[mythtv-users] Hacked?

Isaac Richards ijr at po.cwru.edu
Mon Aug 16 11:19:23 EDT 2004


On Monday 16 August 2004 09:38 am, Kevin Kuphal wrote:
> Isaac Richards wrote:
> >On Monday 16 August 2004 12:51 am, Dave Bush wrote:
> >>My guess is some kiddie familiar with PHP-Nuke found the MySQL database
> >>open to the world and inserted his own story. Happened to me on a site I
> >>used to operate for a local jr. hockey team, and it was very simple to
> >>fix. Took longer to make sure MySQL was secure (like five minutes or
> >>less with the Webmin interface) than it did to remove the offending
> >>story.
> >
> >Err, mysql obviously wasn't running open on the machine.
>
> I was hit by probably the same exploit and it isn't an open MySQL
> problem but rather the fact that the programmer of PHP-Nuke did not do
> any input checking on the ratings system.  Basically, the code that
> receives a submit for a rating takes the number "5" to mean a 5 star
> story.  But it never checks if 5 is the input but simply appends it to
> the end of a SQL statement.  It is then a simple task to submit "5';
> INSERT BLAH BLAH BLAH INTO STORIES" and generate your own SQL to insert
> a bogus story or whatever you want.  It's a simple patch and readily
> available online.

Similar, but different hole.

Isaac
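
The rating-handler flaw described in the quoted message above, modelled as an added example that is not part of the original post and is not PHP-Nuke's code. The schema, function names and input string are constructed for illustration, with Python's sqlite3 standing in for PHP and MySQL.

```python
import sqlite3

def make_db():
    """Constructed in-memory schema: one story with a running rating total."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE stories (id INTEGER PRIMARY KEY, title TEXT, "
               "score INTEGER, votes INTEGER)")
    db.execute("INSERT INTO stories (title, score, votes) "
               "VALUES ('Release notes', 0, 0)")
    return db

def rate_vulnerable(db, story_id, rating):
    # Flawed pattern: the submitted rating is pasted into the statement
    # unchecked. executescript() stands in for a database driver that
    # accepts several statements in one call (an assumption of this model).
    db.executescript(
        "UPDATE stories SET score = score + " + rating +
        ", votes = votes + 1 WHERE id = " + str(story_id)
    )

def rate_hardened(db, story_id, rating):
    # 1) Validate: the rating must be exactly one digit, 1 through 5.
    if not (isinstance(rating, str) and len(rating) == 1 and rating in "12345"):
        raise ValueError("rating must be an integer from 1 to 5")
    # 2) Bind: values travel as parameters, never as SQL text.
    db.execute(
        "UPDATE stories SET score = score + ?, votes = votes + 1 WHERE id = ?",
        (int(rating), story_id),
    )

def story_count(db):
    return db.execute("SELECT COUNT(*) FROM stories").fetchone()[0]

# Constructed input modelled on the "5; INSERT ..." submission quoted above.
CONSTRUCTED_INPUT = ("5 WHERE id = 1; INSERT INTO stories (title, score, votes) "
                     "VALUES ('bogus', 0, 0); --")

if __name__ == "__main__":
    db = make_db()
    rate_vulnerable(db, 1, CONSTRUCTED_INPUT)
    print("vulnerable handler, stories in table:", story_count(db))
    db = make_db()
    try:
        rate_hardened(db, 1, CONSTRUCTED_INPUT)
    except ValueError as err:
        print("hardened handler rejected input:", err)
    print("hardened handler, stories in table:", story_count(db))
```

Either the range check or the bound parameter alone stops this input; keeping both means a later change to one does not reopen the hole.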

