More Insecure Scripts
As well as updating my Unsafe Scripts page to give more clarification about which scripts are bad and which are not (with funky icons!), I have also added two new brief reviews…
Link Up Free
Link Up Free is susceptible to more complex SQL injection through the search box: the search term is passed to the database without any sanitisation, so whatever SQL is entered there is executed as part of the query.
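To show what "lack of sanitisation" means in practice, here is an added example (not Link Up Free's own code; the `links` table and its `title`/`url` columns are assumptions) with the string-spliced search query beside a parameterised replacement, run against an in-memory SQLite database:

```php
<?php
// Added example, not Link Up Free's own code. Table and column names are
// assumptions. Shows the unsanitised search pattern the review describes
// next to a parameterised replacement, run against an in-memory SQLite DB.

// BEFORE: the search term is spliced into the SQL text, so whatever is
// typed into the search box becomes part of the statement itself.
function search_links_unsafe(PDO $db, string $term): array
{
    $sql = "SELECT title, url FROM links WHERE title LIKE '%" . $term . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// AFTER: the statement is compiled first and the term is bound as data,
// so it can never change the structure of the query. LIKE wildcards are
// escaped too, so a user typing "%" or "_" matches those characters literally.
function search_links_safe(PDO $db, string $term): array
{
    $pattern = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term) . '%';
    $stmt = $db->prepare("SELECT title, url FROM links WHERE title LIKE :p ESCAPE '!'");
    $stmt->execute([':p' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE links (title TEXT, url TEXT)");
$db->exec("INSERT INTO links VALUES ('Jem''s site', 'http://example.com/'),
                                    ('Another link', 'http://example.org/')");

// A perfectly ordinary term containing a single quote: the unsafe version
// breaks the statement (and with other input would run the attacker's SQL);
// the safe version simply searches for it.
$term = "Jem's";
try {
    search_links_unsafe($db, $term);
} catch (PDOException $e) {
    echo "unsafe query broke: " . $e->getMessage() . "\n";
}
print_r(search_links_safe($db, $term)); // one row: Jem's site
```

Requires the `pdo_sqlite` extension; the same `prepare`/`execute` pattern applies unchanged to MySQL via `pdo_mysql`.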
LittleWallOButtons
Although some effort has been made to make the script secure by using basic sanitisation, those with more advanced PHP knowledge may be able to create a malicious PHP file and give it an image extension (.gif, .jpg, etc). By linking to this dodgy file as the button URL we can bypass the extension checking and execute PHP code (much like a CAPTCHA).
Be secure people, be secure!
Jun 18th, 07 @ 22:09 

Oh, I’m glad I don’t use these scripts… The only scripts I use are phpaskit and fanupdate… Tell me they’re secure! Please?
Did you get my email with the Button Board code? If you did and haven’t gotten around to it, I’m not rushing.
You’re too awesome.
Never heard of those two scripts. I’m safe.
I’ve only ever used Waks A&A before and since no one asked me anything, I got rid of it. That was before I found out it was insecure. The only script or tool I use now is WordPress. Luckily you’re always on top when it comes to educating the web about insecure scripts!
Thank goodness for you, Jem… or, I would probably be filling my sites with bad scripts… wait, I’m not currently using any! DUH! Oh well, that page is great for future reference.
Never heard of those scripts, so I’m good.
I never heard of those scripts, luckily. Way to go Jem.
Still no safe alternative to SimpleDir?
Jem, in the case of LittleWallOButtons, how does linking to an invalid image via the XHTML img tag make the user of the script susceptible to any attacks? If it isn’t a valid image and if it is indeed a “dodgy file”, the file will be executed on the wannabe attacker’s server; the script itself will simply display a broken image. I don’t see why this deserves to be labeled as an “Insecure Script”.
Actually, speaking from personal experience, not from the script listed, but rather having a user create an injection script and save it as an image through a support script vulnerability, it is most definitely possible to execute using this method.
Jordan, the script doesn’t upload the image; it only links to an external image.
Thanks for the inclusion of the directory scripts.
Thanks for the heads up on this, Jem.
@Donnie: It’s a form of CSRF attack - although the damage would likely be limited because there is very little functionality etc. in LittleWallOButtons, it would probably be possible to steal the cookie of the admin user, thus gaining access to the control panel. There’s not as much info on the ’net about CSRF as there is XSS, but it’s there all the same. Suggested reading: http://www.tux.org/~peterw/csrf.txt I sent you more links via e-mail, some interesting reading for sure!
Thanks for the tips! I’m very glad that I do not use any of these scripts though!
Jem, I e-mailed my reply. I don’t “think” the problem lies with LittleWallOButtons; however, if Lirae stripped the query string off of the URL, the example attack I gave in the e-mail would be difficult to execute unless an admin/control panel uses SEO-friendly URLs (most don’t, however).
Just wondering what are the insecurities of using scripts such as Cutenews?