PHPAuction

Security, malware, viri--you've got to keep your eyes open

Postby Dark Shadow » 03/05/09, 8:50 am

Alright guys, I have a few PHP auctions deployed and I just have to say that it leaves a lot to be desired as far as security goes. In the last 3 years we have deployed PHPAuction, it has proved itself to be one of the most insecure scripts of all time and has been taken advantage of repeatedly. We even have an XL install ($445) that has been repeatedly hacked even with the latest updates to the point where we have had to shut down the site until we can switch software packages.

Do not be seduced by the features... it is an inferior product.
Dark Shadow
Senior Member (Entitled To Root Beer)
 
Posts: 860
Joined: 12/09/01, 12:00 am

Postby JohnT » 03/05/09, 2:13 pm

I commend you for coming forth on the matter of being "HAD".....repeatedly. 8)
"A man may be a fool and not know it, but not if he is married."
JohnT
BIG GIANT HEAD I Get Free Beer
 
Posts: 2486
Joined: 12/03/01, 12:00 am
Location: Vladivostok, Russia

Postby Dark Shadow » 03/05/09, 2:30 pm

It isn't like I deployed additional versions after the first security breach, but unlike most php applications such as phpBB, there has been no improvement in security from updates. 99% of all phpauction updates are to increase features, not to patch security holes which I have had to do myself.
Dark Shadow
Senior Member (Entitled To Root Beer)
 
Posts: 860
Joined: 12/09/01, 12:00 am

Postby SOD » 03/06/09, 3:33 am

is a HAD more secure than a GET?
It is better to be here than there - SOD
SOD
BIG GIANT HEAD I Get Free Beer
 
Posts: 5284
Joined: 12/06/01, 12:00 am
Location: here and there

Postby Gerry » 03/06/09, 8:56 am

No, but I hear it's more secure than SOD

What sort of security holes were in the product Dark? Btw you started off writing it as "PHP auctions" which gives the impression that your post will be about PHP being insecure and not a specific auction product.
Gerry
BIG GIANT HEAD I Get Free Beer
 
Posts: 5727
Joined: 12/04/01, 12:00 am
Location: Perth, Western Australia

Postby JohnT » 03/06/09, 9:05 am

SOD wrote:is a HAD more secure than a GET?


You can be secure in the fact that when you've been "HAD" someone has "GOT". 8)
"A man may be a fool and not know it, but not if he is married."
JohnT
BIG GIANT HEAD I Get Free Beer
 
Posts: 2486
Joined: 12/03/01, 12:00 am
Location: Vladivostok, Russia

Postby Dark Shadow » 03/07/09, 11:16 pm

Gerry wrote:No, but I hear it's more secure that SOD

What sort of security holes were in the product Dark? Btw you started off writing it as "PHP auctions" which gives the impression that your post will be about PHP being insecure and not a specific auction product.


Sorry about the confusion. The product is PHPauction ( http://www.phpauction.net ) and the security issues begin with the requirement of having several configuration files and folders chmoded to 777 so that the software can write configuration information to those files and drop temp files into those folders. In my world, 777 is just not acceptable on any public file or folder.

From there it just gets worse. Uploaded input does not get checked for malformed information. For example, pictures are not checked to make sure they are actually photos, csv uploaded data does not get checked for things such as <? ?> tags, sql injection, escape strings, etc... In fact, mysql_real_escape_string doesn't appear anywhere in the code and regular user input isn't checked for special characters. The list goes on and on.

To be blunt... it is fantastic for features, but a horrible nightmare for security. On the XL version, the company had purchased the open source version of it, and I spent 2 weeks re-coding massive sections just to eliminate obvious flaws in the programming.
Dark Shadow
Senior Member (Entitled To Root Beer)
 
Posts: 860
Joined: 12/09/01, 12:00 am
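The three weaknesses Dark Shadow lists (world-writable config paths, uploads never checked to be real images, CSV data concatenated into SQL with no escaping) each have a small, standard fix. The script below is an added example written for this thread; it is not PHPAuction's code and does not claim to match its file layout. The config path, the table name and the CSV rows are constructed for the demo; it runs from the command line with the pdo_sqlite and fileinfo extensions, which ship with PHP.

```php
<?php
// Added example, not PHPAuction code. Paths, table and sample data are constructed.
declare(strict_types=1);

/**
 * 1. World-writable (777) files and folders.
 *    Returns the subset of $paths whose mode grants write access to "other".
 *    A deployment check like this catches the 777 requirement before go-live.
 */
function worldWritablePaths(array $paths): array
{
    $bad = [];
    foreach ($paths as $p) {
        if (file_exists($p) && (fileperms($p) & 0002) !== 0) {
            $bad[] = $p;
        }
    }
    return $bad;
}

/**
 * 2. Uploaded "pictures" must actually be images.
 *    Decide from the file bytes (finfo + getimagesize), never from the
 *    extension or the client-supplied MIME type in $_FILES.
 */
function isRealImage(string $tmpPath, array $allowed = ['image/jpeg', 'image/png', 'image/gif']): bool
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if (!in_array($finfo->file($tmpPath), $allowed, true)) {
        return false;
    }
    // getimagesize() parses the image header and returns false on non-image data.
    return @getimagesize($tmpPath) !== false;
}

/**
 * 3. CSV rows reach the database only through a prepared statement, so a
 *    quote, a "<?php" tag or a stray ";" is stored literally and cannot
 *    change the query. Malformed rows are rejected rather than guessed at.
 *    (Output later still needs htmlspecialchars(); this only covers SQL.)
 */
function importCsvRows(PDO $db, string $csvText): int
{
    $db->exec('CREATE TABLE IF NOT EXISTS items (title TEXT NOT NULL, price REAL NOT NULL)');
    $stmt = $db->prepare('INSERT INTO items (title, price) VALUES (:title, :price)');
    $count = 0;
    foreach (preg_split('/\R/', trim($csvText)) as $line) {
        $fields = str_getcsv($line);
        if (count($fields) !== 2 || !is_numeric($fields[1])) {
            continue; // wrong column count or non-numeric price: skip the row
        }
        $stmt->execute([':title' => $fields[0], ':price' => (float) $fields[1]]);
        $count++;
    }
    return $count;
}

// ---- demo with constructed data ----
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Row 2 carries a quote, a fake SQL comment and a PHP tag; row 3 is malformed.
$csv = "Vintage radio,25.00\n\"Lamp'; --<?php ?>\",10\nbroken row\n";
echo importCsvRows($db, $csv), " rows imported\n";   // 2 rows imported
echo $db->query('SELECT title FROM items WHERE price = 10')->fetchColumn(), "\n"; // stored verbatim

// A text file pretending to be a picture.
$fake = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($fake, "<?php ?> not a picture");
echo isRealImage($fake) ? "accepted\n" : "rejected: not an image\n";  // rejected
unlink($fake);

// A config directory with the 777 mode the post objects to.
$dir = sys_get_temp_dir() . '/phpauction_cfg_demo';
@mkdir($dir);
chmod($dir, 0777);
print_r(worldWritablePaths([$dir, __FILE__]));   // lists $dir (and this file only if it is 777)
chmod($dir, 0755);
rmdir($dir);
```

The point of the permission check is that an application which needs 777 to write its own configuration is asking for a writable path in the web root; the usual mitigation is to make those paths owned by the web server user with 0750/0640 modes and keep writable temp directories outside the document root. The image check and the prepared statement replace, respectively, the missing upload validation and the absent mysql_real_escape_string() that the post describes.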
