GoFuckYourself.com - Adult Webmaster Forum

GoFuckYourself.com - Adult Webmaster Forum (https://gfy.com/index.php)
-   Fucking Around & Business Discussion (https://gfy.com/forumdisplay.php?f=26)
-   -   Tech IMPORTANT! Multiple TubeX Security Vulnerabilities (https://gfy.com/showthread.php?t=1215247)

AdultKing 09-05-2016 12:09 PM
IMPORTANT! Multiple TubeX Security Vulnerabilities
 
As some of you will know I updated TGPX to be compatible with later versions of PHP

https://github.com/rjkmelb/TGPX-Updated

People are using this version with good results.

Several people asked that TubeX be updated, however the script is ancient and would require a lot of work to update, but more importantly there is a fundamental flaw in TubeX that opens up serious vulnerabilities if you are running it on PHP 5.5 or below. An additional more serious security vulnerability presents itself when using PHP 5.3.

For obvious reasons I'm not going to post the precise details of the way to exploit these but my advice to anyone using TubeX is to abandon TubeX as soon as possible.

The risks:

PHP 5.3

- Remote code execution which allows the attacker to run arbitrary code with the privileges of the user account on which TubeX is installed.

- SQL injection which allows the attacker to modify your database

- File system modification which allows the attacker to write files to the root directory of the TubeX installation including replacing files like .htaccess

- XSS cross site scripting vulnerability which allows the attacker to inject client-side code into pages viewed by users of your site

PHP 5.5

- SQL injection which allows the attacker to modify your database

- XSS cross site scripting vulnerability which allows the attacker to inject client-side code into pages viewed by users of your site (can be minimised see below)

THERE IS NOTHING THAT CAN BE DONE TO RECTIFY THESE ISSUES WITHOUT A MAJOR CODE UPDATE!

If you are running Apache with PHP 5.5 the following code should be added to the top of your .htaccess file

Code:
<IfModule mod_headers.c>
  Header set X-XSS-Protection "1; mode=block"
  Header set X-Frame-Options SAMEORIGIN
  Header set X-Content-Type-Options nosniff
</IfModule>
However if you are running PHP 5.3 you should remove TubeX from your system.

I know that there are several forums on which people are maintaining JMB Software scripts however TubeX is beyond hope IMHO. It's dangerous to have on your system if you are running PHP 5.3 and risky to have on your system if you are running PHP 5.5

Note: I have NOT tested these issues on PHP 5.6 and don't intend to.

Klen 09-05-2016 12:58 PM
I suppose it was good call to make my own tube script instead using tubex.

beerptrol 09-05-2016 01:01 PM
Quote:
Originally Posted by KlenTelaris (Post 21144652)
I suppose it was good call to make my own tube script instead using tubex.
That or use one that's being updated constantly by the owner

AdultKing 09-06-2016 05:54 PM
bumping this as I realise I posted this on a US holiday


All times are GMT -7. The time now is 04:59 AM.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2025, vBulletin Solutions, Inc.
©2000-, AI Media Network Inc123