October 10th, 2006, 04:01 PM
#1
Member Verified Customer
Join Date: Jan 2005
Posts: 72
showimage.php got hacked...
Webhost shut my site down today.
Someone was running mail through showimage.php
This from my web host:
One of your php scripts got exploited at www.shottalk.com/gallery/showimage.php and was running a lot of mail activity
exploited, but valid email, not spam
root@washington [/var/spool/exim/input]# cat b/1GXJHb-0007W5-C8-H
1GXJHb-0007W5-C8-H
nobody 99 32004
1160493159 0
-ident nobody
-received_protocol local
-body_linecount 25
-auth_id nobody
-auth_sender nobody@washington.hostforweb.net
-allow_unqualified_recipient
-allow_unqualified_sender
-local
XX
1 dbmaster@example.com
154P Received: from nobody by washington.hostforweb.net with local (Exim 4.52)
id 1GXJHb-0007W5-C8
for dbmaster@example.com; Tue, 10 Oct 2006 10:12:39 -0500
025T To: dbmaster@example.com
035 Subject: vBulletin Database Error!
071 X-PHP-Script: www.shottalk.com/gallery/showimage.php for 213.235.5.109
027F From: dbmaster@example.com
058I Message-Id:
038 Date: Tue, 10 Oct 2006 10:12:39 -0500
root@washington [/var/spool/exim/input]# cat b/1GXJHb-0007W5-C8-D
1GXJHb-0007W5-C8-D
Database error in vBulletin 3.6.0:
Invalid SQL:
SELECT posts.postid, posts.pagetext, posts.title, posts.userid, posts.username AS postusername, posts.dateline, posts.ipaddress AS ip, posts.iconid, posts.allowsmilie, posts.showsignature, user.*, userfield.* ,icon.title as icontitle, icon.iconpath ,avatar.avatarpath, NOT ISNULL(customavatar.filedata) AS hascustom, customavatar.dateline AS avatardateline, avatarrevision , level , usertextfield.signature
FROM adv_gallery_posts AS posts
LEFT JOIN user AS user ON (posts.userid = user.userid)
LEFT JOIN userfield AS userfield ON (posts.userid = userfield.userid)
LEFT JOIN avatar AS avatar ON (avatar.avatarid = user.avatarid)
LEFT JOIN customavatar AS customavatar ON (customavatar.userid = user.userid)
LEFT JOIN icon AS icon ON (posts.iconid = icon.iconid)
LEFT JOIN reputationlevel AS reputationlevel ON (user.reputationlevelid = reputationlevel.reputationlevelid)
LEFT JOIN usertextfield AS usertextfield ON (usertextfield.userid = posts.userid)
WHERE imageid = '178' AND posts.visible = 1
ORDER BY posts.dateline
LIMIT 0, 10;
MySQL Error : Unknown column 'level' in 'field list'
Error Number : 1054
Date : Tuesday, October 10th 2006 @ 10:12:39 AM
Script : http://www.shottalk.com/gallery/showimage.php?i=178&c=2
Referrer : http://www.shottalk.com/gallery/browseimages.php?c=2
IP Address : 213.235.5.109
Username : demetri
Classname : vb_database
root@washington [/var/spool/exim/input]#
Joshua Brown
Technical Support
HostForWeb, Inc. http://www.hostforweb.com
And....
Is this a known issue and is there a fix?
Cheers!
October 10th, 2006, 04:25 PM
#2
Member Verified Customer
Join Date: Oct 2006
Posts: 50
you know, this 2.0 gold version has the number of bugs you'd expect to see in an alpha. plus no support so far.
October 10th, 2006, 08:40 PM
#3
Member Verified Customer
Join Date: Jan 2005
Posts: 72
That's not at all reassuring.
Getting my site shut down because of an insecure script means they either find a fix or I start looking for alternatives.
October 12th, 2006, 04:47 PM
#4
Member Verified Customer
Join Date: Oct 2005
Posts: 101
I guess it's kinda hard for them to fix things when it seems Zach is the only one working on this. I wish they would give him some help; this way new features and patches can be applied. Since PhotoPost took this over, it seems as if it's been going downhill, kinda like they're pushing people to get PhotoPost Pro. That seems to get updated more and have much better support. If Zach wasn't upgrading it, I think we still wouldn't have a gallery for 3.6.x.
October 12th, 2006, 04:51 PM
#5
Member Verified Customer
Join Date: Nov 2005
Location: Southern Germany
Posts: 194
An official statement on this security hole (if it really is one) would be nice. Thanks
October 12th, 2006, 04:54 PM
#6
PhotoPost Developer Verified Customer
Join Date: Jan 2002
Posts: 11,858
I've sent Zachery a note on the subject; thank you for the details.
__________________
Please do not PM me for support or sales questions. Thank you for your understanding.
October 12th, 2006, 05:18 PM
#7
Member Verified Customer
Join Date: Oct 2005
Posts: 101
Quote:
Originally Posted by Michael P: I've sent Zachery a note on the subject; thank you for the details.
Is Zachery the only one working on this? Maybe Zachery needs a little help. What's going to happen if Zachery gets burned out coding and quits? Does vbGallery die?
October 12th, 2006, 05:32 PM
#8
Photopost Developer Verified Customer
Join Date: Jun 2002
Location: Abingdon, MD
Posts: 66,802
Our company has specific people who develop specific products and it is set like this so someone does not burn out.
Michael - Photopost Pro
Chuck - Reviewpost and Classifieds
Zach - Photopost vbGallery
On the support end I take care of the majority of any support for Photopost Pro, Reviewpost and Classifieds. Zach and Kevin are supposed to take care of vbGallery support. Now let's give Zach a chance to respond to this thread; he has been notified. More than likely this thread probably got by him the last couple of days. That does happen on any support forum.
October 12th, 2006, 06:02 PM
#9
Registered User Verified Customer
Join Date: Nov 2005
Location: Canoga Park, CA
Posts: 3,243
I am looking into the issue.
Chuck, I was burnt out @ birth
October 12th, 2006, 06:23 PM
#10
Member Verified Customer
Join Date: Oct 2006
Posts: 50
did someone say 'support'?
October 12th, 2006, 07:33 PM
#11
Registered User Verified Customer
Join Date: Nov 2005
Location: Canoga Park, CA
Posts: 3,243
The mass email you are getting is sent when there is an error in MySQL.
- Every page load by a user is shooting an e-mail off to the Admin.
vBulletin
AdminCP => vBOptions => Error Handling & Logging
- Disable Database Error Email Sending
Quote:
If you would like to prevent vBulletin from sending email to the $config['Database']['technicalemail'] address you specified in config.php, set this value to 'Yes'.
1. Error reports about database connection errors will still be sent.
2. It is not recommended that you set this value to 'Yes' unless you are logging database errors to a file. (see above)
To stop your gallery from causing the error, see:
Database Error on showimage (fixed) - August 3rd, 2006, 09:03 AM
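An added example (written for this page, not code from the thread, vBulletin or Exim): a small Python parser for the Exim spool -H file the host quoted in post #1. It slices the length-prefixed headers exactly as the format defines them and pulls out the X-PHP-Script origin, so an admin can confirm from the queue what post #11 explains: the mail is the vBulletin database-error report, sent by showimage.php on every page load. The sample spool file is constructed to match the one quoted above; the envelope-sender line is assumed and the Message-Id header is left out.

```python
import re

# Constructed sample of an Exim spool -H file, modelled on the one quoted in
# post #1 (same headers; continuation lines tab-indented as Exim writes them).
# The envelope-sender line is assumed; the Message-Id header is left out.
SAMPLE_H = (
    "1GXJHb-0007W5-C8-H\n"
    "nobody 99 32004\n"
    "<nobody@washington.hostforweb.net>\n"
    "1160493159 0\n"
    "-ident nobody\n"
    "XX\n"
    "1\n"
    "dbmaster@example.com\n"
    "\n"
    "154P Received: from nobody by washington.hostforweb.net with local (Exim 4.52)\n"
    "\tid 1GXJHb-0007W5-C8\n"
    "\tfor dbmaster@example.com; Tue, 10 Oct 2006 10:12:39 -0500\n"
    "025T To: dbmaster@example.com\n"
    "035  Subject: vBulletin Database Error!\n"
    "071  X-PHP-Script: www.shottalk.com/gallery/showimage.php for 213.235.5.109\n"
    "027F From: dbmaster@example.com\n"
    "038  Date: Tue, 10 Oct 2006 10:12:39 -0500\n"
)

# Each header is "<len><flag> <text>": len counts the text, its newline and any
# folded continuation lines, so slicing by length needs no line heuristics.
HDR_PREFIX = re.compile(r"(\d+)(.) ")

def parse_spool_header(text):
    # Returns message id, envelope recipients and (flag, name, value) headers.
    meta, _, hdr_block = text.partition("\n\n")  # blank line ends the envelope part
    lines = meta.split("\n")
    xx = lines.index("XX")  # "XX": no non-recipient tree (assumed for these mails)
    n_rcpt = int(lines[xx + 1])
    headers, pos = [], 0
    while pos < len(hdr_block):
        m = HDR_PREFIX.match(hdr_block, pos)
        if not m:
            raise ValueError("bad header prefix at offset %d" % pos)
        length, flag = int(m.group(1)), m.group(2).strip()
        name, _, value = hdr_block[m.end():m.end() + length].partition(":")
        headers.append((flag, name.strip(), " ".join(value.split())))  # unfold
        pos = m.end() + length
    return {"message_id": lines[0][:-2],
            "recipients": lines[xx + 2:xx + 2 + n_rcpt], "headers": headers}

def php_origin(info):
    # (script, client IP) from X-PHP-Script, which names the script that sent the mail.
    for _, name, value in info["headers"]:
        if name.lower() == "x-php-script":
            script, _, ip = value.partition(" for ")
            return script, ip
    return None
```

Run over every -H file in the queue and count by script and Subject: a flood of "vBulletin Database Error!" from one script is the application erroring on each request, which is a different problem from a script being used to relay arbitrary mail.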
October 12th, 2006, 07:40 PM
#12
Registered User Verified Customer
Join Date: Nov 2005
Location: Canoga Park, CA
Posts: 3,243
Quote:
Originally Posted by DementedMindz: I wish they would give him some help this way new features and patches can be applied. Since photopost took this over seems as its been going downhill kinda like there pushing people to get photopost pro.
http://www.photopost.com/forum/showp...6&postcount=37
October 12th, 2006, 07:53 PM
#13
Member Verified Customer
Join Date: Oct 2005
Posts: 101
OK then, get to work Zach, lol. Nah man, keep up the good work; can't wait to see what you turn this into. Also, any plans on that media?