Scripts Security Risk

If you’re using FA-PHPHosting, PHPClique, PHPCalendar, PHPCurrently, PHPFanBase or PHPQuotes there are security risks that need to be addressed. You can find more information on Amelie’s website.

I knew I spotted something dodgy with phpFanBase about mid-October, when I spent so much time staring at it helping Ang.nu to convert. I e-mailed the creator and never got a response. I discovered yesterday it was because it didn’t get delivered. No idea why.

I feel so, so sorry for the ladies at CodeGrrl. I remember how I felt with the whole BellaBook1 fiasco (my fault for releasing a script before I had finished it). I was the only person “damaged”, if I remember right, and I felt like shit for putting people at risk… there are hundreds of people who use CG scripts so they must feel hundreds of times worse.

I’m going for a lie down, I feel ever so dodgy today.

11 comments so far

  1. Aneesah said:
    On 17 Nov at 11:23 am

    Ah, first time I’ve seen these two new themes! I have to love the Silhouette, I will always like sunset/sunrise pictures where the foreground is (almost) black. Beautiful. I happen to be lucky and haven’t used any of those scripts. Everybody makes mistakes, though. Hope you had a good lie down. It’s 12:23 am here anyway.

  2. Rosemarie said:
    On 17 Nov at 11:38 am

    Yeah, I haven’t used them either, although recently I’ve been reading up on php security and going, “oh my god, I’m screwed if anyone heads my way.” Well, maybe not. I don’t use a lot of php extras, but a couple… Actually, I’m gonna go fix that now! see ya :P

  3. Meggan said:
    On 17 Nov at 12:12 pm

    Thanks so much for letting me know, Jem. It turned out to be PHPquotes that was the culprit. I’ve fixed it now.

  4. Amelie said:
    On 17 Nov at 1:35 pm

    Yeah, we’re having a bit of a nightmare over at CG. I and some other CG staffers said a while ago that we should change them, but none of the original developers were available. It’s sad that it has to come to this for people to realise there’s a problem. As for the fix posted on the forums, I was PMed by Vikki saying it didn’t really work. I suggest you use the fix I posted on my site or in the bugs thread on CG, it’s a bit more secure.

  5. Heather said:
    On 17 Nov at 4:54 pm

    I’ve updated my scripts, thanks for putting the word out. I’ve got PHPFanbase installed for all of my fanlistings :S It would have been quite scary for all of them to get hacked…

  6. Nikki-ann said:
    On 17 Nov at 6:31 pm

    I hope you feel better soon! :) Take care.

  7. kachii said:
    On 18 Nov at 4:43 am

    Bugs and exploits are found in scripts every day. I don’t think that anyone is particularly to blame, it’s easy to make such mistakes. I don’t use any of those scripts, though. XD

  8. Gemma said:
    On 18 Nov at 5:45 am

    I’ve been a bit alarmed by all this, since I’m pretty ignorant about script security, and probably unaware of ways in which my own scripts could probably be attacked by a determined hacker. Fortunately, they’re probably too obscure for anyone to care – unless the PHPFanBase incidents prompt anyone to switch over :). I need to read up about securing ASP.

  9. Anne said:
    On 18 Nov at 9:27 am

    I’m using PHPQuotes…like Gemma above…I’m pretty ignorant about script security. What can I do to fix it?

  10. Jem said:
    On 18 Nov at 9:29 am

    Follow the link I posted: http://not-noticeably.net/home/?p=220 ..that tells you what to do :)

  11. Anne said:
    On 19 Nov at 7:07 pm

    THANKS!!!