database.
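The search-box flaw described above, as an added example that is not Link Up Free's own code: a search built by string concatenation beside the same search with a bound parameter, run against a constructed in-memory SQLite table (the table, rows and admin account are assumptions made for the demonstration).

```php
<?php
// Added example, not Link Up Free's own code. It assumes a links table
// searched with LIKE on a user-supplied term; the table, rows and admin
// account below are constructed in an in-memory SQLite database so that the
// example runs offline.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE links (id INTEGER PRIMARY KEY, title TEXT, approved INTEGER)");
$db->exec("CREATE TABLE admins (username TEXT, password TEXT)");
$db->exec("INSERT INTO links (title, approved) VALUES ('Button wall', 1), ('Pending site', 0)");
$db->exec("INSERT INTO admins VALUES ('admin', 'hunter2')");

// Vulnerable: the search term is concatenated into the SQL string, so a quote
// in the term ends the string literal and the rest is parsed as SQL.
function search_vulnerable(PDO $db, string $term): array
{
    $sql = "SELECT title FROM links WHERE approved = 1 AND title LIKE '%" . $term . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the term travels as a bound parameter and can only ever be data.
// The LIKE wildcards are escaped as well, so a bare '%' cannot list everything.
function search_safe(PDO $db, string $term): array
{
    $pattern = '%' . strtr($term, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']) . '%';
    $stmt = $db->prepare("SELECT title FROM links WHERE approved = 1 AND title LIKE ? ESCAPE '\\'");
    $stmt->execute([$pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$attacks = [
    // closes the quoted pattern and makes the WHERE clause always true
    "%' OR 1=1 --",
    // closes the pattern and bolts a second query onto the result set
    "%' UNION SELECT password FROM admins --",
];

foreach ($attacks as $term) {
    echo "search term: $term\n";
    echo "  vulnerable: " . implode(', ', search_vulnerable($db, $term)) . "\n";
    echo "  safe:       " . implode(', ', search_safe($db, $term)) . "\n";
}
```

Run it with `php` (it needs the pdo_sqlite extension). The concatenated version returns the unapproved row for the first term and the admin password for the second; the bound version returns nothing for either, because no title contains the literal attack text. Escaping the LIKE wildcards is a separate matter from injection, but without it a bare `%` lists every approved row.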

LittleWallOButtons
Although some effort has been made to make the script secure by using basic sanitisation, the check on the button URL only looks at the file extension. Anyone with a little PHP knowledge can write a malicious PHP script and serve it under an image extension (.gif, .jpg, etc), in the same way that a CAPTCHA image is generated by a script; linking to that file as the button URL gets past the extension check. Bear in mind that the PHP itself runs on the server hosting the file, not on the site showing the button; what the button wall passes on to its visitors is whatever that URL does when their browser requests it (see the comments on this post). (Unable to execute a proof of concept; see On Being Wrong)
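What the button URL actually exposes, as an added example that is not LittleWallOButtons' own code (the extension regex, the way the URL is printed and the sample submissions are assumptions): a filename-extension check followed by raw output, beside a version that validates the URL and escapes it. The comparison shows why the extension check on its own is no protection, and where the real limit lies.

```php
<?php
// Added example, not LittleWallOButtons' own code. It assumes the script
// accepts a button URL and later prints it inside an <img> tag; the sample
// submissions are constructed for the demonstration.
declare(strict_types=1);

const IMAGE_EXT = '/\.(gif|jpe?g|png)$/i';

// Vulnerable: a filename-extension check on the whole string, then the URL
// is echoed raw. Nothing stops the value from closing the src attribute, and
// the extension says nothing about what the remote server will actually serve.
function render_vulnerable(string $url): ?string
{
    if (!preg_match(IMAGE_EXT, $url)) {
        return null;
    }
    return '<img src="' . $url . '" alt="button" />';
}

// Hardened: require a well-formed absolute http(s) URL, check the extension on
// the path only, then HTML-escape before output. This keeps the markup intact;
// it cannot vouch for the bytes the remote host returns (a .gif path may be a
// script, or a redirect), so the site's own control panel must never perform
// actions on a plain GET.
function render_safe(string $url): ?string
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return null;
    }
    if (!preg_match(IMAGE_EXT, $parts['path'] ?? '')) {
        return null;
    }
    return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" alt="button" />';
}

$submissions = [
    // an ordinary button
    'http://example.org/button.gif',
    // attribute breakout that still ends in .gif, so the naive check passes it
    'http://example.org/x.gif" onerror="alert(document.cookie)" data-x=".gif',
    // not an image at all, but the naive check only looks at the last characters
    'javascript:alert(1)//.gif',
];

foreach ($submissions as $url) {
    echo "submitted: $url\n";
    echo "  vulnerable: " . var_export(render_vulnerable($url), true) . "\n";
    echo "  safe:       " . var_export(render_safe($url), true) . "\n";
}
```

The naive version passes both crafted submissions, because the check only looks at the last characters of the string; the hardened version rejects them outright, and would escape the quotes if one ever got through validation. Even so, a URL that ends in .gif can be served by a script or answer with a redirect to any address, and the browser follows it carrying the visitor's cookies for that address. That is the CSRF angle raised in the comments, and it is closed in the control panel (no state changes on GET, a token on each form), not in the button wall.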

Be secure people, be secure!

Warning

This post is over 6 months old. This means that, despite my best intentions, it may no longer be accurate. Age, motherhood, experience, loss... these things have all changed me from when this blog was started back in the heady (ha) days of my youth.

As much as I would like to go back and edit 10 years of archives to provide an insight into the 'me' of now — to update coding snippets and revise website advice — it would probably take years to do so (by which point I'd have to start again!). This would defeat the point of keeping these archives anyway.

Please take these posts for what they are: a brief look into my past, my history, my journey.

18 Responses so far
  1. Rachael says: June 18, 2007 at 9:32 pm

    Oh I’m glad I don’t use these scripts… The only scripts I use are phpaskit and fanupdate… tell me they’re secure! please?

  2. Bubs says: June 18, 2007 at 9:41 pm

    Did you get my email with the Button Board code? If you did and haven’t gotten around to it, I’m not rushing :)

  3. Chrissy says: June 18, 2007 at 10:09 pm

    You’re too awesome. :)

  4. Amanda says: June 18, 2007 at 10:34 pm

    Never heard of those two scripts. I’m safe. :P

  5. Aaron says: June 18, 2007 at 11:53 pm

    I’ve only ever used Waks A&A before and since no one asked me anything, I got rid of it. That was before I found out it was insecure. The only script or tool I use now is WordPress. Luckily you’re always on top when it comes to educating the web about insecure scripts!

  6. Sara says: June 19, 2007 at 12:38 am

    Thank goodness for you, Jem… or, I would probably be filling my sites with bad scripts… wait, I’m not currently using any! DUH! Oh well, that page is great for future reference. :D

  7. Darren says: June 19, 2007 at 1:02 am

    Never heard of those scripts, so I’m good. :)

  8. Jessica says: June 19, 2007 at 3:06 am

    I never heard of those scripts, luckily. Way to go Jem. :)

  9. Nyx says: June 19, 2007 at 3:44 am

    Still no safe alternative to SimpleDir? :(

  10. Donnie says: June 19, 2007 at 4:34 am

    Jem, in the case of LittleWallOButtons, how does linking to an invalid image via the XHTML img tag make the user of the script susceptible to any attacks? If it isn’t a valid image and if it is indeed a “dodgy file”, the file will be executed on the wanna-be attacker’s server; the script itself will simply display a broken image. I don’t see why this deserves to be labeled as an “Insecure Script”.

  11. Jordan says: June 19, 2007 at 4:43 am

    Actually, speaking from personal experience, not from the script listed, but rather having a user create an injection script and save it as an image through a support script vulnerability, it is most definitely possible to execute using this method.

  12. Donnie says: June 19, 2007 at 4:56 am

    Jordan, the script doesn’t upload the image; it only links to an external image.

  13. Amber says: June 19, 2007 at 5:56 am

    Thanks for the inclusion of the directory scripts. :)

  14. Tanya says: June 19, 2007 at 7:25 am

    Thanks for the heads up on this, Jem.

  15. Jem says: June 19, 2007 at 7:55 am

    @Donnie: It’s a form of CSRF attack – although the damage would likely be limited because there is very little functionality etc in LittleWallOButtons, it would probably be possible to steal the cookie of the admin user thus gaining access to the control panel. There’s not as much info on the ‘net about CSRF as there is XSS, but it’s there all the same. Suggested reading: http://www.tux.org/~peterw/csrf.txt I sent you more links via e-mail, some interesting reading for sure!

  16. Chris Allen says: June 19, 2007 at 8:15 am

    Thanks for the tips! I’m very glad that I do not use any of these scripts though! :)

  17. Donnie says: June 19, 2007 at 4:22 pm

    Jem, I e-mailed my reply. I don’t “think” the problem lies with LittleWallOButtons; however, if Lirae stripped the query string off of the URL, the example attack I gave in the e-mail would be difficult to execute unless an admin/control panel uses SEO-friendly URLs (most don’t, however).

  18. Louise says: June 20, 2007 at 2:26 am

    Just wondering what are the insecurities of using scripts such as Cutenews?