Security Flaw in CG Scripts, Several scripts affected
Sasha
post Nov 16 2005, 01:11 PM
Post #1


Codegrrl Alumni
*****

Group: Loyal Members
Posts: 1,671
Joined: 12-May 03
Member No.: 2



A security flaw has been discovered in several of CodeGrrl's scripts:

FA-PHPHosting, PHPClique, PHPCalendar, PHPCurrently, PHPFanBase, PHPQuotes

New versions of some of the scripts with the flaw fixed have been released here. You do not need to reinstall the whole script, as the only file affected is protection.php. For convenience, we have a fixed version of protection.php available here. The easiest way to secure your scripts:

- Download the fixed protection.php file
- Unzip it
- Replace ALL copies of protection.php on your site with this file (doesn't matter what script it's for)

Alternatively, you can easily patch protection.php yourself:

- Download protection.php and open it up in a program like NotePad
- On the second line, right below <?, add this:

CODE
include("config.php");

Your first four lines will now look like this:
CODE
<?
include("config.php");

$user_passwords = array (

- Save it, and upload it to your site, overwriting the old protection.php

If you have created a script yourself that is based on any of the scripts above, please note that you will have to patch protection.php for those as well.

It is important that you upgrade AS SOON AS POSSIBLE. By not upgrading you are letting your site be vulnerable to hacking. This is now a known flaw to hackers, so they will be actively looking for sites to exploit - please upgrade as soon as possible!

If you know of people who use CodeGrrl scripts but might not have seen this notice, please point them here so they can fix their scripts too - it'd be great if you could help us get the word out.
Our apologies for any inconvenience this may have caused to you.

EDITED: If you are a TwistyBot customer, you do not have to worry about upgrading if you are using any of the standard installs above (without renaming any files, etc) because I am currently fixing all instances of these scripts on our servers. If you have renamed protection.php, please double-check it though, as there is a chance I might have missed it.


--------------------
Take care, Sasha
nothing-less | my sites
Lexa
post Nov 16 2005, 03:39 PM
Post #2


Rank #5: Obsessed
*****

Group: Members
Posts: 376
Joined: 25-February 04
From: UK
Member No.: 833



Oooh excellent smile.gif I've just tried to download protection.php but I can't open the file. I get this error message from my Stuffit Expander: "Unknown zip header format encountered. This Operation cannot continue." So I tried to download the new whole script but I get the same error and when I check the file that's on my computer it contains part of admin.php and nothing else.

I've never seen that error before so I thought you ought to know in case I'm not the only person it affects as this is a really important fix smile.gif


--------------------
Shakespeare's Quill Persiflage


I count myself in nothing else so happy
As in a soul remembering my good friends.
Sasha
post Nov 16 2005, 05:04 PM
Post #3


Codegrrl Alumni
*****

Group: Loyal Members
Posts: 1,671
Joined: 12-May 03
Member No.: 2



Oops sorry about those errors! I am on a Mac, and just zipped them with the "Create Archive" command - are you on a Mac too? If so, can you right-click and choose Open With > BOM Archive Helper? Does it work that way?


--------------------
Take care, Sasha
nothing-less | my sites
Vixx
post Nov 16 2005, 08:07 PM
Post #4


CodeGrrl Administrator
Group Icon

Group: Admin
Posts: 2,419
Joined: 31-December 03
From: UK
Member No.: 657



All scripts have now been removed whilst we work on this.

Apologies for any inconvenience. Please bear with us as we work on making CG a safer place!!


--------------------
V xx

I think. I play. I give. I love. I create. I am.

Geek Goddess Design: Web/Blog Design With A Touch of Geek Chic!!
Hosting with Dreamhost - use the Promo Code CODEGRRLPROMO and save $50!
Lexa
post Nov 16 2005, 09:41 PM
Post #5


Rank #5: Obsessed
*****

Group: Members
Posts: 376
Joined: 25-February 04
From: UK
Member No.: 833



QUOTE(Sasha @ Nov 16 2005, 05:04 PM)
Oops sorry about those errors! I am on a Mac, and just zipped them with the "Create Archive" command - are you on a Mac too? If so, can you right-click and choose Open With > BOM Archive Helper? Does it work that way?

Yep, I'm on a Mac too but my mouse only has one button, so right clicking's out. I've never heard of BOM Archive Helper, hmmmm, I've had a good root around but the only thing I can find is Stuffit, sorry sad.gif Will the temporary fix be enough for now, until I can find a way to open the new file(s)?


--------------------
Shakespeare's Quill Persiflage


I count myself in nothing else so happy
As in a soul remembering my good friends.
Amelie
post Nov 16 2005, 09:43 PM
Post #6


(Not the film)
Group Icon

Group: CodeGrrl Staff
Posts: 5,287
Joined: 14-January 05
From: UK
Member No.: 2,051



CTRL + Click has always worked for me on a one button mouse (does the same thing as right-clicking), but only on OS X - I haven't used any other version of Mac OS for so long that I don't remember...


--------------------
-- Amelie

» N-N.net | RNM.com | NS.net
» Scripts | PHPAskIt fan?

"This is my signature. There are many others like it but only this one is mine."
Sasha
post Nov 17 2005, 12:04 AM
Post #7


Codegrrl Alumni
*****

Group: Loyal Members
Posts: 1,671
Joined: 12-May 03
Member No.: 2



QUOTE(Lexa @ Nov 16 2005, 09:41 PM)
Yep, I'm on a Mac too but my mouse only has one button, so right clicking's out. I've never heard of BOM Archive Helper, hmmmm, I've had a good root around but the only thing I can find is Stuffit, sorry sad.gif Will the temporary fix be enough for now, until I can find a way to open the new file(s)?

Sorry yes, I meant Ctrl-click! BOM Archive Helper is the name of the built-in unzipping utility in Mac OSX. Sometimes files won't unzip with Stuffit, but they'll work fine with the BOM Archive Helper, that's why I asked. smile.gif Stuffit can be buggy, it's not the most stable program I have ever seen.

Try Ctrl-Clicking then, and choosing Open With - see if BOM Archive Helper is in the list. Let me know if that works?


--------------------
Take care, Sasha
nothing-less | my sites
Lexa
post Nov 17 2005, 12:45 AM
Post #8


Rank #5: Obsessed
*****

Group: Members
Posts: 376
Joined: 25-February 04
From: UK
Member No.: 833



Ack! So it's no go then, I'm using OS8.6.


--------------------
Shakespeare's Quill Persiflage


I count myself in nothing else so happy
As in a soul remembering my good friends.
Sasha
post Nov 17 2005, 10:12 AM
Post #9


Codegrrl Alumni
*****

Group: Loyal Members
Posts: 1,671
Joined: 12-May 03
Member No.: 2



QUOTE(Lexa @ Nov 17 2005, 12:45 AM)
Ack! So it's no go then, I'm using OS8.6.

Oh! That would explain it then! Um - would it help if you gave me your email address and I emailed you the unzipped protection.php file? smile.gif


--------------------
Take care, Sasha
nothing-less | my sites
Lexa
post Nov 17 2005, 11:38 AM
Post #10


Rank #5: Obsessed
*****

Group: Members
Posts: 376
Joined: 25-February 04
From: UK
Member No.: 833



Oh, thank you so much <3 I'll PM you smile.gif


--------------------
Shakespeare's Quill Persiflage


I count myself in nothing else so happy
As in a soul remembering my good friends.
Crys
post Nov 18 2005, 06:20 PM
Post #11


Rank #3: Frequent
***

Group: Members
Posts: 72
Joined: 25-June 03
From: Maryland
Member No.: 190



Are these scripts available yet for upgrade? I had seen a message where they were temporarily removed or it was suggested to wait until the security holes were fixed.


--------------------
- Crys (former staffer)

http://tawodi.org

Amelie
post Nov 18 2005, 06:27 PM
Post #12


(Not the film)
Group Icon

Group: CodeGrrl Staff
Posts: 5,287
Joined: 14-January 05
From: UK
Member No.: 2,051



They were available for upgrade, but they have been removed until we can look into the issue further. The fix that Sasha posted will stop the hacking vulnerabilities, but if you want to be even more secure, you can apply some of the solutions in this post which will protect the files even further.

Failing that, turn register_globals off on your server and download Julie's fixed version of PHPFanBase to completely remove the problem. We are working on updating the other scripts to work with register_globals disabled, as this is what the hackers are using to exploit the script. smile.gif


--------------------
-- Amelie

» N-N.net | RNM.com | NS.net
» Scripts | PHPAskIt fan?

"This is my signature. There are many others like it but only this one is mine."
Lowlands Girl
post Nov 18 2005, 08:06 PM
Post #13


Rank #2: Member
**

Group: Members
Posts: 43
Joined: 11-February 05
Member No.: 2,192



I'm confused. I just went in to patch my own file, and it appears that it had already been fixed. Now either my host fixed it without telling me (unlikely, though she's a very nice person), or my version had it fixed already, or I'm just not seeing something. You simply have to replace the first four lines, right?
Amelie
post Nov 18 2005, 08:11 PM
Post #14


(Not the film)
Group Icon

Group: CodeGrrl Staff
Posts: 5,287
Joined: 14-January 05
From: UK
Member No.: 2,051



Some hosts are replacing the files for you. I know Sasha is doing that with her clients, and some others are doing that too - especially those with reseller accounts (since some hosts can hold the reseller responsible for the hackings) - check with your host to see if that's what happened. smile.gif


--------------------
-- Amelie

» N-N.net | RNM.com | NS.net
» Scripts | PHPAskIt fan?

"This is my signature. There are many others like it but only this one is mine."
Jaroo
post Nov 19 2005, 02:48 AM
Post #15


We weren't crazy!
*****

Group: Loyal Members
Posts: 2,769
Joined: 24-February 04
From: Illinois
Member No.: 832



QUOTE(Amelie @ Nov 18 2005, 12:27 PM)
They were available for upgrade, but they have been removed until we can look into the issue further. The fix that Sasha posted will stop the hacking vulnerabilities, but if you want to be even more secure, you can apply some of the solutions in this post which will protect the files even further.

Failing that, turn register_globals off on your server and download Julie's fixed version of PHPFanBase to completely remove the problem. We are working on updating the other scripts to work with register_globals disabled, as this is what the hackers are using to exploit the script. smile.gif

How do you turn register_globals off? blink.gif
Amelie
post Nov 19 2005, 03:11 AM
Post #16


(Not the film)
Group Icon

Group: CodeGrrl Staff
Posts: 5,287
Joined: 14-January 05
From: UK
Member No.: 2,051



Solution #3 in the "Won't log me in" FAQ in reverse wink.gif

Stick this in .htaccess:

CODE
php_flag register_globals off


--------------------
-- Amelie

» N-N.net | RNM.com | NS.net
» Scripts | PHPAskIt fan?

"This is my signature. There are many others like it but only this one is mine."
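A small audit script, added here as an example and not CodeGrrl's own code, that checks the two fixes this thread gives: Sasha's instruction in the first post to put include("config.php"); into every copy of protection.php ahead of the $user_passwords array, and Amelie's php_flag register_globals off in the public_html .htaccess above. It assumes a POSIX shell with find, sed and grep, and that the copies still carry the name protection.php (renamed copies, as in the TwistyBot note, would need a content search instead).

```shell
#!/bin/sh
# Added audit helper (not CodeGrrl's code): report protection.php copies that
# still lack the config.php include, and whether register_globals is turned
# off in the root .htaccess. Assumes POSIX find/sed/grep.

# True when an include of config.php appears before the $user_passwords array,
# the position the advisory gives (line 2). Quotes and require are accepted.
protection_is_patched() {
    sed '/\$user_passwords/q' "$1" |
        grep -Eq "(include|require)(_once)?[[:space:](]*[\"']config\.php[\"']"
}

# Print every protection.php under $1 that is not patched, one path per line.
find_unpatched_protection() {
    find "$1" -type f -name 'protection.php' | while IFS= read -r f; do
        if ! protection_is_patched "$f"; then
            echo "$f"
        fi
    done
}

# True when $1/.htaccess carries "php_flag register_globals off" (any case or
# spacing), the directive recommended above for the public_html directory.
register_globals_off_in_htaccess() {
    [ -f "$1/.htaccess" ] &&
        grep -Eiq '^[[:space:]]*php_flag[[:space:]]+register_globals[[:space:]]+off' \
            "$1/.htaccess"
}

# Human-readable report for a site root.
audit_site() {
    root="$1"
    unpatched=$(find_unpatched_protection "$root")
    if [ -n "$unpatched" ]; then
        printf 'UNPATCHED protection.php copies under %s:\n%s\n' "$root" "$unpatched"
    else
        echo "All protection.php copies under $root include config.php."
    fi
    if register_globals_off_in_htaccess "$root"; then
        echo "register_globals is off in $root/.htaccess."
    else
        echo "WARNING: no 'php_flag register_globals off' in $root/.htaccess."
    fi
}

# Usage: sh audit_cg.sh /home/you/public_html
if [ -n "${1:-}" ]; then
    audit_site "$1"
fi
```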
Jaroo
post Nov 19 2005, 03:12 AM
Post #17


We weren't crazy!
*****

Group: Loyal Members
Posts: 2,769
Joined: 24-February 04
From: Illinois
Member No.: 832



Well, is that per directory? I mean do I have to do that for each fanlisting etc or can I stick it in the main directory and it will apply to all directories?
Amelie
post Nov 19 2005, 03:14 AM
Post #18


(Not the film)
Group Icon

Group: CodeGrrl Staff
Posts: 5,287
Joined: 14-January 05
From: UK
Member No.: 2,051



Put it in your public_html directory and it will apply to everything. smile.gif


--------------------
-- Amelie

» N-N.net | RNM.com | NS.net
» Scripts | PHPAskIt fan?

"This is my signature. There are many others like it but only this one is mine."
Jaroo
post Nov 19 2005, 03:14 AM
Post #19


We weren't crazy!
*****

Group: Loyal Members
Posts: 2,769
Joined: 24-February 04
From: Illinois
Member No.: 832



QUOTE(Amelie @ Nov 18 2005, 09:14 PM)
Put it in your public_html directory and it will apply to everything. smile.gif

Yay I love you <3
Jaroo
post Nov 19 2005, 03:15 AM
Post #20


We weren't crazy!
*****

Group: Loyal Members
Posts: 2,769
Joined: 24-February 04
From: Illinois
Member No.: 832



QUOTE(makehimbeg @ Nov 18 2005, 09:14 PM)
QUOTE(Amelie @ Nov 18 2005, 09:14 PM)
Put it in your public_html directory and it will apply to everything. smile.gif

Yay I love you <3

Ick.. I use Fan Admin so now THAT doesn't work sad.gif Am I gonna have to go back to updating the way I did before Fan Admin?
