In my spare time I like to review free PHP scripts. This is a log of my findings.
Section skip links: Guestbooks, Fanlisting Management Scripts, FAQ/Ask & Answer Scripts, Forms/Form Mailers/Auto Forms, Directory Scripts, Miscellaneous
Guestbooks
Script skip links: Simpbook, XueBook
SimpBook
SimpBook, one of the old CodeGrrl scripts, not only contains a cross site scripting vulnerability (as with PHPFanBase/etc) but also has no validation of user input which is inserted straight into the database. This means that anyone can insert JavaScript, PHP, HTML, into the database which can be used to interfere with the script and wipe your databases. (This can occur even when “allow HTML” is turned off in the options).
I consider this script: very insecure!
XueBook
XueBook has known SQL injection issues in index.php. The script isn’t available for download anymore and is definitely not updated, but there are still copies out there. Although this exploit requires a little more knowledge than standard lack of input code injection attacks, it’s still dodgy.
I consider this script: insecure!
Safe Alternatives
Fanlisting Management/Related Scripts
Script skip links: PHPFanBase, Enthusiast 3.1, phpKIM’D
PHPFanBase (all versions)
PHPFanBase, even with the publicised fixes, has SQL injection issues that an amateur could abuse because of the way unapproved members are added to the database. Although PHPFanBase can be patched with the CodeGrrl protection.php update, register_globals off fix and my updated join.php file, the script is old and it is not worth taking the risk.
I consider this script: very insecure!
Enthusiast (up to 3.0)
The early versions of Enthusiast 3 have a major flaw in the admin login code which allows anyone to manipulate the login cookie gaining immediate access (with permissions to delete entire fanlistings) as well as a lack of input validation in show_join.php — fixes however are available for both issues from the official Enthusiast site. Enth2 suffers from the same issues: do not be a stubborn arse, upgrade to the latest version.
I consider this script: insecure!
phpKIM’d
phpKIM’d, based on the insecure PHPFanBase, is more seriously flawed than the original code. My PHPFanBase join fix is half-heartedly applied to join.php with not a word of thanks (gotta love working my ass off for nothing) but is only made more irritating by the fact that it hasn’t been done properly: the clean_up() function has been applied to the $_POST data but instead of the clean new variables being sent via mail, the $_POST data is still being used. This allows all sorts of meta/header injection business to go on in the e-mails. The script uses a plain text cookie with the password on clear view and what’s worse: data is passed to an “$id” variable which is both checked against the database AND echoed to the browser: two major areas open to SQL injection and exploit.
I consider this script: very insecure!
Safe Alternatives
BellaBuffs, Enthusiast 3.1+
BellaBuffs can be converted into a KIM list as a replacement for phpKIM’d (if you’re into that sort of thing) by deleting the countries from the .txt file and replacing them with your list of fanlistings — ask at The Fanlistings forum for help.
FAQ/Question Scripts
Script skip links: faqtastic, Waks Ask & Answer, TinyQ&A
Faqtastic
I blogged about the issues in Faqtastic, including unsanitised input issues and a whole crapload of undeclared variable errors). Efforts have been made to fix these errors since the original entry but bugs and issues still remain
I consider this script: insecure!
Waks Ask & Answer
Waks Ask and Answer script — which (sadly enough) is being redistributed by several hundred people — is known by many to be insecure. The script has uncleaned data passed to the form via the $_GET superglobal array (i.e. via the url which anyone can maliciously edit to inject data into files), each question is stored without any decent sanitisation and it requires a directory CHMODed to 777 which can be used to execute “hacker’s” files and is generally unsafe.
I consider this script: very insecure!
TinyQ&A
TinyQ&A seems to be plagued with similar issues to the Simpbook (no surprise, they were written by the same person). There is an attempt at sanitisation using str_replace() on < and >, but that leaves a multitude of other characters to inject and a register_globals dependant IP which I can manipulate via the script URL. The index page of the script looks like it’s open to SQL injection with no sanitisation of data being passed back and forth.
I consider this script: very insecure!
Safe Alternatives
PHP Forms/Form Mailers/Auto Forms
Script skip links: aMAILzing, PHPMailForm, DodosMail, RRmail
aMAILzing
aMAILzing — another “inexistant” script — lacks validation in all but one of the fields which gives plenty of room for mass header injection, has file upload capability but no checks which would allow multiple virus uploads and relies on register_globals. I’ve had multiple reports of people being suspended by their hosts because of the spam being sent through aMAILzing.
I consider this script: very insecure!
