More Insecure Scripts
As well as updating my Unsafe Scripts page to give more clarification about which scripts are bad and which are not (with funky icons!) I have also added two new brief reviews…
Link Up Free
Link Up Free is susceptible to more complex SQL injection through the search box: because the search input is not sanitised, whatever is entered is executed as part of the query.
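To show what "executed as part of the query" means in practice, here is an added illustration in Python with SQLite. It is not code from Link Up Free (whose schema and source are not on this page); the `links` table, its columns and the sample rows are constructed assumptions. The vulnerable search pastes the term into the SQL text, while the fixed version binds it as a parameter so quote characters in the input can never change the query's structure.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for a link directory's table.
    # Table and column names are assumptions, not Link Up Free's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE links (id INTEGER PRIMARY KEY, title TEXT, url TEXT, approved INTEGER)"
    )
    conn.executemany(
        "INSERT INTO links (title, url, approved) VALUES (?, ?, ?)",
        [
            ("Jem's site", "http://example.com/jem", 1),
            ("Pixel blog", "http://example.com/pixel", 1),
            ("Pending link", "http://example.com/pending", 0),  # not yet approved
        ],
    )
    return conn


def search_vulnerable(conn, term):
    # The unsafe pattern: the search term is concatenated straight into the
    # SQL string, so a quote in it ends the LIKE literal and the rest of the
    # input is parsed as SQL (the approved = 1 filter can be defeated).
    sql = (
        "SELECT title FROM links WHERE approved = 1 AND title LIKE '%"
        + term
        + "%' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    # Parameterised query: the term is passed to the driver as data and is
    # never interpreted as SQL, whatever characters it contains.
    sql = "SELECT title FROM links WHERE approved = 1 AND title LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def demo():
    conn = make_db()
    ordinary = "pixel"
    # Constructed search term containing a quote that closes the LIKE literal;
    # used here only to show how the two implementations differ.
    hostile = "%' OR 1=1 --"
    return {
        "vuln_ordinary": search_vulnerable(conn, ordinary),
        "safe_ordinary": search_safe(conn, ordinary),
        "vuln_hostile": search_vulnerable(conn, hostile),
        "safe_hostile": search_safe(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With an ordinary term both functions return the same rows; with the quoted term the concatenating version returns every row, including the unapproved one, while the parameterised version simply finds no title containing that literal string. Binding parameters, not stripping characters, is the fix that holds up.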
LittleWallOButtons
Although some effort has been made to make the script secure by using basic sanitisation, those with more advanced PHP knowledge may be able to create a malicious PHP file and give it an image extension (.gif, .jpg, etc.). By linking to this dodgy file as the button URL, the extension check can be bypassed and PHP code executed (much like a CAPTCHA). (Unable to execute a proof of concept; see On Being Wrong.)
Be secure people, be secure!
Rachael said:
On 18 Jun at 9:32 pm
Oh I’m glad I don’t use these scripts… The only scripts I use are phpaskit and fanupdate… tell me they’re secure! please?
Bubs said:
On 18 Jun at 9:41 pm
Did you get my email with the Button Board code? If you did and haven’t gotten around to it, I’m not rushing :)
Chrissy said:
On 18 Jun at 10:09 pm
You’re too awesome. :)
Amanda said:
On 18 Jun at 10:34 pm
Never heard of those two scripts. I’m safe. :P
Aaron said:
On 18 Jun at 11:53 pm
I’ve only ever used Waks A&A before and since no one asked me anything, I got rid of it. That was before I found out it was insecure. The only script or tool I use now is WordPress. Luckily you’re always on top when it comes to educating the web about insecure scripts!
Sara said:
On 19 Jun at 12:38 am
Thank goodness for you, Jem… or, I would probably be filling my sites with bad scripts… wait, I’m not currently using any! DUH! Oh well, that page is great for future reference. :D
Darren said:
On 19 Jun at 1:02 am
Never heard of those scripts, so I’m good. :)
Jessica said:
On 19 Jun at 3:06 am
I never heard of those scripts, luckily. Way to go Jem. :)
Nyx said:
On 19 Jun at 3:44 am
Still no safe alternative to SimpleDir? :(
Donnie said:
On 19 Jun at 4:34 am
Jem, in the case of LittleWallOButtons, how does linking to an invalid image via the XHTML img tag make the user of the script susceptible to any attacks? If it isn’t a valid image and if it is indeed a “dodgy file”, the file will be executed on the wannabe attacker’s server; the script itself will simply display a broken image. I don’t see why this deserves to be labeled “Insecure Scripts”.
Jordan said:
On 19 Jun at 4:43 am
Actually, speaking from personal experience, not from the script listed, but rather having a user create an injection script and save it as an image through a support script vulnerability, it is most definitely possible to execute using this method.
Donnie said:
On 19 Jun at 4:56 am
Jordan, the script doesn’t upload the image; it only links to an external image.
Amber said:
On 19 Jun at 5:56 am
Thanks for the inclusion of the directory scripts. :)
Tanya said:
On 19 Jun at 7:25 am
Thanks for the heads up on this, Jem.
Jem said:
On 19 Jun at 7:55 am
@Donnie: It’s a form of CSRF attack – although the damage would likely be limited because there is very little functionality etc in LittleWallOButtons, it would probably be possible to steal the cookie of the admin user thus gaining access to the control panel. There’s not as much info on the ‘net about CSRF as there is XSS, but it’s there all the same. Suggested reading: http://www.tux.org/~peterw/csrf.txt I sent you more links via e-mail, some interesting reading for sure!
Chris Allen said:
On 19 Jun at 8:15 am
Thanks for the tips! I’m very glad that I do not use any of these scripts though! :)
Donnie said:
On 19 Jun at 4:22 pm
Jem, I e-mailed my reply. I don’t “think” the problem lies with LittleWallOButtons; however, if Lirae stripped the query string off of the URL, the example attack I gave in the e-mail would be difficult to execute unless an admin/control panel uses SEO friendly URLs (most don’t however).
Louise said:
On 20 Jun at 2:26 am
Just wondering what are the insecurities of using scripts such as Cutenews?