Re: allow_url_fopen ini directive not enough

On Fri, 10 Dec 2004 22:00:43 +0000, KJ <kelvinj@xxxxxxxxx> wrote:
> Let me try to paint another simple scenario:
> 
> 1. You have a shared hosting account with example.com hosted on it.
> 2. You want a guestbook setup on it, and you've found one that you like.
> 3. You install "phpMyFantasticGuestbook" onto your account.
> 4. It's a well used application and thus you don't go through the source
> to check for vulnerabilities.

It's usually the popular scripts that get cracked most often; Google
for PHPNuke or vBulletin exploits, for example.  Subscribe yourself to
some security lists and read for a couple weeks.  They just sit around
all day and discuss cracking web apps back and forth until someone
finds a vulnerability.

> 5. Joe Hacker has studied the script coz he's a tart that wants to piss
> people off and he has found a vulnerability.
> 6. Joe Hacker uses the vulnerability to change your account passwd. He
> then logs in as you and deletes all your files. He has access to your
> mysql password which was in the config file of phpMyFantasticGuestbook

Why would you allow your MySQL user to connect from anywhere besides
your web server?  Remote MySQL connections are a big no-no.

> and he deletes all your data, he then leaves a nice index.php in your
> account to say that he's been by.

Hope you had backups.  You did have backups, right?

> This is what I'm talking about, I hope this is clear. The vulnerability I
> described in one of my previous posts.
> 
> The "worry" that I'm expending comes from being hacked twice using this
> method, I think the amount of worry expended is in line with the amount
> of frustration that I have endured.

Sorry to hear that, I'd recommend you stop using
phpMyFantasticGuestbook immediately.  And anything else you don't feel
paranoid about to audit.

I'm no web app cracker but I'm as paranoid as they get when it comes to
security.  Find yourself some security conscious friends.  Hang out.
Learn.


-- 
Greg Donald
Zend Certified Engineer
http://gdconsultants.com/
http://destiney.com/
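The point Greg makes about remote MySQL connections can be checked and enforced directly on the database server. The following is an added example, not code from this thread or from any guestbook project: it audits for accounts that may connect from any host and re-creates the guestbook's account so it is only usable from the web server itself. The account name `guestbook`, the database `guestbook_db`, and the placeholder password are assumptions for illustration.

```sql
-- Added example (not from the thread): restrict a web app's MySQL account to
-- local connections only. Names below are assumed: 'guestbook' account,
-- 'guestbook_db' database, placeholder password.

-- 1. Audit: list accounts whose Host is not the local machine. Anything with
--    Host = '%' or a remote address is reachable with nothing but the
--    credentials found in an application's config file.
SELECT User, Host
FROM mysql.user
WHERE Host NOT IN ('localhost', '127.0.0.1', '::1');

-- 2. Remove the over-broad account if it exists (IF EXISTS needs MySQL 5.7+;
--    on older servers drop it unconditionally after confirming it in step 1).
DROP USER IF EXISTS 'guestbook'@'%';

-- 3. Re-create the account bound to localhost, with only the privileges the
--    guestbook needs on its own database rather than global ones.
CREATE USER 'guestbook'@'localhost' IDENTIFIED BY 'REPLACE_WITH_A_STRONG_PASSWORD';
GRANT SELECT, INSERT, UPDATE, DELETE ON guestbook_db.* TO 'guestbook'@'localhost';
FLUSH PRIVILEGES;

-- 4. Verify: the account should appear exactly once, with Host = 'localhost',
--    and its grants should be limited to guestbook_db.
SELECT User, Host FROM mysql.user WHERE User = 'guestbook';
SHOW GRANTS FOR 'guestbook'@'localhost';
```

On a shared host where the database runs on the same machine as the web server, pairing this with `bind-address = 127.0.0.1` under `[mysqld]` in the server configuration stops MySQL listening on external interfaces at all, so a leaked config file password is only useful to someone who already has code execution on that box. Re-running the step 1 query after the change should return no rows for the guestbook account.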

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
