Thread: Script security

  1. #1
    Junior Member
    Join Date
    Mar 2004
    Posts
    5

    Script security

    I cannot stress how important it is to continue to update and patch your scripts as new versions are released. Lately there have been issues with phpBB and that is getting quite a few domains suspended as their security holes are allowing simply horrific activities to occur on our servers (even beginning DoS attacks on other servers). We will not tolerate this and this type of activity is very easy to catch, which will result in an immediate suspension of the offending domain. Every customer is held entirely responsible for what occurs on/from their accounts.
    I'm not sure I understand the issue. Are these problems with scripts that could be installed by cpanel? Obviously the average user will consider scripts installed by the provider to be inherently "safe".

    Clearly, security issues can emerge with old versions of the scripts. If you want us to patch/update, it would be much more effective to start a new announcement thread saying: "Script BLAH has a security hole. Please update to version DUH."

    As we monitor announcements, we'd be able to remedy fast and the vague threats like:

    Every customer is held entirely responsible for what occurs on/from their accounts.
    would not be necessary.

    Thanks

  2. #2
    Senior Member Buddha's Avatar
    Join Date
    Mar 2004
    Location
    Florida USA
    Posts
    825

    SecurityFocus VULNERABILITIES

    phpBB:

    2004-11-24: PHPBB Login Form Multiple Input Validation Vulnerabilities
    2004-11-24: PHPBB Viewtopic.PHP SQL Injection Vulnerability
    2004-11-23: PHPBB Admin_cash.PHP Remote PHP File Include Vulnerability
    2004-11-22: PHPBB Remote URLDecode Input Validation Vulnerability
    2004-08-06: phpBB Login.PHP Cross-Site Scripting Vulnerability
    2004-07-19: PHPBB Search.PHP "search_author" Cross-Site Scripting Vulnerability
    2004-07-19: PHPBB Multiple HTTP Response Splitting Vulnerabilities
    2004-07-19: PHPBB Linked Avatar SQL Injection Vulnerability
    2004-07-16: PHPBB Multiple Unspecified SQL Injection Vulnerabilities
    2004-07-16: PHPBB Multiple Cross-Site Scripting Vulnerabilities
    2004-07-13: PHPBB Common.php IP Address Spoofing Vulnerability
    2004-04-19: PHPBB album_portal.php Remote File Include Vulnerability
    2004-04-07: PHPBB Privmsg.PHP SQL Injection Vulnerability
    2004-03-25: PHPBB Search.PHP Search_Results Parameter SQL Injection Vulnerability
    2004-03-25: PhpBB admin_words.php Multiple Vulnerabilities
    2004-03-25: phpBB profile.php avatarselect Cross-Site Scripting Vulnerability
    2004-03-25: phpBB Multiple Input Validation Vulnerabilities
    2004-03-17: PHPBB ViewTopic.PHP "postorder" Cross-Site Scripting Vulnerability
    2004-03-13: PHPBB ViewTopic.PHP "postdays" Cross-Site Scripting Vulnerability
    2004-03-13: PHPBB ViewForum.PHP "topicdays" Cross-Site Scripting Vulnerability
    2004-03-01: phpBB Privmsg.PHP Cross-Site Scripting Vulnerability
    2004-01-28: phpBB GroupCP.PHP SQL Injection Vulnerability
    2003-12-24: phpBB search.php SQL Injection Vulnerability
    2003-11-13: phpBB Profile.PHP SQL Injection Vulnerability
    2003-09-18: PHPBB URL BBCode HTML Injection Vulnerability
    2003-06-28: phpBB Viewtopic.PHP SQL Injection Vulnerability
    2003-06-26: PHPBB Admin_Styles.PHP Theme_Info.CFG File Include Vulnerability
    2003-05-27: phpBB Page Header Remote Arbitrary Command Execution Vulnerability
    2003-02-19: PHPBB Auth.PHP File Disclosure Vulnerability
    2003-02-19: PHPBB2 Page_Header.PHP SQL Injection Vulnerability
    2003-01-17: phpBB2 privmsg.php SQL Injection Vulnerability
    2002-12-09: phpBB search.php Cross Site Scripting Vulnerability
    2002-11-26: PHPBB2 ViewTopic.PHP Cross Site Scripting Vulnerability
    2002-11-25: phpBB Script Injection Vulnerability
    2002-10-28: phpBB2 Unauthorized Administrative Access Vulnerability
    2002-10-09: PHPBB2 Avatar Images Information Disclosure Vulnerability
    2002-06-17: PHPBB2 Install.PHP Remote File Include Vulnerability
    2002-05-27: PHPBB2 Image Tag HTML Injection Vulnerability
    2002-04-04: PHPBB BBCode Denial Of Service Vulnerability
    2002-04-04: PHPBB BBCode Database Corruption Vulnerability
    2002-03-27: PHPBB2 'phpbb_root_path' Remote File Include Vulnerability
    2002-03-27: PHPBB Image Tag User-Embedded Scripting Vulnerability
    2001-10-09: PHPBB 'bb_memberlist.php' Remote SQL Query Manipulation Vulnerability
    2001-08-13: phpBB Unauthorized Administrative Features Access Vulnerability
    2001-08-03: PHPBB Remote SQL Query Manipulation Vulnerability


    Advanced Guestbook:

    2004-12-06: Advanced Guestbook Cross-Site Scripting Vulnerability
    2004-05-19: Advanced Guestbook Password Parameter SQL Injection Vulnerability


    PHP-Nuke:

    Never mind, too damn long!

    Check out Bugtraq too.
    "Whatcha mean I shouldn't be rude to my clients?! If you want polite then there will be a substantial fee increase." - Buddha

  3. #3
    Administrator AndrewT's Avatar
    Join Date
    Mar 2004
    Location
    Tulsa, OK
    Posts
    3,641

    As Buddha has pointed out, there are other sites that are much better at explaining and keeping up-to-date on vulnerabilities. We cannot possibly cover every script here; it is your responsibility to patch/upgrade your scripts as needed.

  4. #4
    Senior Member sdjl's Avatar
    Join Date
    Mar 2004
    Location
    London, UK.
    Posts
    502

    It should be common practice for any "webmaster" or developer to update their scripts when a new version comes out.

    David
    -----
    Do you fear the obsolescence of the metanarrative apparatus of legitimation?
