[mythtv-users] Hacked?
Dave Bush
statman at twcny.rr.com
Mon Aug 16 10:01:28 EDT 2004
Kevin Kuphal wrote:
> Isaac Richards wrote:
>
>> Err, mysql obviously wasn't running open on the machine.
>
> I was hit by probably the same exploit and it isn't an open MySQL
> problem but rather the fact that the programmer of PHP-Nuke did not do
> any input checking on the ratings system. Basically, the code that
> receives a submit for a rating takes the number "5" to mean a 5 star
> story. But it never checks if 5 is the input but simply appends it to
> the end of a SQL statement. It is then a simple task to submit "5';
> INSERT BLAH BLAH BLAH INTO STORIES" and generate your own SQL to
> insert a bogus story or whatever you want. It's a simple patch and
> readily available online.
Interesting. I always assumed it was my MySQL setup not exactly having
the most robust security.
Thanks for the tip,
- Dave
--
Dave Bush - statman at twcny.rr.com
There are two seasons in my world - Hockey and Construction
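
The flaw described in the quoted message, as an added example that is not part of the original thread and is not PHP-Nuke's code. It uses Python with an in-memory SQLite database; the table names, function names and the submitted string are constructed assumptions, and it shows the unchecked concatenation beside a version that validates the rating and binds it as a parameter.

```python
import re
import sqlite3

def make_db():
    # Constructed in-memory schema; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE stories (sid INTEGER PRIMARY KEY, title TEXT);"
        "CREATE TABLE votes (sid INTEGER, score INTEGER);"
        "INSERT INTO stories (title) VALUES ('Real story');"
    )
    return db

def rate_unchecked(db, sid, score):
    # The pattern described in the quoted message: the submitted value is
    # appended to the statement as-is. executescript() stands in for a
    # driver that accepts several statements in one call.
    db.executescript(
        "INSERT INTO votes (sid, score) VALUES (" + sid + ", '" + score + "')"
    )

def rate_checked(db, sid, score):
    # 1. Validate: score must be a single digit 1-5, sid a short decimal id.
    if not (re.fullmatch(r"[1-5]", score) and re.fullmatch(r"[0-9]{1,9}", sid)):
        raise ValueError("rejected rating submission")
    # 2. Bind: values travel as parameters, never as SQL text.
    db.execute("INSERT INTO votes (sid, score) VALUES (?, ?)",
               (int(sid), int(score)))

def story_titles(db):
    return [r[0] for r in db.execute("SELECT title FROM stories ORDER BY sid")]

def votes(db):
    return db.execute("SELECT sid, score FROM votes").fetchall()

# Constructed submission in the shape quoted above: a valid score, then a
# second statement.
BOGUS = "5'); INSERT INTO stories (title) VALUES ('Bogus story'); --"

if __name__ == "__main__":
    db = make_db()
    rate_unchecked(db, "1", BOGUS)
    print("unchecked:", story_titles(db))
    db = make_db()
    try:
        rate_checked(db, "1", BOGUS)
    except ValueError as exc:
        print("checked:", exc, story_titles(db))
```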