Unsafe PHP Scripts

In my spare time I like to review free PHP scripts. This is a log of my findings.

Guestbooks

SimpBook

SimpBook, one of the old CodeGrrl scripts, not only contains a cross site scripting vulnerability (as with PHPFanBase/etc) but also has no validation of user input, which is inserted straight into the database. This means that anyone can insert JavaScript, PHP or HTML into the database, which can be used to interfere with the script and wipe your databases. (This can occur even when “allow HTML” is turned off in the options.)

I consider this script: very insecure!

XueBook

XueBook has known SQL injection issues in index.php. The script isn’t available for download anymore and is definitely not updated, but there are still copies out there. Although this exploit requires a little more knowledge than the standard code injection attacks that rely on a lack of input validation, it’s still dodgy.
I consider this script: insecure!

Safe Alternatives

BellaBook

Fanlisting Management/Related Scripts

PHPFanBase (all versions)

PHPFanBase, even with the publicised fixes, has SQL injection issues that an amateur could abuse because of the way unapproved members are added to the database. Although PHPFanBase can be patched with the CodeGrrl protection.php update, register_globals off fix and my updated join.php file, the script is old and it is not worth taking the risk.
I consider this script: very insecure!

Enthusiast (up to 3.0)

The early versions of Enthusiast 3 have a major flaw in the admin login code which allows anyone to manipulate the login cookie gaining immediate access (with permissions to delete entire fanlistings) as well as a lack of input validation in show_join.php — fixes however are available for both issues from the official Enthusiast site. Enth2 suffers from the same issues: do not be a stubborn arse, upgrade to the latest version.
I consider this script: insecure!

phpKIM’d

phpKIM’d, based on the insecure PHPFanBase, is more seriously flawed than the original code. My PHPFanBase join fix is half-heartedly applied to join.php with not a word of thanks (gotta love working my ass off for nothing) but is only made more irritating by the fact that it hasn’t been done properly: the clean_up() function has been applied to the $_POST data but instead of the clean new variables being sent via mail, the $_POST data is still being used. This allows all sorts of meta/header injection business to go on in the e-mails. The script uses a plain text cookie with the password on clear view and what’s worse: data is passed to an “$id” variable which is both checked against the database AND echoed to the browser: two major areas open to SQL injection and exploit.
I consider this script: very insecure!

Safe Alternatives

BellaBuffs, Enthusiast 3.1+
BellaBuffs can be converted into a KIM list as a replacement for phpKIM’d (if you’re into that sort of thing) by deleting the countries from the .txt file and replacing them with your list of fanlistings — ask at The Fanlistings forum for help.

FAQ/Question Scripts

Faqtastic

I blogged about the issues in Faqtastic, including unsanitised input issues and a whole crapload of undeclared variable errors. Efforts have been made to fix these errors since the original entry, but bugs and issues still remain.
I consider this script: insecure!

Waks Ask & Answer

Waks Ask and Answer script — which (sadly enough) is being redistributed by several hundred people — is known by many to be insecure. The script has uncleaned data passed to the form via the $_GET superglobal array (i.e. via the url which anyone can maliciously edit to inject data into files), each question is stored without any decent sanitisation and it requires a directory CHMODed to 777 which can be used to execute “hacker’s” files and is generally unsafe.
I consider this script: very insecure!

TinyQ&A

TinyQ&A seems to be plagued with similar issues to the Simpbook (no surprise, they were written by the same person). There is an attempt at sanitisation using str_replace() on < and >, but that leaves a multitude of other characters to inject, and a register_globals-dependent IP which I can manipulate via the script URL. The index page of the script looks like it’s open to SQL injection, with no sanitisation of data being passed back and forth.
I consider this script: very insecure!

Safe Alternatives

BellaBuzz, PHPAskIt

PHP Forms/Form Mailers/Auto Forms

aMAILzing

aMAILzing — another “inexistent” script — lacks validation in all but one of the fields, which gives plenty of room for mass header injection, has file upload capability but no checks (which would allow multiple virus uploads) and relies on register_globals. I’ve had multiple reports of people being suspended by their hosts because of the spam being sent through aMAILzing.

I consider this script: very insecure!

PHPFormMail

PHPFormMail, a stormynights.org script, is incredibly susceptible to header injection (which is how spam e-mails are sent). It has no validation of user input (not even an e-mail address regex check to verify the ‘sender’), and relies on register_globals to send the visitor IP. What makes these major blunders worse is that data is sent straight to the browser after it’s been e-mailed and you can use that as an opportunity to execute ‘dodgy’ code/etc. The stormynights scripts are old and AREN’T updated anymore, so don’t expect this or the issues in the other stormynights scripts to be fixed.
I consider this script: very insecure!

DodosMail

DodosMail (all versions) has some basic header injection protection but not enough for my liking. $_POST is checked for “Content-Type:” but strpos() is case sensitive, so one could easily use “content-type:”. What’s more, you don’t need to use Content-Type to forge headers and spam the crap out of people (just use bcc:). The e-mail address is checked for new lines, but not the name, which is added to the current headers and could be exploited. The script sends data back to the browser when there’s an error without any sanitisation (which is the worst time to do so — before the data has passed all checks!).

I consider this script: insecure!

RRmail

I almost feel a bit daft for including this one as it’s less a script and more a couple of lines copied from the PHP manual. That said, the naivety of the “script” author is astounding and needs highlighting. The readme included states that the script is unsafe, and that “Forms may be sent to spam/junk boxes”. This grossly underestimates the damage that the script can do: a very basic injection of mail headers will enable the form to be used as a gateway for spam… thousands of mails a minute. This would ultimately, where mail is reported as spam, cause the originating server to be blacklisted, affecting every person on it.
I consider this script: very insecure!
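Every script in this section falls to the same class of bug: a value typed into the form is pasted into a mail header, so a line break followed by a header name (the bcc: trick mentioned under DodosMail) turns the form into a relay. The code below is an added example of mine, not code from DodosMail, PHPFormMail, RRmail or any other script reviewed here. It puts the two weak checks described under DodosMail next to a check that rejects any line break in any header-bound field, validates the address with filter_var(), and takes the visitor IP from $_SERVER rather than a register_globals variable (the PHPFormMail problem). The field names, the $to address and the sample submission are my own assumptions.

```php
<?php
// Added example (not code from any script reviewed above). Shows why the
// checks described under DodosMail fall short and what a header-safe form
// mailer looks like.

// Weak check 1: case-sensitive, so "content-type:" is not caught.
function weak_check_case_sensitive(string $value): bool
{
    return strpos($value, 'Content-Type:') === false;
}

// Weak check 2: case-insensitive but looks for one header name only, so a
// value that starts a "Bcc:" or "Cc:" header is not caught either.
function weak_check_content_type_only(string $value): bool
{
    return stripos($value, 'content-type:') === false;
}

// Sound check: a value destined for a header may never contain a line break
// (CR or LF, raw or percent-encoded). Without a line break no additional
// header can be started, whatever its name.
function header_field_is_safe(string $value): bool
{
    return preg_match('/[\r\n]|%0[ad]/i', $value) === 0;
}

// Validate the whole submission. Returns a list of error messages (empty = OK).
function validate_form(array $post): array
{
    $errors = [];
    foreach (['name', 'email', 'subject'] as $field) {
        if (!isset($post[$field]) || trim($post[$field]) === '') {
            $errors[] = "$field is required";
        } elseif (!header_field_is_safe($post[$field])) {
            $errors[] = "$field contains a line break";
        }
    }
    if (isset($post['email']) && filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    if (!isset($post['message']) || trim($post['message']) === '') {
        $errors[] = 'message is required';
    }
    return $errors;
}

// Build the headers from validated fields only. The visitor IP is read from
// $_SERVER, which (unlike a register_globals variable) cannot be overridden
// through the query string.
function build_headers(array $post, string $remoteAddr): string
{
    $name = str_replace(['"', '\\'], '', $post['name']);
    return "From: \"$name\" <{$post['email']}>\r\n"
         . "Reply-To: {$post['email']}\r\n"
         . "X-Sender-IP: $remoteAddr\r\n";
}

// Constructed sample submission: the "name" field carries a line break that
// would start a second header. Both weak checks let it through; only
// header_field_is_safe() rejects it.
$sample = [
    'name'    => "Jem\r\nBcc: someone@example.invalid",
    'email'   => 'visitor@example.invalid',
    'subject' => 'Hello',
    'message' => 'Just testing the form.',
];

$errors = validate_form($sample);
if ($errors === []) {
    $to = 'you@example.invalid'; // assumption: the site owner's address
    $headers = build_headers($sample, $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
    mail($to, $sample['subject'], $sample['message'], $headers);
} else {
    // Never echo the raw submission back to the browser; escape what you show.
    foreach ($errors as $e) {
        echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
}
```

The point of header_field_is_safe() is that it does not care which header name the visitor tries to add: blocking the line break blocks every variant at once, so there is no list of header names to keep up to date.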

Safe Alternatives

Secure PHP mail form, NL-PHPMail

Directories/Clique Scripts

SimpleDir

Ouch. When I was first asked about SimpleDir I took a quick look and thought “hmm, some possibility for SQL injection perhaps”. I quickly took it all back: there are definite SQL injection possibilities. The page add.php not only SELECTs data from the database using non-sanitised data, but it INSERTs the data with no checks, no strip_tags, no empty field warnings. Of all the scripts I have reviewed for this post this script is one of the worst. It’s no wonder people are constantly complaining about being spammed using SimpleDir: the fact is they’re lucky they haven’t been hacked.
I consider this script: very insecure!

Link Up Free

Link Up Free (and I guess the paid version, which is apparently identical) is susceptible to more complex SQL injection through the search box, executing any code that is entered due to a lack of sanitisation. However, more worrying is rate.php which passes $_POST data straight to the database and is easier to manipulate by beginner script kiddies.

I consider this script: very insecure!

TCG Admin (early version)

This script is absolutely awful in terms of security. Just like SimpleDir it has multiple SQL injection vulnerabilities, no data validation of any sort and relies on register_globals to INSERT data in join.php. Another major issue is the insertion of an unsanitised e-mail directly into e-mail headers: hugely insecure and incredibly easy for spammers to exploit.
I consider this script: very insecure!
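SimpleDir, Link Up Free and TCG Admin all share the add.php pattern: form values go straight into a SELECT and an INSERT. The code below is an added example of mine, not code from any of those scripts (nor SimpBook, whose stored cross-site scripting the output part addresses). It shows that pattern alongside a version that validates the fields, binds every value through a PDO prepared statement so the database never parses visitor input as SQL, and escapes stored data before it reaches the browser. The table layout, the assumption that add.php’s SELECT is a duplicate check, and the sample submission are mine; it runs against an in-memory SQLite database so it can be tried offline.

```php
<?php
// Added example (not SimpleDir, Link Up Free or TCG Admin code).

// The pattern described above: form values concatenated straight into SQL.
// Every character the visitor types, quotes included, becomes part of the
// query text. Shown only for contrast; it is never called below.
function add_link_unsafe(PDO $db, array $post): void
{
    $sql = "INSERT INTO links (name, url) VALUES ('" . $post['name'] . "', '" . $post['url'] . "')";
    $db->exec($sql);
}

// Hardened version: validate first, then bind each value as a parameter.
// Returns a list of error messages (empty = inserted).
function add_link_safe(PDO $db, array $post): array
{
    $errors = [];
    $name = trim($post['name'] ?? '');
    $url  = trim($post['url'] ?? '');

    if ($name === '' || strlen($name) > 60) {          // byte length; limit is an assumption
        $errors[] = 'name is required (60 characters max)';
    }
    if (filter_var($url, FILTER_VALIDATE_URL) === false
        || !in_array(parse_url($url, PHP_URL_SCHEME), ['http', 'https'], true)) {
        $errors[] = 'url must be an http(s) address';
    }
    if ($errors !== []) {
        return $errors;
    }

    $stmt = $db->prepare('INSERT INTO links (name, url) VALUES (:name, :url)');
    $stmt->execute([':name' => $name, ':url' => $url]);
    return [];
}

// The SELECT that add.php does before inserting, bound the same way.
// (Assumed here to be a duplicate check on the URL.)
function link_exists(PDO $db, string $url): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM links WHERE url = :url');
    $stmt->execute([':url' => $url]);
    return (int) $stmt->fetchColumn() > 0;
}

// Output: data from the database is still visitor data. Escape it so stored
// HTML or script is displayed as text rather than run by the browser.
function render_links(PDO $db): string
{
    $html = "<ul>\n";
    foreach ($db->query('SELECT name, url FROM links ORDER BY name') as $row) {
        $html .= sprintf(
            "<li><a href=\"%s\">%s</a></li>\n",
            htmlspecialchars($row['url'], ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8')
        );
    }
    return $html . "</ul>\n";
}

// Constructed demo on an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE links (id INTEGER PRIMARY KEY, name TEXT NOT NULL, url TEXT NOT NULL)');

// A constructed submission with a quote and a tag in the name: the quote is
// harmless to the bound INSERT, and the tag is rendered as literal text.
$post = ['name' => "O'Brien <b>Links</b>", 'url' => 'https://example.invalid/'];

if (!link_exists($db, $post['url'])) {
    foreach (add_link_safe($db, $post) as $error) {
        echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
}
echo render_links($db);
```

Two separate defences are doing two separate jobs here: the prepared statement protects the database from the input, and htmlspecialchars() protects the visitor’s browser from what the database sends back. Neither one substitutes for the other, which is why strip_tags() on the way in is not enough on its own.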

Safe Alternatives

NinjaLinks

Miscellaneous

OhNo! 2.1

OhNo! the trouble checking script has the same login issue as Enthusiast 3.0, which allows people to log in without knowing your password. OhNo! 2.2 and 2.3 fix the core issue, rendering the script much more secure, but have a static salt which is virtually useless in cookie theft situations.
I consider this script: insecure!
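Three of the scripts above get login cookies wrong in related ways: phpKIM’d puts the password in the cookie in plain text, early Enthusiast 3 trusts a cookie that can be manipulated, and OhNo! 2.2/2.3 derive the cookie from a static salt, so a copied cookie stays valid indefinitely. The code below is an added example of mine, not code from Enthusiast, phpKIM’d or OhNo!. The cookie carries nothing but a random per-login token; the server keeps only a hash of it with an expiry, the password itself is stored with password_hash() (random salt per password), and logging out deletes the server-side record so a stolen cookie stops working. The user table, token table, user name, password and cookie settings are constructed stand-ins.

```php
<?php
// Added example (not Enthusiast, phpKIM'd or OhNo! code). A login cookie that
// carries neither the password nor anything derived from it with a fixed salt.

const TOKEN_LIFETIME = 60 * 60 * 24 * 14; // 14 days (assumed)

// Stand-in for the users table (constructed). password_hash() picks a fresh
// random salt for every password it hashes.
$users = [
    'jem' => ['password_hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)],
];

// Stand-in for a login_tokens table: sha256(token) => [user, expiry].
$loginTokens = [];

// Step 1: verify the password and hand back a random token for the cookie.
function login(array &$tokens, array $users, string $user, string $password): ?string
{
    if (!isset($users[$user]) || !password_verify($password, $users[$user]['password_hash'])) {
        return null;
    }
    $token = bin2hex(random_bytes(32));      // 256 bits from the CSPRNG
    $tokens[hash('sha256', $token)] = [      // store only the hash of the token
        'user'    => $user,
        'expires' => time() + TOKEN_LIFETIME,
    ];
    return $token;
}

// Step 2: on each request, identify the user from the presented cookie by
// looking up its hash. Nothing in the cookie is trusted on its own.
function user_from_cookie(array $tokens, ?string $cookie): ?string
{
    if ($cookie === null || !preg_match('/^[0-9a-f]{64}$/', $cookie)) {
        return null;
    }
    $key = hash('sha256', $cookie);
    if (!isset($tokens[$key]) || $tokens[$key]['expires'] < time()) {
        return null;
    }
    return $tokens[$key]['user'];
}

// Step 3: logout deletes the server-side record, so a copied cookie is dead
// from that moment. A cookie built from password + static salt cannot be
// invalidated like this without changing the password.
function logout(array &$tokens, ?string $cookie): void
{
    if ($cookie !== null) {
        unset($tokens[hash('sha256', $cookie)]);
    }
}

// Login handler (constructed credentials). Cookie flags assume an HTTPS-only
// admin area under /admin/; the array form of setcookie() needs PHP 7.3+.
$token = login($loginTokens, $users, 'jem', 'correct horse battery staple');
if ($token !== null) {
    setcookie('admin_login', $token, [
        'expires'  => time() + TOKEN_LIFETIME,
        'path'     => '/admin/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// A later request: who is this?
$who = user_from_cookie($loginTokens, $_COOKIE['admin_login'] ?? null);

// Logging out everywhere is just deleting that user's token records.
logout($loginTokens, $_COOKIE['admin_login'] ?? null);
```

The httponly flag keeps the token away from page scripts (the cross-site scripting holes elsewhere on this page are exactly how cookies get stolen), and storing only the token’s hash means that even a copy of the login table does not hand out working cookies.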

Domesticat skinning tutorial

The Domesticat skinning script/snippet that is so commonly redistributed has a couple of issues (not security related, but worth mentioning nonetheless): $_REQUEST should be replaced with $_GET/$_COOKIE and the three lots of setcookie() aren’t needed (you can safely delete the first two). The second $skin=$newskin; is also redundant and can be removed.

Cutenews

Cutenews is by far the worst script I have ever had the misfortune of downloading. It has more holes than a pair of fishnet stockings. If you like multiple cross-site scripting vulnerabilities that have been published all over the Internet, or fancy getting your pages injected with PHP and other malicious code, then download Cutenews today! I’m kidding; no, really, do yourself and your server a favour and stay as far away from Cutenews as possible.
I consider this script: more holey than the bible!

Disclaimer

Note: by providing links to what I consider “safe alternatives” I am by no means implying that these scripts do not have issues, or will never have security problems of their own. New bugs are being found all the time. The difference between a crap script and a good script is down to the coder/developer — if they’re not willing to protect their users as much as possible by updating the scripts whenever issues are found, then their scripts are obviously crap. That said, just because a script isn’t here doesn’t automatically make it safe to use. *insert legal mumbo jumbo about liability/etc here*

Beginner’s Guide to PHP – Part Two

Let’s have a quick re-cap of what we covered in Beginner’s Guide to PHP – Part One: there are different data types (string, integer, floating point number and boolean) and variables are created by simply assigning data to them. Simple enough? Well, now we’re going to take a look at mathematical operators and what we can do with them…

Mathematical Operators

‘Operator’ is the term used to cover various fancy symbols that we use to do stuff in PHP. (Nicely vague, right?) That is, we can use them to add integers, compare variable values, etc.. Easiest to understand are the mathematical operators — these are the kind you’re used to seeing on a calculator — and are as follows:

+ Used to add two integers (numbers) together
- Used to subtract a number from another
* Used to multiply two numbers together
/ Used to divide one number by another
% Used to find the remainder after one number is divided by another

At the end of Part One we also assigned data to two variables, like so:

<?php
    $name = "Jem";  // this is a string
    $age = 20;  // this is an integer
?>

(Those of you who are really clever will have also noticed that I demonstrated a type of PHP comment without explaining what they were, but let’s not pick on the inconsistencies… I’ll cover PHP comments later on, when I figure out where to incorporate them. Anyway…)

We can use the $age variable we created to test our mathematical operators. Firstly, ‘+’, because I’m not 20 anymore, so we’ll want to add a year (how convenient). There are two ways to do this, and which method you choose depends on whether or not you want to retain the original value. For example, if you want to keep $age as 20 and want a new variable to store our new age, we can do this like so:

<?php
    $name = "Jem";  // this is a string
    $age = 20;  // this is an integer
    $newAge = $age + 1;  // this is our age (20), plus 1 year
?>

Here we are adding 1 to our original variable. Of course, we don’t need a new variable, so we might as well just add straight to our $age variable:

<?php
    $name = "Jem";  // this is a string
    $age = 20 + 1;  // this is an integer
?>

In reality, we all know that 20 + 1 is 21 and getting PHP to do this mundane task is a bit boring. However, it’s good to understand that it’s possible to do your maths homework with a script. The other mathematical operators work in the same way: $age = 20 * 5; would assign the value of 20 * 5 (which is 100) to our $age variable and so on.

Once you’ve created your variables and done some maths magic, you might want to display those variables to the browser. This is where the echo statement comes in handy. (There is also print, but the echo vs. print debate is long, and I use echo out of habit.)

echo Statement

echo is what’s known as a simple statement. We use it to output everything inside the single or double quotation marks (…getting to that bit) or using the “here document” syntax. The contents of an echo statement can span multiple lines and use infinite amounts of whitespace. BUT, the statement needs to end with a semi-colon (much like assigning variables), otherwise you get a parse error.

As I said, the contents that we want to output need to be inside quotation marks. What you use depends on the effect you want. For example, double quotation marks will output everything — and — if there’s a variable in the string you’re trying to echo it will show the value of the variable (e.g. <?php echo "Hello $name"; ?> will output Hello Jem). However, if you use single quotation marks, you must ‘break out’ to echo a variable, otherwise all you will see is the variable name (e.g. <?php echo 'Hello $name'; ?> will output Hello $name).

An alternative to the quotation marks is the aforementioned “here document” syntax. As the PHP manual has a very good block of echo examples, I’m not going to repeat the information unnecessarily — see example 2298, echo().

Now that we’ve come to grips with echo and mathematical operators we can use the two to create a string of text, and output it to our browser.

<?php
    $name = "Jem";  // this is a string
    $age = 20 + 1;  // this is an integer
    echo "

My name is $name and my new age is $age

"; ?>

Assuming you’ve copied that into a .php file and your server supports PHP as we discussed in Part One, you should see My name is Jem and my new age is 21. Magic — our first little script that outputs data to the browser.

In Part Three I will cover the other types of Operators and how they can be used (and hopefully not take 6 months to do it!)

What is UP with WordPress?

I’ve tried to comment on about 12-15 blogs this past couple of days. All using WordPress, all ATE my comment. Not literally ate, but put me into moderation each time. It’s beginning to get really bloody irritating, because I know for a fact that I have commented on all of these sites many times before.

I can only assume that each of these people have upgraded to the latest version of WordPress and there is some change in the code that forces people who haven’t commented since the upgrade to be placed in the queue. The really irritating thing is that I can pinpoint several blogs on which my comments have been approved and yet my newer comments are STILL ending up in moderation.

The part that is most infuriating is that WordPress doesn’t have a “comment confirmed” page, or any sort of notice that verifies that a comment has actually gone through (because most people edit out the line that displays “Your comment is in moderation”). That leaves me sitting here wondering if it is patiently waiting in the database, or if my series of carefully placed letters and characters have been sucked into the vacuum that is cyberspace.

If you use WordPress, please check your moderation queue!

Blame Canada Akismet

Update (4th March): Several people have come back to me blaming Akismet (saying that my comments have ended up in the Akismet queue, or deleted altogether). So, as an amendment to the last line of my unedited entry: if you use WordPress and Akismet, please check your Akismet moderation queue.

Apparently, I’m not the only one that’s had this problem. I’d therefore appreciate it if everyone could mark me not spam, to ‘re-teach’ Akismet. If you have a blog that you’re protecting with Akismet, let me know and I’ll leave you a comment — you can then do me the favour of de-spamming me.

The de-spamming process can take up to a day, according to the Akismet FAQ.. but the more mistakes that are marked, the better chance I have of being allowed to leave a comment normally again. That said, if this is someone playing stupid games with me and deliberately marking me as spam to try and inconvenience me: the only people you’re inconveniencing is yourselves. It’ll be no skin off my nose if I simply have to stop commenting on blogs; I won’t be losing out.

Update (5th March): “Re-teaching” Akismet seemed to achieve nothing, but I sent an e-mail to the Akismet guys this morning and have checked just (5:45pm) and am able to comment again. Hoorah.

Conquering the World, Script by Script

Sometimes I wonder if I take on too much because I am paranoid about letting people down (irrelevant of who they are). I can’t decide if this is an ego thing (i.e. must prove I can do this, must show my skill) or an inbuilt desire to prove that I am actually a nice, helpful person and that my lack of tact and bitchiness is not always intentional.

Maybe I am just too much of a perfectionist and can’t stand the idea of someone else doing it ‘not quite right’… (now that is an ego thing.)

That slightly ‘deep’ ramble is inspired by the fact that — despite being surrounded by work scripts/projects, other people’s scripts, q*bee projects, my scripts (old and new), reviews etc — I am still considering re-writing my weblog/CMS in the next couple of months. It is almost two years old, after all. The poor girl is barely holding up under the strain caused by the massive amount of love, appreciation and comments I get ;)

I think I like being under pressure.

You Know You’re a Geek When…

…you create a PHP script to parse your telephone bills because you can’t be bothered to install suitable software to deal with .csv files.

[image: phone bill]

(If anyone wants that code btw, let me know and I’ll hook you up. It’s designed to parse BT phone bills in .csv format with colour coding depending on the incoming call ‘type’.)

BellaBook 3.4 is up. The upgrade process is simple — and the same as always — download the new version, delete the .txt files, re-customise config.php and upload over the top of your old stuff. Installation is similar only minus the deleting .txt files bit.

Will probably update this entry with more crap later.. going to eat my mashed potatoes and sausages now :9 PS. Please send particularly bad sites for Pants Awards/review nominations, I seem to have lost most of the ones I had.

Update (16th Feb): I’ve updated my Unsafe Scripts entry to include SimpleDir. Do not use this script, for the love of all that is geeky.