Frozen Midnight: Defrauding Customers

On the 2nd of July (this year) a friend of mine received an e-mail from “Frozen Midnight, LLC” hosting. The e-mail contained threats of legal action and the involvement of local law enforcement because my friend’s account had apparently been caught breaking the Frozen Midnight terms of service. In a fluster, my friend agreed to pay a set price each month provided FM could prove that there had been malicious activity from the account concerned. At the same time, she posted a public cry for help because this was not something that had happened to her before.

After some delay FM got back in touch with some PDFs, claiming that my friend owed them hundreds of dollars, that she must reply within 3 days and pay within 3 months. However, upon closer inspection of the PDFs it seemed that while — yes, one of FM’s servers had been used to execute a DoS attack (amongst other things) — the server IP that my friend was originally on did not correspond with the IP of the exploited server or show any connection to it whatsoever.

Now, at the time this incident occurred FM didn’t actually have any policies which placed liability in the hands of their clients in the case of unintentional damage, so even if the evidence against my friend had supported FM’s wacky claims, they’d be clutching at straws to try and do anything about it. Furthermore, FM’s existing Terms of Service policy states that they are in fact an “Inc” rather than an “LLC”, but there seems to be no mention of FM in any official online business databases. This is not a surprise when you consider that the owner is one ‘Jamie Timbre’, a high school junior aged only 17 [1].

In preparation for disputing FM’s accusations, my friend’s new host (and knowledgeable aide) discovered further evidence of claims against other FM customers. One young woman from the UK is being charged $267.84 for “phishing” despite — to her knowledge — running “only a personal blog site with [her] photoshop icons, banners etc.”, blissfully unaware of what phishing even is! [2] Her e-mails to FM have gone ignored, leaving her unable to contact anyone because of the cost of international phone calls.

During my own research, I uncovered an old thread at The Fanlistings forum where another FM customer was accused of sending “over 1000 emails” and given a bill of $98.64 [3], as well as another thread from earlier this year where several customers had paid for goods (hosting, domains, etc.) that they had to wait weeks to receive (or in some cases, didn’t receive at all) [4], and this delay was simply to hold them past the 30-day money back guarantee period. Other customers are constantly complaining about MySQL downtime causing massive data loss and site-wide errors. Elsewhere, one customer was charged $81 for uploading illegal material despite having submitted repeated support requests because she couldn’t access her FTP [5], and in the same thread another mentions her bill of $300 for phishing and DDoS attacks against their server despite also not having access to her account.

The evidence is mounting up, showing repeated threats of prosecution and demands for large sums of money and yet with no proof to back it up it seems very likely to me that these claims are nothing more than fraudulent. My advice: if you’re a FM customer, move your hosting to someone more reliable. If you’re not, consider yourself lucky and DO NOT under any circumstances take on their services. If you’ve been accused of anything by Frozen Midnight LLC/Frozen Midnight Inc feel free to get in touch (jem@jemjabella.co.uk) and I’ll forward your details on to someone who can help.

Update: This post has a follow-up, Follow-up on Frozen Midnight, which is also worth reading.

More Insecure Scripts

As well as updating my Unsafe Scripts page to give more clarification about which scripts are bad and which are not (with funky icons!) I have also added two new brief reviews…

Link Up Free
Link Up Free is susceptible to more complex SQL injection through the search box, executing any code that is entered due to a lack of sanitisation.

LittleWallOButtons
Although some effort has been made to make the script secure by using basic sanitisation, those with more advanced PHP knowledge may be able to create a malicious PHP file and give it an image extension (.gif, .jpg, etc). By linking to this dodgy file as the button URL we can bypass the extension checking and execute PHP code (much like a CAPTCHA). (Unable to execute a proof of concept; see On Being Wrong)

Be secure people, be secure!

DreamHost Security Breach

As you may or may not have heard, there was a recent security breach at DreamHost affecting roughly 3,500 accounts (and they were just the ones they admitted to). I don’t know the exact details of the hows and whys, but I do know that the most common ‘side effect’ is that people are finding iframes and dodgy spam links inserted into their index.php and index.htm documents.

You can find more about this at the DreamHost status blog, but I’d recommend taking heed of the following advice even if you’re hosted elsewhere.

  • Change all of your passwords regularly, make them long and make them random. At least 8 characters with both numbers and letters.
  • Keep an eye on your files. I’m not expecting you to have an in depth knowledge of all of the code in the scripts that you use but I don’t know of any script that randomly inserts spam links into your pages.
  • Upgrade your scripts! Jesus christ, I cannot repeat this enough. UPGRADE. UPGRADE. UPGRADE.
  • If you can’t tell if your script is secure or not, Google it. How hard is it to type in to Google “[script name] secure” or “[script name] exploits”? Not very. I have no sympathy for people who’re using insecure scripts when they already know they’re insecure.
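Keeping an eye on your files is easier when something does it for you. The script below is an added example (not from the original post, not DreamHost’s tooling): it records a baseline of file hashes for a web root, reports anything added, changed or deleted on later runs, and scans index files for the injected iframes and hidden links described above. The web root path and the manifest location are assumptions.

```php
<?php
// Added example: baseline-and-diff integrity check for a web root, plus a crude signature
// scan of index files. Root path (argv[1]) and manifest location are assumptions.

function build_manifest(string $root, string $skip): array {
    $manifest = [];
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if (!$file->isFile() || $file->getPathname() === $skip) continue;
        $rel = substr($file->getPathname(), strlen($root) + 1);
        $manifest[$rel] = hash_file('sha256', $file->getPathname());
    }
    ksort($manifest);
    return $manifest;
}

// Compare a stored manifest with a fresh one: added, changed and deleted paths.
function diff_manifest(array $old, array $new): array {
    $changed = [];
    foreach (array_intersect_key($new, $old) as $path => $hash) {
        if ($old[$path] !== $hash) $changed[] = $path;
    }
    return [
        'added'   => array_keys(array_diff_key($new, $old)),
        'changed' => $changed,
        'deleted' => array_keys(array_diff_key($old, $new)),
    ];
}

// Markup a personal site's index page should not suddenly contain.
function suspicious_markup(string $html): array {
    $patterns = [
        'iframe'      => '/<iframe\b/i',
        'hidden-link' => '/<(?:div|span|a)\b[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden)/i',
    ];
    return array_keys(array_filter($patterns, fn($re) => preg_match($re, $html) === 1));
}

$root = rtrim($argv[1] ?? __DIR__, '/');      // assumption: web root given on the command line
$manifestFile = "$root/.manifest.json";       // in practice keep the manifest outside the web root
$new = build_manifest($root, $manifestFile);
if (!is_file($manifestFile)) {
    file_put_contents($manifestFile, json_encode($new, JSON_PRETTY_PRINT));
    exit("Baseline written for " . count($new) . " files\n");
}
foreach (diff_manifest(json_decode(file_get_contents($manifestFile), true), $new) as $kind => $paths) {
    foreach ($paths as $p) echo "$kind: $p\n";
}
foreach (array_keys($new) as $path) {
    if (preg_match('~(^|/)index\.(php|html?)$~i', $path)) {
        $hits = suspicious_markup(file_get_contents("$root/$path"));
        if ($hits) echo "suspicious markup in $path: " . implode(', ', $hits) . "\n";
    }
}
```

Run it once to write the baseline, then from cron; a changed index.php you did not upload yourself is exactly the side effect the breach produced.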

Like I said, please listen to me even if you don’t use DreamHost. Even I’m paranoid right now and I know what I’m doing… (Usually.)

Unsafe PHP Scripts

In my spare time I like to review free PHP scripts. This is a log of my findings.

Guestbooks

SimpBook

SimpBook, one of the old CodeGrrl scripts, not only contains a cross site scripting vulnerability (as with PHPFanBase/etc) but also has no validation of user input, which is inserted straight into the database. This means that anyone can insert JavaScript, PHP or HTML into the database, which can be used to interfere with the script and wipe your databases. (This can occur even when “allow HTML” is turned off in the options.)

I consider this script: very insecure!

XueBook

XueBook has known SQL injection issues in index.php. The script isn’t available for download anymore and is definitely not updated, but there are still copies out there. Although this exploit requires a little more knowledge than the usual injection attacks that rely on a plain lack of input validation, it’s still dodgy.
I consider this script: insecure!

Safe Alternatives

BellaBook

Fanlisting Management/Related Scripts

PHPFanBase (all versions)

PHPFanBase, even with the publicised fixes, has SQL injection issues that an amateur could abuse because of the way unapproved members are added to the database. Although PHPFanBase can be patched with the CodeGrrl protection.php update, register_globals off fix and my updated join.php file, the script is old and it is not worth taking the risk.
I consider this script: very insecure!

Enthusiast (up to 3.0)

The early versions of Enthusiast 3 have a major flaw in the admin login code which allows anyone to manipulate the login cookie gaining immediate access (with permissions to delete entire fanlistings) as well as a lack of input validation in show_join.php — fixes however are available for both issues from the official Enthusiast site. Enth2 suffers from the same issues: do not be a stubborn arse, upgrade to the latest version.
I consider this script: insecure!

phpKIM’d

phpKIM’d, based on the insecure PHPFanBase, is more seriously flawed than the original code. My PHPFanBase join fix is half-heartedly applied to join.php with not a word of thanks (gotta love working my ass off for nothing) but is only made more irritating by the fact that it hasn’t been done properly: the clean_up() function has been applied to the $_POST data but instead of the clean new variables being sent via mail, the $_POST data is still being used. This allows all sorts of meta/header injection business to go on in the e-mails. The script uses a plain text cookie with the password on clear view and what’s worse: data is passed to an “$id” variable which is both checked against the database AND echoed to the browser: two major areas open to SQL injection and exploit.
I consider this script: very insecure!

Safe Alternatives

BellaBuffs, Enthusiast 3.1+
BellaBuffs can be converted into a KIM list as a replacement for phpKIM’d (if you’re into that sort of thing) by deleting the countries from the .txt file and replacing them with your list of fanlistings — ask at The Fanlistings forum for help.

FAQ/Question Scripts

Faqtastic

I blogged about the issues in Faqtastic, including unsanitised input issues and a whole crapload of undeclared variable errors. Efforts have been made to fix these errors since the original entry, but bugs and issues still remain.
I consider this script: insecure!

Waks Ask & Answer

Waks Ask and Answer script — which (sadly enough) is being redistributed by several hundred people — is known by many to be insecure. The script has uncleaned data passed to the form via the $_GET superglobal array (i.e. via the url which anyone can maliciously edit to inject data into files), each question is stored without any decent sanitisation and it requires a directory CHMODed to 777 which can be used to execute “hacker’s” files and is generally unsafe.
I consider this script: very insecure!

TinyQ&A

TinyQ&A seems to be plagued with similar issues to the Simpbook (no surprise, they were written by the same person). There is an attempt at sanitisation using str_replace() on < and >, but that leaves a multitude of other characters to inject, and a register_globals-dependent IP which I can manipulate via the script URL. The index page of the script looks like it’s open to SQL injection, with no sanitisation of data being passed back and forth.
I consider this script: very insecure!

Safe Alternatives

BellaBuzz, PHPAskIt

PHP Forms/Form Mailers/Auto Forms

aMAILzing

aMAILzing — another “inexistant” script — lacks validation in all but one of the fields which gives plenty of room for mass header injection, has file upload capability but no checks which would allow multiple virus uploads and relies on register_globals. I’ve had multiple reports of people being suspended by their hosts because of the spam being sent through aMAILzing.

I consider this script: very insecure!

PHPFormMail

PHPFormMail, a stormynights.org script, is incredibly susceptible to header injection (which is how spam e-mails are sent). It has no validation of user input (not even an e-mail address regex check to verify the ‘sender’), and relies on register_globals to send the visitor IP. What makes these major blunders worse is that data is sent straight to the browser after it’s been e-mailed and you can use that as an opportunity to execute ‘dodgy’ code/etc. The stormynights scripts are old and AREN’T updated anymore, so don’t expect this or the issues in the other stormynights scripts to be fixed.
I consider this script: very insecure!

DodosMail

DodosMail (all versions) has some basic header injection protection but not enough for my liking. $_POST is checked for “Content-Type:” but strpos() is case sensitive, so one could easily use “content-type:”. What’s more, you don’t need to use Content-Type to forge headers and spam the crap out of people (just use bcc:). The e-mail address is checked for new lines, but not the name, which is added to the current headers and could be exploited. The script sends data back to the browser when there’s an error without any sanitisation (which is the worst time to do so — before the data has passed all checks!)

I consider this script: insecure!

RRmail

I almost feel a bit daft for including this one as it’s less a script and more a couple of lines copied from the PHP manual. That said, the naivety of the “script” author is astounding and needs highlighting. The readme included states that the script is unsafe, and that “Forms may be sent to spam/junk boxes”. This grossly underestimates the damage that the script can do: a very basic injection of mail headers will enable the form to be used as a gateway for spam… thousands of mails a minute. This would ultimately, where mail is reported as spam, cause the originating server to be blacklisted, affecting every person on it.
I consider this script: very insecure!
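The four form mailers above all fail in the same place: a value from the form reaches a mail header with a line break in it. The following is an added example, not code from DodosMail, PHPFormMail, aMAILzing or RRmail: weak_check() is the kind of test those reviews describe (one header name, one field, case-sensitive strpos()), and validate_form() plus build_headers() show the hardened version. Field names and the site address are assumptions.

```php
<?php
// Added example (not from any script reviewed on this page). Shows why a check for one
// header name in one field is not header-injection protection, and what is.

function weak_check(array $post): bool {
    // Case-sensitive, looks only for Content-Type:, and never examines the name field.
    return strpos($post['email'], 'Content-Type:') === false;
}

// A header value may never contain CR, LF or NUL: a line break is what starts a new header.
function header_safe(string $value): bool {
    return preg_match('/[\r\n\0]/', $value) === 0;
}

function validate_form(array $post): array {
    $errors = [];
    foreach (['name', 'email', 'subject'] as $field) {
        if (!header_safe($post[$field] ?? '')) $errors[] = "$field contains a line break";
    }
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    return $errors;
}

// From: is fixed and server-controlled; the visitor only ever lands in Reply-To, with the
// display name quoted so commas and angle brackets cannot start a second address.
function build_headers(array $post, string $siteFrom): string {
    $name = addcslashes($post['name'], '"\\');
    return "From: $siteFrom\r\nReply-To: \"$name\" <{$post['email']}>\r\n";
}

// Constructed sample: a lowercase header name in the e-mail field and a bcc: line hidden
// in the name field, which the weak check never looks at.
$attack = [
    'name'    => "Visitor\r\nbcc: someone@example.com, other@example.com",
    'email'   => "visitor@example.com\r\ncontent-type: text/html",
    'subject' => 'Hello',
];
var_dump(weak_check($attack));      // the weak check lets the attack through
print_r(validate_form($attack));    // the hardened check rejects both fields
$clean = ['name' => 'Visitor', 'email' => 'visitor@example.com', 'subject' => 'Hello'];
if (validate_form($clean) === []) {
    echo build_headers($clean, 'forms@example.com');   // assumption: your site's own address
}
```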

Safe Alternatives

Secure PHP mail form, NL-PHPMail

Directories/Clique Scripts

SimpleDir

Ouch. When I was first asked about SimpleDir I took a quick look and thought “hmm, some possibility for SQL injection perhaps”. I quickly took it all back: there are definite SQL injection possibilities. The page add.php not only SELECTs data from the database using non-sanitised data, but it INSERTs the data with no checks, no strip_tags, no empty field warnings. Of all the scripts I have reviewed for this post, this script is one of the worst. It’s no wonder people are constantly complaining about being spammed using SimpleDir: the fact is they’re lucky they haven’t been hacked.
I consider this script: very insecure!

Link Up Free

Link Up Free (and I guess the paid version, which is apparently identical) is susceptible to more complex SQL injection through the search box, executing any code that is entered due to a lack of sanitisation. However, more worrying is rate.php which passes $_POST data straight to the database and is easier to manipulate by beginner script kiddies.

I consider this script: very insecure!

TCG Admin (early version)

This script is absolutely awful in terms of security. Just like SimpleDir it has multiple SQL injection vulnerabilities, no data validation of any sort and relies on register_globals to INSERT data in join.php. Another major issue is the insertion of an unsanitised e-mail directly into e-mail headers: hugely insecure and incredibly easy for spammers to exploit.
I consider this script: very insecure!
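The phpKIM’d $id problem above and the add.php/join.php INSERTs in SimpleDir and TCG Admin are one pattern: a request value goes into a query string, and in phpKIM’d’s case straight back out to the browser as well. This added example (not code from any of those scripts) rebuilds that pattern against an in-memory SQLite table so it runs without a live site, then shows the hardened form. It assumes pdo_sqlite is available; the table and column names are made up.

```php
<?php
// Added example, not code from phpKIM'd, SimpleDir or TCG Admin. Table and columns are
// assumptions; SQLite in memory stands in for MySQL so the script runs stand-alone.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, approved INTEGER)");
$db->exec("INSERT INTO members VALUES (1, 'Alice', 1), (2, 'Bob', 0)");   // constructed rows

// Vulnerable: $id is dropped into the SQL string and then into the page unescaped.
function show_member_vulnerable(PDO $db, string $id): string {
    $row = $db->query("SELECT name FROM members WHERE id = $id AND approved = 1")->fetch();
    return "<p>Member $id: " . ($row ? $row['name'] : 'not found') . "</p>";
}

// Hardened: the value is type-checked, bound as a parameter (so it can only ever be data),
// and HTML-escaped before it is echoed.
function show_member_safe(PDO $db, string $id): string {
    if (!ctype_digit($id)) {
        return '<p>Invalid member id</p>';
    }
    $stmt = $db->prepare("SELECT name FROM members WHERE id = :id AND approved = 1");
    $stmt->execute([':id' => (int) $id]);
    $row = $stmt->fetch();
    $name = $row ? htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') : 'not found';
    return '<p>Member ' . htmlspecialchars($id, ENT_QUOTES, 'UTF-8') . ": $name</p>";
}

// Same idea for the INSERT side that add.php/join.php get wrong: validate, then bind.
function add_member_safe(PDO $db, array $post): bool {
    $name = trim($post['name'] ?? '');
    if ($name === '' || mb_strlen($name) > 60) {
        return false;                       // the "no empty field warnings" problem
    }
    $stmt = $db->prepare("INSERT INTO members (name, approved) VALUES (:name, 0)");
    return $stmt->execute([':name' => $name]);
}

// Constructed input: the injected OR rewrites the WHERE clause, so the vulnerable query
// returns an approved member's name for an id that should come back as "not found",
// and the raw $id is reflected into the page.
$id = '2 OR 1=1';
echo show_member_vulnerable($db, $id), "\n";
echo show_member_safe($db, $id), "\n";      // rejected before any query runs
echo show_member_safe($db, '2'), "\n";      // unapproved member stays hidden
var_dump(add_member_safe($db, ['name' => '']));
var_dump(add_member_safe($db, ['name' => "Carol <script>"]));   // stored as data, escaped on output
```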

Safe Alternatives

NinjaLinks

Miscellaneous

OhNo! 2.1

OhNo!, the trouble checking script, has the same login issue as Enthusiast 3.0 which allows people to log in without knowing your password. OhNo! 2.2 and 2.3 fix the core issue, rendering the script much more secure, but have a static salt which is virtually useless in cookie theft situations.
I consider this script: insecure!

Domesticat skinning tutorial

The Domesticat skinning script/snippet that is so commonly redistributed has a couple of issues (not security related, but worth mentioning nonetheless): $_REQUEST should be replaced with $_GET/$_COOKIE and the three lots of setcookie() aren’t needed (you can safely delete the first two). The second $skin=$newskin; is also redundant and can be removed.

Cutenews

Cutenews is by far the worst script I have ever had the misfortune of downloading. It has more holes than a pair of fishnet stockings. If you like multiple cross-site scripting vulnerabilities that have been published all over the Internet, or fancy getting your pages injected with PHP and other malicious code, then download Cutenews today! I’m kidding; no, really, do yourself and your server a favour and stay as far away from Cutenews as possible.
I consider this script: more holey than the bible!

Disclaimer

Note: by providing links to what I consider “safe alternatives” I am by no means implying that these scripts do not have issues, or will never have security problems of their own. New bugs are being found all the time. The difference between a crap script and a good script is down to the coder/developer — if they’re not willing to protect their users as much as possible by updating the scripts whenever issues are found, then their scripts are obviously crap. That said, just because a script isn’t here doesn’t automatically make it safe to use. *insert legal mumbo jumbo about liability/etc here*

What Is Too Personal?

As those of you who read my Asides (see sidebar) will have noticed, I’m in the process of re-writing some of my pages. I started with my ‘About Jem’ section, revising the information that I display about myself. While I haven’t really added or taken away any information (simply changed the formatting), it did get me thinking about what details people share on the Internet and whether or not they think about what they’re doing.

Generally I’m not too fussed about people knowing my full name, age, general location on the great planet we call Earth, etc… but I do draw the line at discussing my relationship in detail or sharing family business — these things are private to me and are nothing to do with other people (not that anyone would believe half of the crap that goes on in my family anyway.)

Even with this level of ‘secrecy’ (if you can call it that) I feel that sometimes I need to double check what I’m saying and remind myself that — as friendly as the majority of you are — there’s no guarantee that you aren’t all dirty old men posing as innocent teenagers through blogs and the like.

I’m not a paranoid web user and I don’t spend my time hiding behind proxies or using false names. However, I do feel that there are far too many people who aren’t giving a second thought to what they’re putting on the Internet. I worry that those who feel it’s OK to share their most intimate secrets are going to regret it at a later date. Particularly relevant when you consider that fellow blogger Rose has recently emptied her archives for the sake of her privacy.

Think before you type, is the best advice I can give.