#1 |
Raise Your Weapon
Industry Role:
Join Date: Jun 2003
Location: Outback Australia
Posts: 15,605
|
As some of you will know I updated TGPX to be compatible with later versions of PHP
https://github.com/rjkmelb/TGPX-Updated

People are using this version with good results.

Several people asked that TubeX be updated, however the script is ancient and would require a lot of work to update, but more importantly there is a fundamental flaw in TubeX that opens up serious vulnerabilities if you are running it on PHP 5.5 or below. An additional more serious security vulnerability presents itself when using PHP 5.3.

For obvious reasons I'm not going to post the precise details of the way to exploit these but my advice to anyone using TubeX is to abandon TubeX as soon as possible.

The risks:

PHP 5.3
- Remote code execution which allows the attacker to run arbitrary code with the privileges of the user account on which TubeX is installed.
- SQL injection which allows the attacker to modify your database
- File system modification which allows the attacker to write files to the root directory of the TubeX installation including replacing files like .htaccess
- XSS cross site scripting vulnerability which allows the attacker to inject client-side code into pages viewed by users of your site

PHP 5.5
- SQL injection which allows the attacker to modify your database
- XSS cross site scripting vulnerability which allows the attacker to inject client-side code into pages viewed by users of your site (can be minimised see below)

THERE IS NOTHING THAT CAN BE DONE TO RECTIFY THESE ISSUES WITHOUT A MAJOR CODE UPDATE!

If you are running Apache with PHP 5.5 the following code should be added to the top of your .htaccess file

Code:
```apache
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
</IfModule>
```

I know that there are several forums on which people are maintaining JMB Software scripts however TubeX is beyond hope IMHO. It's dangerous to have on your system if you are running PHP 5.3 and risky to have on your system if you are running PHP 5.5

Note: I have NOT tested these issues on PHP 5.6 and don't intend to.
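A check that the three headers from the .htaccess snippet in post #1 are actually being served, since an `<IfModule mod_headers.c>` block is skipped without any error when mod_headers is not loaded. This is an added example, not part of the original post; the function names are hypothetical and both sample responses are constructed.

```python
# Header name (lower-case) -> value set by the .htaccess snippet in post #1.
EXPECTED = {
    "x-xss-protection": "1; mode=block",
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
}


def parse_headers(raw_response):
    """Return {lower-case name: [values]} from the header block of a raw HTTP response."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive and may repeat
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(raw_response):
    """Map each expected header to 'ok', 'missing' or 'mismatch: <values seen>'."""
    seen = parse_headers(raw_response)
    report = {}
    for name, want in EXPECTED.items():
        values = seen.get(name)
        if not values:
            report[name] = "missing"
        elif all(v.lower() == want.lower() for v in values):
            report[name] = "ok"
        else:
            report[name] = "mismatch: " + ", ".join(values)
    return report


# Constructed sample: the snippet is in effect.
WITH_HEADERS = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "X-XSS-Protection: 1; mode=block\r\nx-frame-options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n\r\n<html></html>"
)
# Constructed sample: the snippet has no effect (for instance mod_headers is not
# loaded) and something else on the host sets a different X-Frame-Options.
NOT_APPLIED = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "X-Frame-Options: DENY\r\n\r\n<html></html>"
)

if __name__ == "__main__":
    for label, raw in (("applied", WITH_HEADERS), ("not applied", NOT_APPLIED)):
        print(label, audit(raw))
```

To run it against your own site, pass the output of `curl -si` for one of your pages to `audit()`.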
#2 |
Industry Role:
Join Date: Aug 2006
Location: Little Vienna
Posts: 32,235
|
I suppose it was a good call to make my own tube script instead of using TubeX.
|
#3 |
Confirmed Asshole
Industry Role:
Join Date: Feb 2003
Location: Half way between sobriety and fubar.
Posts: 12,722
|
That or use one that's being updated constantly by the owner
__________________
“If we are to have another contest in the near future of our national existence, I predict that the dividing line will not be Mason and Dixon's but between patriotism and intelligence on the one side, and superstition, ambition and ignorance on the other.” -- Ulysses S. Grant |
#4 |
Raise Your Weapon
Industry Role:
Join Date: Jun 2003
Location: Outback Australia
Posts: 15,605
|
bumping this as I realise I posted this on a US holiday
|