Comments on What's up with webmastersite.net?
Forum Regular
Usergroup: Customer
Joined: Jan 11, 2006
Total Topics: 48
Total Comments: 166
Thanks for the info. I'm not nearly as concerned about someone spamming me with the contact admin. If a member were to be spamming with the 'email a link', or anything allowing freely entered email addresses, that should be easy enough to catch in the server logs and dealt with pretty quickly I guess.
One of the image generation scripts I've worked with in python simply injects 'noise' into the image which throws off OCR attacks.
Something that might be worth considering is a simple logic puzzle, where it's not a matter of simply copying something. E.g. 6 + 9 with the 'code' being the sum. Randomize the math between +, -, / and maybe * and then the numbers.
One of the things with the daily change of the code, as it is now (still?) someone can submit a whole lot of stuff before the code changes, all they need to do is fetch it once a day manually no matter how hard it is for bots.
I guess like spam, hackers and the like -- if you get targeted by a skilled hacker they'll succeed probably. Most of us probably only need to worry about the premade scripts to exploit specific weaknesses, that can be passed around and require no talent to use.
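The arithmetic puzzle suggested above, and the point about a code that stays valid all day being fetched once and reused, are combined in this added example. It is not code from the forum or from the WSN scripts; it assumes a single-process in-memory store (a real site would keep the pending answer in the session or a shared cache), a hidden-field token per form, and a short expiry so one fetched answer cannot be replayed for a day's worth of submissions.

```python
import random
import secrets
import time

# Operators the puzzle draws from; "/" is constrained to exact integer results.
OPS = ("+", "-", "*", "/")


def make_challenge(seed=None):
    """Return (question_text, integer_answer) for one arithmetic puzzle.

    `seed` exists only for reproducible demos; leave it None in production so
    the OS entropy source is used.
    """
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    op = rng.choice(OPS)
    if op == "/":
        # Build the dividend from divisor * quotient so the answer is whole.
        b = rng.randint(2, 9)
        answer = rng.randint(1, 9)
        a = b * answer
    else:
        a = rng.randint(1, 20)
        b = rng.randint(1, 20)
        if op == "-" and b > a:
            a, b = b, a  # keep subtraction answers non-negative
        answer = {"+": a + b, "-": a - b, "*": a * b}[op]
    return f"{a} {op} {b}", answer


class ChallengeStore:
    """Outstanding challenges, keyed by a random token (in-memory, assumption)."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._pending = {}  # token -> (answer, expires_at)

    def issue(self, now=None, seed=None):
        """Create a fresh puzzle. The token is embedded in the form; the answer
        never leaves the server."""
        now = time.time() if now is None else now
        question, answer = make_challenge(seed)
        token = secrets.token_urlsafe(16)
        self._pending[token] = (answer, now + self.ttl)
        return token, question

    def verify(self, token, submitted, now=None):
        """True only if the token is known, unexpired and the answer matches.
        The token is consumed on first use, so a correct answer cannot be
        replayed across many submissions (the weakness of a daily code)."""
        now = time.time() if now is None else now
        entry = self._pending.pop(token, None)
        if entry is None:
            return False
        answer, expires_at = entry
        if now > expires_at:
            return False
        try:
            return int(str(submitted).strip()) == answer
        except ValueError:
            return False

    def purge_expired(self, now=None):
        """Housekeeping so abandoned forms do not accumulate forever."""
        now = time.time() if now is None else now
        self._pending = {t: v for t, v in self._pending.items() if v[1] >= now}


if __name__ == "__main__":
    store = ChallengeStore(ttl_seconds=120)
    tok, question = store.issue()
    print(f"What is {question}?")
    print("accepted" if store.verify(tok, input("Answer: ")) else "rejected")
```

The per-token expiry and single use are what change the economics: with a daily code, one manual fetch unlocks unlimited posting until midnight, whereas here every submission needs a fresh puzzle solved within the window.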
developer
Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California
Total Topics: 61
Total Comments: 7868
All the attachments directories chmoded to 777 on this site were apparently hacked at the end of December... it's possible there's no real problem with formemail.php and it's the files left by the hacker that were the problem. I don't see how they could've been uploaded through the scripts, the files weren't renamed or extensions stripped as the script does. Google suggests that 777 directories can be vulnerable on some shared hosts. I'm making it so that in 3.3.8 the attachments directory can be renamed to something else so an attacker doesn't know where to find it.
Edit: Thanks to a report on WSN Gallery I've figured out there is a vulnerability in the script which is allowing an attacker to gain access (not a vulnerability in the upload utility, but it enabled the person to do actions such as uploading). It's safer to not publicize the exact nature of it, but will be fixed in 3.3.8 (and next versions of each script) so note that it's quite important to upgrade.
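The two signs described in the post above (world-writable attachment directories, and files that still carry a server-side extension the upload script would have stripped) can be checked for routinely. The following audit is an added example, not code from the forum or from the WSN scripts; the list of extensions, the directory layout and the file names in the demo are constructed assumptions, and the check flags an executable extension anywhere in the name (for instance `x.php.jpg`), which is stricter than the post requires.

```python
import os
import stat
import tempfile

# Extensions a typical shared-host web server may execute (assumed list; adjust
# to the handlers your server actually enables).
SERVER_EXECUTABLE = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar",
                     ".pl", ".cgi", ".sh"}


def audit_attachments(root):
    """Walk `root` and return a sorted list of (kind, path) findings.

    kind is one of:
      world-writable-dir   anyone on the host can drop files here (e.g. chmod 777)
      world-writable-file  anyone on the host can modify the file
      executable-ext       name contains an extension the web server may run,
                           which the upload script should have stripped
    """
    findings = []
    if os.stat(root).st_mode & stat.S_IWOTH:
        findings.append(("world-writable-dir", root))
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            p = os.path.join(dirpath, d)
            if os.stat(p).st_mode & stat.S_IWOTH:
                findings.append(("world-writable-dir", p))
        for f in filenames:
            p = os.path.join(dirpath, f)
            if os.stat(p).st_mode & stat.S_IWOTH:
                findings.append(("world-writable-file", p))
            # Every dotted suffix counts, so double extensions are caught too.
            suffixes = {"." + s for s in f.lower().split(".")[1:]}
            if suffixes & SERVER_EXECUTABLE:
                findings.append(("executable-ext", p))
    return sorted(findings)


def build_demo_tree(base):
    """Constructed sample layout (not real site data): the weak 777 directory
    beside a corrected 755 one, a properly renamed upload, a stray script of
    the kind the post describes, and a world-writable file."""
    weak = os.path.join(base, "attachments")
    ok = os.path.join(base, "attachments_ok")
    os.makedirs(weak)
    os.makedirs(ok)
    os.chmod(weak, 0o777)  # the setting from the post
    os.chmod(ok, 0o755)    # corrected: only the owner writes
    files = {
        "attachments/1234_upload": (b"GIF89a", 0o644),        # renamed, extension stripped
        "attachments/left_behind.php": (b"<?php //\n", 0o644),  # not produced by the script
        "attachments/notes.txt": (b"todo\n", 0o666),          # world-writable file
        "attachments_ok/5678_upload": (b"GIF89a", 0o644),
    }
    for rel, (content, mode) in files.items():
        path = os.path.join(base, rel)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)  # set explicitly so the demo ignores the umask


def demo():
    """Run the audit on the constructed tree; paths are reported relative to
    the temporary base so the result does not depend on its name."""
    with tempfile.TemporaryDirectory() as base:
        build_demo_tree(base)
        return [(kind, os.path.relpath(p, base)) for kind, p in audit_attachments(base)]


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:20s} {path}")
```

Run it against the real attachments directory with `audit_attachments("/path/to/attachments")` from a cron job; an empty result is the expected state, and a `world-writable-dir` finding is the condition the post links to the December compromise on shared hosts.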