[mythtv-users] Hacked?
Kevin Kuphal
kuphal at dls.net
Mon Aug 16 09:38:59 EDT 2004
Isaac Richards wrote:
>On Monday 16 August 2004 12:51 am, Dave Bush wrote:
>
>
>>My guess is some kiddie familiar with PHP-Nuke found the MySQL database
>>open to the world and inserted his own story. Happened to me on a site I
>>used to operate for a local jr. hockey team, and it was very simple to
>>fix. Took longer to make sure MySQL was secure (like five minutes or
>>less with the Webmin interface) than it did to remove the offending story.
>>
>>
>
>Err, mysql obviously wasn't running open on the machine.
>
>
I was hit by probably the same exploit and it isn't an open MySQL
problem but rather the fact that the programmer of PHP-Nuke did not do
any input checking on the ratings system. Basically, the code that
receives a submit for a rating takes the number "5" to mean a 5 star
story. But it never checks if 5 is the input but simply appends it to
the end of a SQL statement. It is then a simple task to submit "5';
INSERT BLAH BLAH BLAH INTO STORIES" and generate your own SQL to insert
a bogus story or whatever you want. It's a simple patch and readily
available online.
Kevin
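
The flaw described in the message above, next to a corrected handler, as an added example that is not part of the original post and is not PHP-Nuke's code. It is written in Python, with an in-memory SQLite database standing in for the site's PHP/MySQL setup; the table names, function names and sample payload are constructed for illustration.

```python
import sqlite3

# Constructed input, shaped like the payload quoted in the post.
PAYLOAD = "5; INSERT INTO stories (title) VALUES ('constructed bogus story')"


def make_db():
    """In-memory SQLite database standing in for the site's MySQL tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE stories (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE tally (story_id INTEGER, stars INTEGER, total INTEGER);
        INSERT INTO stories (title) VALUES ('real story');
        INSERT INTO tally VALUES (1, 1, 0), (1, 2, 0), (1, 3, 0), (1, 4, 0), (1, 5, 0);
    """)
    return db


def rate_unchecked(db, rating):
    """The flaw: the submitted rating is appended to the SQL text unchecked."""
    sql = "UPDATE tally SET total = total + 1 WHERE story_id = 1 AND stars = " + rating
    # executescript() models a driver that runs several ';'-separated statements.
    db.executescript(sql)


def rate_checked(db, rating):
    """Hardened: allow-list the value, then bind it as a query parameter."""
    if rating not in {"1", "2", "3", "4", "5"}:
        raise ValueError("rating must be a whole number from 1 to 5")
    db.execute("UPDATE tally SET total = total + 1 WHERE story_id = 1 AND stars = ?",
               (int(rating),))
    db.commit()


def story_count(db):
    return db.execute("SELECT COUNT(*) FROM stories").fetchone()[0]


def five_star_total(db):
    return db.execute("SELECT total FROM tally WHERE story_id = 1 AND stars = 5").fetchone()[0]


if __name__ == "__main__":
    bad, good = make_db(), make_db()
    rate_unchecked(bad, PAYLOAD)
    try:
        rate_checked(good, PAYLOAD)
    except ValueError as err:
        print("rejected:", err)
    print("stories after unchecked:", story_count(bad), "after checked:", story_count(good))
```

The allow-list alone stops this input; the bound parameter keeps the value out of the SQL text even if the validation is later loosened.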