Urgent security issue: FlashChat (the one from tufat.com)
Started by thejake420, September 04, 2006, 08:35:29 AM

thejake420

Mod, please move this to the most appropriate forum. Considering the potential danger level of this issue, I felt that it was appropriate to mention it in here, as there are 35,000 webmasters in here, all of whom obviously use PHP scripts on their servers.

This is not specifically Coppermine-related, and GauGau will probably give me a foot in the rump for posting it here, but it affects a lot of Coppermine users, as many of us have a "Forum, Gallery, Chatroom" layout on our sites. The exploit is currently being used mostly to simply deface a page or pages of a site, but it grants the ability to place BAD files on your server, so if somebody really wanted to, this could very easily become a "read your passwords from your PHP files and wipe out your entire site" exploit.

At any rate, here's the security warning, as I've been posting it to a couple of forums I frequent, including my host's forum... The script's vulnerability is being exploited left and right (several thousand sites have been defaced in the last couple of days.)

Note to CPG users... the .htaccess thing below isn't a bad idea for you even if you don't use this script.

The developer has provided an upgrade that fixes the issue.

------------------------------

There's a serious exploit that takes advantage of FlashChat (from tufat.com, also known as "Darren's $5 script archive"). The exploiters are systematically attacking every site they can find that uses this script. (Unwelcome visitors can find you on Google too, you know...)

I've investigated the exploit, and I strongly recommend that you immediately upgrade this script to version 4.6.2, as the older versions of this script have been exploited several thousand times, all within the last few days. Also, lock down any unused (or not currently being used, etc.) directories via .htaccess so that they are not accessible from anywhere but your domain. (This is generally a good idea anyway.)

Your .htaccess file

Order Deny,Allow
Deny from all


Look here for .htaccess assistance:
http://httpd.apache.org/docs/1.3/mod/mod_access.html#order

Updated script (version 4.6.2) is available to current FlashChat (tufat.com) customers at:
http://www.tufat.com/download.php

The service announcement about the update is available here:
http://forum.tufat.com/showthread.php?t=24619


Jake
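
Added example (not part of Jake's post or of the FlashChat/Coppermine code): a small Python model of how Apache 1.3 mod_access evaluates Order/Deny/Allow, following the semantics in the linked mod_access documentation, so you can check what a .htaccess like the one above actually does for a given client before relying on it. It assumes the client hostname is supplied by the caller (Apache would get it via reverse DNS) and covers the "all", IP, partial-IP, CIDR/netmask and domain-suffix forms.

```python
import ipaddress

# The lock-down snippet from the post above: denies every client.
DENY_ALL_HTACCESS = "Order Deny,Allow\nDeny from all\n"

def _matches(rule, client_ip, client_host=None):
    """True if one Allow/Deny argument (mod_access syntax) matches the client."""
    rule = rule.lower()
    if rule == "all":
        return True
    try:
        # full IP (192.0.2.7), CIDR (10.0.0.0/8) or network/netmask form
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule, strict=False)
    except ValueError:
        pass
    if rule.replace(".", "").isdigit():
        # partial IP: leading octets, e.g. "10.1" matches 10.1.x.x
        return client_ip.startswith(rule.rstrip(".") + ".")
    if client_host is None:
        return False          # domain rules need a resolved hostname
    host, dom = client_host.lower(), rule.lstrip(".")
    return host == dom or host.endswith("." + dom)

def evaluate(htaccess, client_ip, client_host=None):
    """Return True if mod_access would grant the request, False if it would deny."""
    order, allow, deny = "deny,allow", [], []   # Deny,Allow is Apache's default
    for line in htaccess.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "order":
            order = parts[1].lower()
        elif directive in ("allow", "deny") and parts[1].lower() == "from":
            (allow if directive == "allow" else deny).extend(parts[2:])
    allowed = any(_matches(r, client_ip, client_host) for r in allow)
    denied = any(_matches(r, client_ip, client_host) for r in deny)
    if order == "deny,allow":
        # Deny first, then Allow; default is allow, and an Allow match overrides Deny
        return allowed or not denied
    if order in ("allow,deny", "mutual-failure"):
        # Allow first, then Deny; default is deny, and a Deny match overrides Allow
        return allowed and not denied
    raise ValueError(f"unknown Order: {order}")
```

The common pitfall this makes visible: "Order Deny,Allow" with only Allow lines (no "Deny from all") still admits everyone, because the default in that order is allow.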

Joachim Müller

Quote from: thejake420 on September 04, 2006, 08:35:29 AM
This is not specifically Coppermine-related, and GauGau will probably give me a foot in the rump for posting it here
Exactly: this is not related to Coppermine at all. Reporting issues with other web-driven applications that are not related to Coppermine at all (not even in terms of bridging) is just irrelevant and beyond the scope of what this board is meant for. We'd be flooded with thousands of security warnings if we allowed this, as there's a myriad of web apps and subsequently a lot of security issues related to those apps.
Post warnings that impact Windows on forums that deal with Linux and see what will happen with your posting. ::)

Quote from: thejake420 on September 04, 2006, 08:35:29 AM
Mod, please move this to the most appropriate forum.
The only sub-board that comes to mind is the crap bin.

Quote from: thejake420 on September 04, 2006, 08:35:29 AM
as there are 35,000 webmasters in here, all of whom obviously use PHP scripts on their servers.
[...]
as many of us have a "Forum, Gallery, Chatroom" layout on our sites.
Many webmasters like eating pizza. Does this mean that you will post warnings here if doctors advise that eating pizza is bad for your health?

There are many sites that deal exclusively with warnings like yours. Webmasters who are concerned about security should read up on issues there, and maybe subscribe to the newsletters those sites offer. This forum doesn't deal with flaws in other applications.

Marking accordingly and locking.

Joachim