PHPAuction

Security, malware, viri--you've got to keep your eyes open
Dark Shadow
Senior Member (Entitled To Root Beer)
Posts: 860
Joined: 12/09/01, 12:00 am

PHPAuction

Post by Dark Shadow » 03/05/09, 8:50 am

Alright guys, I have a few PHP auctions deployed and I just have to say that it leaves a lot to be desired as far as security goes. In the last 3 years we have deployed PHPAuction, it has proved itself to be one of the most insecure scripts of all time and has been taken advantage of repeatedly. We even have an XL install ($445) that has been repeatedly hacked even with the latest updates to the point where we have had to shut down the site until we can switch software packages.

Do not be seduced by the features... it is an inferior product.

JohnT
BIG GIANT HEAD I Get Free Beer
Posts: 2486
Joined: 12/03/01, 12:00 am
Location: Vladivostok, Russia

Post by JohnT » 03/05/09, 2:13 pm

I commend you for coming forth on the matter of being "HAD".....repeatedly. 8)
"A man may be a fool and not know it, but not if he is married."

Dark Shadow
Senior Member (Entitled To Root Beer)
Posts: 860
Joined: 12/09/01, 12:00 am

Post by Dark Shadow » 03/05/09, 2:30 pm

It isn't like I deployed additional versions after the first security breach, but unlike most php applications such as phpBB, there has been no improvement in security from updates. 99% of all phpauction updates are to increase features, not to patch security holes which I have had to do myself.

SOD
BIG GIANT HEAD I Get Free Beer
Posts: 5284
Joined: 12/06/01, 12:00 am
Location: here and there

Post by SOD » 03/06/09, 3:33 am

is a HAD more secure than a GET?
It is better to be here than there - SOD

Gerry
BIG GIANT HEAD I Get Free Beer
Posts: 5727
Joined: 12/04/01, 12:00 am
Location: Perth, Western Australia

Post by Gerry » 03/06/09, 8:56 am

No, but I hear it's more secure than SOD

What sort of security holes were in the product Dark? Btw you started off writing it as "PHP auctions" which gives the impression that your post will be about PHP being insecure and not a specific auction product.

JohnT
BIG GIANT HEAD I Get Free Beer
Posts: 2486
Joined: 12/03/01, 12:00 am
Location: Vladivostok, Russia

Post by JohnT » 03/06/09, 9:05 am

SOD wrote: is a HAD more secure than a GET?
You can be secure in the fact that when you've been "HAD" someone has "GOT". 8)
"A man may be a fool and not know it, but not if he is married."

Dark Shadow
Senior Member (Entitled To Root Beer)
Posts: 860
Joined: 12/09/01, 12:00 am

Post by Dark Shadow » 03/07/09, 11:16 pm

Gerry wrote: No, but I hear it's more secure than SOD

What sort of security holes were in the product Dark? Btw you started off writing it as "PHP auctions" which gives the impression that your post will be about PHP being insecure and not a specific auction product.
Sorry about the confusion. The product is PHPauction ( http://www.phpauction.net ) and the security issues begin with the requirement of having several configuration files and folders chmoded to 777 so that the software can write configuration information to those files and drop temp files into those folders. In my world, 777 is just not acceptable on any public file or folder.

From there it just gets worse. Uploaded input does not get checked for malformed information. For example, pictures are not checked to make sure they are actually photos, csv uploaded data does not get checked for things such as <? ?> tags, sql injection, escape strings, etc... In fact, mysql_real_escape_string doesn't appear anywhere in the code and regular user input isn't checked for special characters. The list goes on and on.

To be blunt... it is fantastic for features, but a horrible nightmare for security. On the XL version, the company had purchased the open source version of it, and I spent 2 weeks re-coding massive sections just to eliminate obvious flaws in the programming.
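The four problems listed above (world-writable config files and folders, picture uploads that are never checked to be pictures, CSV imports taken as-is, and user input reaching SQL without escaping) each have a standard defensive counterpart. The PHP below is an added example written for this thread, not PHPAuction's code or anything from phpauction.net; the table and column names (`auctions`, `seller_id`, `title`, `starting_price`), the 2 MB size limit and the idea of an upload directory outside the web root are assumptions for illustration.

```php
<?php
// Added hardening example, not PHPAuction code. Assumed names: table
// `auctions`, columns `seller_id`, `title`, `starting_price`, and an
// upload directory outside the web root supplied by the caller.
declare(strict_types=1);

// 1. Permissions: list every path under $root whose "other" write bit is set
//    (mode ...7), i.e. the 777 config files and temp folders described above.
function findWorldWritable(string $root): array
{
    $hits = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iter as $path => $info) {
        if ((fileperms($path) & 0002) !== 0) {
            $hits[] = $path;
        }
    }
    return $hits;
}

// 2. Picture uploads: accept only files that the MIME sniffer and the image
//    decoder both recognise, then re-encode through GD so that any bytes
//    appended to a real image (PHP tags included) are discarded.
//    Returns the stored filename, or null when the upload is rejected.
function storePictureUpload(array $file, string $uploadDir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    if ($file['size'] > 2 * 1024 * 1024) {
        return null;                                // assumed 2 MB policy
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ['image/jpeg', 'image/png'], true)) {
        return null;
    }
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        return null;                                // magic bytes matched, but it does not decode
    }
    // Random server-chosen name: the client's filename never reaches the path.
    $name = bin2hex(random_bytes(16)) . ($mime === 'image/png' ? '.png' : '.jpg');
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    $ok = $mime === 'image/png' ? imagepng($img, $dest) : imagejpeg($img, $dest, 85);
    imagedestroy($img);
    return $ok ? $name : null;
}

// 3. CSV imports: parse with fgetcsv and validate every field against an
//    explicit shape. Nothing from the file is evaluated or written into a
//    .php file, so "<? ?>" inside a cell is only text.
function parseAuctionCsv(string $path): array
{
    $rows = [];
    $fh = fopen($path, 'r');
    if ($fh === false) {
        return $rows;
    }
    while (($fields = fgetcsv($fh)) !== false) {
        $title = trim((string) ($fields[0] ?? ''));
        $price = trim((string) ($fields[1] ?? ''));
        if ($title === '' || mb_strlen($title) > 120) {
            continue;                               // reject the row, do not "clean it up"
        }
        if (!preg_match('/^\d{1,8}(\.\d{1,2})?$/', $price)) {
            continue;
        }
        $rows[] = ['title' => $title, 'price' => $price];
    }
    fclose($fh);
    return $rows;
}

// 4. Database writes: a prepared statement with bound parameters instead of
//    string concatenation; this is what the absent mysql_real_escape_string
//    calls would only have been a weaker substitute for.
function insertAuctionItem(PDO $db, int $sellerId, array $row): int
{
    $stmt = $db->prepare(
        'INSERT INTO auctions (seller_id, title, starting_price) VALUES (:seller, :title, :price)'
    );
    $stmt->execute([':seller' => $sellerId, ':title' => $row['title'], ':price' => $row['price']]);
    return (int) $db->lastInsertId();
}

// 5. Output: escape on the way out, so a title containing "<script>" renders as text.
function renderTitle(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
```

The order matters: the permission check is a one-off audit you run after installing, the upload and CSV functions reject rather than sanitise (a rejected row is easier to reason about than a "cleaned" one), the prepared statement removes the need for escaping on the way into the database, and escaping only happens once, at render time.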
