Another Hack on Third-party Script
November 22, 2008 Posted by KP
PHPClassifieds 7.5 has a SQL injection vulnerability. The detailed how-to was posted publicly, which got many classifieds websites hacked. The fix is here.
Other scripts on my server have been hacked before too, such as phpBB and AwStats; this is probably the one security problem that happens on many servers. This makes me wonder what the best way to prevent such hacks is.
When I write my own scripts, I always protect the directory if possible. I also protected AwStats after it was hacked, but never did this for third-party scripts until they had problems. Many third-party scripts put all admin-related files into one directory that only the webmaster uses, so it's obviously much more secure to password protect that directory. Why don't we do it from the beginning? So I went ahead and did this for all applicable websites on my server.
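As an added illustration of the approach above (this is example code, not from the original post or from any of the scripts it names), the script below writes the two files Apache needs to password-protect an admin directory: an `.htaccess` in the directory that turns on HTTP Basic auth, and an `.htpasswd` kept outside the web root. The password hash is Apache's `$apr1$` format, which every Apache release accepts; it is the classic md5-crypt algorithm with a different magic string, so the implementation is checked against the published `$1$` test vector. The realm name, the `/etc/apache2/.htpasswd` path and the username are assumptions for the example. Protecting the directory is a layer on top of patching the script, not a replacement for it.

```python
"""Generate Apache Basic-auth protection for a third-party script's admin directory.

Example code (hypothetical, not from the original post). Produces:
  .htaccess  -> placed in the admin directory, enables Basic auth
  .htpasswd  -> placed outside the web root, holds user:$apr1$... lines
"""
import hashlib
import os
import secrets

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, n: int) -> bytes:
    """Emit n base-64 (crypt alphabet) characters, least significant 6 bits first."""
    out = bytearray()
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(password: str, salt: str, magic: bytes = b"$apr1$") -> str:
    """md5-crypt as used by Apache ($apr1$) and traditional Unix crypt ($1$)."""
    pw = password.encode()
    salt_b = salt.encode().split(b"$", 1)[0][:8]  # at most 8 chars, stops at '$'
    ctx = hashlib.md5(pw + magic + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    n = len(pw)
    while n > 0:  # feed len(pw) bytes of the alternate digest
        ctx.update(alt[: min(16, n)])
        n -= 16
    n = len(pw)
    while n:  # the historic bit-walk over the password length
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000-round stretching
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(salt_b)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    encoded = b"".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    ) + _to64(final[11], 2)
    return (magic + salt_b + b"$" + encoded).decode()


def verify(password: str, stored: str) -> bool:
    """Re-hash with the stored salt and compare in constant time."""
    _, tag, salt, _ = stored.split("$", 3)
    candidate = md5_crypt(password, salt, magic=f"${tag}$".encode())
    return secrets.compare_digest(candidate, stored)


def htpasswd_line(user: str, password: str) -> str:
    """One .htpasswd entry with a random 8-character salt."""
    salt = "".join(secrets.choice(ITOA64.decode()) for _ in range(8))
    return f"{user}:{md5_crypt(password, salt)}"


def htaccess(realm: str, passwd_path: str) -> str:
    """The .htaccess body that makes Apache require a valid user for the directory."""
    return (
        "AuthType Basic\n"
        f'AuthName "{realm}"\n'
        f"AuthUserFile {passwd_path}\n"
        "Require valid-user\n"
    )


def protect_directory(admin_dir: str, passwd_path: str, user: str, password: str) -> None:
    """Write both files; passwd_path must be outside the web root."""
    os.makedirs(admin_dir, exist_ok=True)
    with open(passwd_path, "a") as fh:
        fh.write(htpasswd_line(user, password) + "\n")
    os.chmod(passwd_path, 0o640)
    with open(os.path.join(admin_dir, ".htaccess"), "w") as fh:
        fh.write(htaccess("Admin area", passwd_path))


if __name__ == "__main__":
    import tempfile
    # Assumed paths for a stand-alone run; on a real server use the actual admin
    # directory and a password file outside DocumentRoot (e.g. /etc/apache2/.htpasswd).
    base = tempfile.mkdtemp()
    protect_directory(os.path.join(base, "admin"), os.path.join(base, "htpasswd"), "admin", "s3cret")
    print(open(os.path.join(base, "admin", ".htaccess")).read())
```

On Apache 2.4.4 and later, `htpasswd -B` produces bcrypt hashes, which resist offline guessing far better than `$apr1$`; the generator above is useful where only the older format is accepted or where no `htpasswd` binary is at hand. The `AuthUserFile` must also be readable by the web server user but not served by it, which is why it lives outside the document root.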
Filed Under: Security
December 13th, 2008 at 11:02 am
In my experience, 99% of hacks I see these days are due to old scripts. Who needs to penetrate a user account on a system when they can upload a web shell, upload a script and run it as the web user? There are plenty of juicy things you can do on a system without root.