WebHSP Community Forums
Author Topic: Noah's Classified via Fantastico  (Read 3583 times)
testube
« on: September 22, 2006, 07:43:47 PM »

I had just installed this script on one of my servers via Fantastico, and was playing around with it a bit, but had to visit their forum to see how to tweak part of it. While on the forum, I noticed a few scary things about it...primarily a link to this page:
http://www.frsirt.com/english/advisories/2006/0703

Solution:
---------
There is no vendor supplied patch for this issue.
From the vendor's website:
"Currently, we are completely overloaded with our
running projects, and we don't have enough time to deal with our free
products. The further development and support of Noah's
Classifieds is therefore suspended.
Thank you for the understanding and please forgive us
that we are not responding to the emails."

Nonetheless, I looked into their scripting a bit and it is A MESS. A hack to fix this would take me more time than it would be worth. (Most of the commenting is in Hungarian??)

I just wanted to warn others of these vulnerabilities and the fact that the author isn't planning on supporting it in any way. You may want to steer clear of this one. I would even suggest that WebHSP remove it from the Fantastico options, if possible. This is a disaster just waiting to happen.

Does anyone know of a stable and secure alternative? I'm thinking that a CMS may do the trick, with a bit of tweaking, but it would be nice to find something that was a quick setup, as Noah's had appeared to be.

Thanks in advance!
- Jeff
http://www.spellingsearch.com
WHSP-Mark M
« Reply #1 on: September 22, 2006, 08:04:38 PM »

Hi Jeff,

Thank you very much for the heads up on this matter. There are certainly a large variety of concerns with this program. I have checked on the netenberg.com forums (the company that makes Fantastico) and it seems there are a large number of bugs with this program and they are currently considering marking it as deprecated.

In the meantime, we see that there is a rule out for our mod_security installation to protect our servers and clients from this type of SQL injection attack and we will be implementing this rule over the next couple of days.

Best Regards,
Mark,
WebHSP Support
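As an added illustration of the kind of mod_security "virtual patch" Mark describes, here is a rule in ModSecurity 2.x syntax. It is written for this page and is not WebHSP's, Netenberg's, or the advisory's actual rule; the /classifieds/ install path, the rule id 900001 and the token pattern are all assumptions, and the 1.x releases current in 2006 used the older SecFilterSelective directives instead of SecRule.

```apache
# Added illustrative ModSecurity 2.x virtual patch, not WebHSP's actual rule.
# Assumptions: Noah's Classifieds is installed under /classifieds/ and
# rule id 900001 is unused in the rest of the configuration.
<LocationMatch "^/classifieds/">
    SecRuleEngine On
    # Normalise each GET/POST argument (URL-decode, lowercase) and then look
    # for common SQL injection tokens. Phase 2 runs after the request body
    # has been read, so POST fields are inspected as well as query strings.
    SecRule ARGS "(?:union\s+(?:all\s+)?select|\bor\b\s+\S+\s*=\s*\S+|--|/\*|;\s*(?:drop|insert|update|delete)\b|benchmark\s*\(|sleep\s*\()" \
        "id:900001,phase:2,t:urlDecodeUni,t:lowercase,deny,status:403,log,msg:'SQL injection pattern in classifieds argument'"
</LocationMatch>
```

Run this with `SecRuleEngine DetectionOnly` first and watch the audit log: tokens such as `--` or `or x = y` can appear in legitimate classified-ad text, so the pattern needs tuning against real traffic before it is allowed to deny. A rule like this only masks one attack vector; the unchecked variables and password handling Jeff mentions are untouched, and with the vendor having suspended support, removing the script remains the real fix.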
testube
« Reply #2 on: September 24, 2006, 06:52:14 AM »

Thanks, Mark.

Just wanted others to know before anything happened to someone...I saw more than just SQL injections listed as possible threats...too many unchecked variables, password hacks, etc.

Thanks again for your prompt response,

Jeff
WHSP-Mark M
« Reply #3 on: September 25, 2006, 01:13:33 PM »

Hi Jeff,

It is never a problem. If you should have any more questions or concerns, then do let us know.

As well if we hear of any more developments with regards to this script we will certainly let you know.

Regards,
Mark