Topic: KNOWN HOLES IN SCRIPT (Read 2017 times)
757jterrell (Administrator, Hero Member)
« on: July 06, 2010, 03:44:16 AM »

Hello all,

In this thread we are going to talk about known holes in the script and what files need to be removed, or the actions needed to remove those holes.

UpdateDB.php: This is an old file that allows people to add stuff to your database. It should be removed immediately if it's on your site. If you have a maderite script it is most likely in there. All SDR scripts have had this file removed and we usually remove it when a site is upgraded. However, all owners should check to ensure that this file is not on their site. The file is located in the public folder.

help.php: This is a recent hole that was discovered. It allows people to gain access to your cpanel. Remove it immediately. It is located in the public folder. We are working on a new file that does the same thing without creating a hole and will post it in the fix section once it's done.

EDIT: A new help file was added to the SDR 2 script, so it's not a problem on them and up. It has also been added to the SDR Basic.

config.php: This file needs to have its permissions set to 0644. Please check to ensure that it is not set to 0777, as that will allow people to upload stuff into their accounts.

If other files are discovered that create holes or problems, we will post them.

EDIT: Also, when you are done setting up your site's settings, please make sure that you close the hole on includes/settings.php and lock your settings. It should be changed from 0777 to 0644 once your settings are set up.


« Last Edit: December 05, 2010, 11:14:02 AM by 757jterrell »
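
The following audit script is an added example for this thread, not part of the SDR/Aurora script or anything the author posted. It checks a site root for the four items the first post lists (UpdateDB.php and help.php present in the public folder; config.php and includes/settings.php not locked to 0644) and can apply the fixes. It assumes the "public folder" is the web root you pass as the first argument (for example public_html); the function names and the 644-only rule are this example's own choices. Per the later replies, only remove help.php if your script predates the update that shipped a help.php without the hole.

```shell
#!/bin/sh
# Added audit/hardening helper; not part of the SDR/Aurora script itself.
# Checks a site root ($1) for the items listed in the first post:
#   - UpdateDB.php and help.php in the public folder (should be gone)
#   - config.php and includes/settings.php set to 0644, never 0777
# Assumption: the "public folder" is the web root you pass in (e.g. public_html).

# Return 1 and print a finding if a file that should have been removed is present.
check_removed() {
    # $1 = site root, $2 = path relative to it
    if [ -e "$1/$2" ]; then
        echo "FINDING: $2 is still present; remove it (or replace it with the fixed version)"
        return 1
    fi
    return 0
}

# Portable octal mode of a file: GNU stat first, BSD/macOS stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 1 and print a finding if a config file is not 0644.
check_mode() {
    # $1 = site root, $2 = path relative to it
    f="$1/$2"
    if [ ! -e "$f" ]; then
        echo "skip: $2 not found"
        return 0
    fi
    mode=$(file_mode "$f")
    if [ "$mode" != "644" ]; then
        echo "FINDING: $2 has mode $mode, expected 644"
        return 1
    fi
    return 0
}

# Run every check; exit status 0 means no findings.
audit_site() {
    rc=0
    check_removed "$1" UpdateDB.php || rc=1
    check_removed "$1" help.php || rc=1
    check_mode "$1" config.php || rc=1
    check_mode "$1" includes/settings.php || rc=1
    return "$rc"
}

# Apply the fixes from the post: delete the two files, lock both configs to 0644.
# Only remove help.php if your script predates the updates that shipped a safe one.
harden_site() {
    rm -f "$1/UpdateDB.php" "$1/help.php"
    for f in config.php includes/settings.php; do
        [ -e "$1/$f" ] && chmod 0644 "$1/$f"
    done
    return 0
}

# Usage: sh audit_site.sh /path/to/public_html
if [ $# -gt 0 ]; then
    audit_site "$1"
fi
```

Run the audit first and read the findings before running harden_site; the audit is read-only, so it is safe to run on a live site and on each backup copy you keep off the server.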

cARRIE (Administrator, Hero Member)
« Reply #1 on: July 06, 2010, 06:05:04 PM »

Thanks a lot for this topic.
help.php removed. config.php already had 644 permission.

gsbux (Full Member)
« Reply #2 on: July 29, 2010, 06:00:26 AM »

Thanks JT, unfortunately I had all three holes in GSBux.

Fixed them, thanks again.
757jterrell (Administrator, Hero Member)
« Reply #3 on: September 16, 2010, 10:44:47 PM »

Big bug in the Swap Referrals to Cash addon: it allows members to get the bonus without transferring the referral. Please deactivate this addon until we get a fix posted.

Edit: Fix has been posted here for all SDR 2 and SDR 1 series with it before the 9-15-10 update:

http://auroraadmintraining.info/index.php/topic,875.0.html
« Last Edit: September 18, 2010, 11:08:00 PM by 757jterrell »

Addons (Full Member)
« Reply #4 on: September 17, 2010, 03:54:58 PM »

Big bug in the Swap Referrals to Cash addon: it allows members to get the bonus without transferring the referral. Please deactivate this addon until we get a fix posted.

Thanks for the info

757jterrell (Administrator, Hero Member)
« Reply #5 on: September 18, 2010, 11:07:08 PM »

Fix for the Swap Referrals to Cash add-on is provided here:

http://auroraadmintraining.info/index.php/topic,875.0.html

It is also fixed in the SDR 2 9-15-10 update.
« Last Edit: September 18, 2010, 11:41:56 PM by 757jterrell »

divemaster (Newbie)
« Reply #6 on: December 21, 2010, 06:11:52 PM »

Hi, I found these; do I need to delete them? /public_html/help.php and /public_html/admin2/help.php. Are they a breach of security? And how, just right-click and delete them? And I was reading somewhere that it said it's not a good idea to keep your backups on cpanel; where would you keep them, on your PC?
cARRIE (Administrator, Hero Member)
« Reply #7 on: December 22, 2010, 10:19:57 AM »

Replace only the public_html/help.php file with this file:
http://auroraadmintraining.info/index.php/topic,583.0.html
admin2/help.php is fine.

Never keep the backup files in the public_html folder; they are damn easy to download. The best place for backups is your PC.

757jterrell (Administrator, Hero Member)
« Reply #8 on: December 22, 2010, 11:23:24 AM »

The help file was updated to a newer version that does not create a hole on the SDR 2 in the 9-15-10 update and on the SDR Basic in the 11-15-10 update. If your scripts have not been updated to these versions, then you should replace the help.php file. The admin2 one is OK.

chicoi08 (Full Member)
« Reply #9 on: April 04, 2011, 11:50:54 AM »

I accidentally deleted my backupDB.php

Can anyone upload it? thanks!

cARRIE (Administrator, Hero Member)
« Reply #10 on: April 04, 2011, 11:59:21 AM »

I accidentally deleted my backupDB.php

Can anyone upload it? thanks!

Here it is
backupDB.zip

chicoi08 (Full Member)
« Reply #11 on: April 04, 2011, 12:08:45 PM »

Here it is
backupDB.zip

Thank you cARRIE.

cARRIE (Administrator, Hero Member)
« Reply #12 on: April 05, 2011, 07:24:26 AM »

You're welcome.