PHPFormMail
PHPFormMail, a stormynights.org script, is incredibly susceptible to header injection (which is how spam e-mails are sent). It has no validation of user input (not even an e-mail address regex check to verify the ‘sender’), and relies on register_globals to send the visitor IP. What makes these major blunders worse is that data is sent straight to the browser after it’s been e-mailed and you can use that as an opportunity to execute ‘dodgy’ code/etc. The stormynights scripts are old and AREN’T updated anymore, so don’t expect this or the issues in the other stormynights scripts to be fixed.
I consider this script: very insecure!
DodosMail
DodosMail (all versions) have some basic header injection protection but not enough for my liking. $_POST is checked for “Content-Type:” but strpos() is case sensitive, so one could easily use “content-type:”. What’s more, you don’t need to use Content-Type to forge headers and spam the crap out of people (just use bcc:). The e-mail address is checked for new lines, but not the name which is added to the current headers and could be exploited. The script sends data back to the browser when there’s an error without any sanitisation (which is the worst time to do so — before the data has passed all checks!)
I consider this script: insecure!
RRmail
I almost feel a bit daft for including this one as it’s less a script and more a couple of lines copied from the PHP manual. That said, the naivety of the “script” author is astounding and needs highlighting. The readme included states that the script is unsafe, and that “Forms may be sent to spam/junk boxes
“. This grossly underestimates the damage that the script can do: a very basic injection of mail headers will enable the form to be used as a gateway for spam… thousands of mails a minute. This would ultimately, where mail is reported as spam, cause the originating server to be blacklisted affecting every person on it.
I consider this script: very insecure!
Safe Alternatives
Secure PHP mail form, NL-PHPMail
Directories/Clique Scripts
Script skip links: SimpleDir, Link Up Free, TCG Admin
SimpleDir
Ouch. When I was first asked about SimpleDir I took a quick look and thought “hmm, some possibility for SQL injection perhaps”. I quickly took it all back: there is definite SQL injection possibilities. The page add.php not only SELECTs data from the database using non-sanitised data, but it INSERTs the data with no checks, no strip_tags, no empty field warnings. Of all the scripts I have reviewed for this post this script is one of the worst. It’s no wonder people are constantly complaining about being spammed using SimpleDir: the fact is they’re lucky they haven’t been hacked.
I consider this script: very insecure!
Link Up Free
Link Up Free (and I guess the paid version, which is apparently identical) is susceptible to more complex SQL injection through the search box, executing any code that is entered due to a lack of sanitisation. However, more worrying is rate.php which passes $_POST data straight to the database and is easier to manipulate by beginner script kiddies.
I consider this script: very insecure!
TCG Admin (early version)
This script is absolutely awful in terms of security. Just like SimpleDir it has multiple SQL injection vulnerabilities, no data validation of any sort and relies on register_globals to INSERT data in join.php. Another major issue is the insertion of an unsanitised e-mail directly into e-mail headers: hugely insecure and incredibly easy for spammers to exploit.
I consider this script: very insecure!
Safe Alternatives
Miscellaneous
Script skip links: OhNo!, Domesticat’s skinning tutorial, Cutenews
OhNo! 2.1
OhNo! the trouble checking script has the same login issue as Enthusiast 3.0 which allows people to log in without knowing your password. OhNo! 2.2 and 2.3 fixes the core issue rendering the script much more secure, but have a static salt which is virtually useless in cookie theft situations.
I consider this script: insecure!
Domesticat skinning tutorial
The Domesticat skinning script/snippet that is so commonly redistributed has a couple of issues (not security related, but worth mentioning nonetheless): $_REQUEST should be replaced with $_GET/$_COOKIE and the three lots of setcookie() aren’t needed (you can safely delete the first two). The second $skin=$newskin; is also redundant and can be removed.
Cutenews
Cutenews is by far the worst script I have ever had the misfortune of downloading. It has more holes than a pair of fishnet stockings. If you like multiple cross-site scripting vulnerabilities that have been published all over the Internet, or fancy getting your pages injected with PHP and other malicious code, then download Cutenews today! I’m kidding; no, really, do yourself and your server a favour and stay as far away from Cutenews as possible.
I consider this script: more holey than the bible!
Disclaimer
Note: by providing links to what I consider “safe alternatives” I am by no means implying that these scripts do not have issues, or will never have security problems of their own. New bugs are being found all the time. The difference between a crap script and a good script is down to the coder/developer — if they’re not willing to protect their users as much as possible by updating the scripts whenever issues are found, then their scripts are obviously crap. That said, just because a script isn’t here doesn’t automatically make it safe to use. *insert legal mumbo jumbo about liability/etc here*
0 Comments
1 Pingback