
Thread: phpFormGenerator 2.09.c vulnerability

  1. #1 (Registered, Ill-annoy)

    phpFormGenerator 2.09.c vulnerability

    A web site I manage was the target of an exploit against phpFormGenerator 2.09.c.
    Below are some links that document the exploit. The information has also been sent to PowWeb support.
    Last edited by IanS; 3-16-12 at 05:04 AM. Reason: Links removed. New members aren't allowed to post links.

  2. #2 (PowWeb Staff, Phoenix, AZ)
    Appreciate the heads-up. I've let management know and imagine they'll contact Simple Scripts to let them know.

  3. #3 (Registered, Ill-annoy)
    I'd like to get things straight, clear as it were. I had 2 sites suspended within the last month (nithunder.com, aipandc.com), both after complaints from a 3rd party about phishing pages hosted on those sites. The only scripts being used on either site were PHP Formgenerator. Both the phishing attempts took advantage of exploits that I found well documented from as far back as at least 2010. Perhaps I should have researched the script more closely before I installed it; live and learn, I guess. Never mind that the script is offered in PowWeb's Install Central package; the ultimate responsibility is mine when using software, even if the assumption is that PowWeb has vetted the software it offers for use. Okay, I can live with that. What I have a hard time understanding is why PowWeb is still offering a script that is vulnerable to remote exploits. I hope the security dept. did not need me to inform them of the documented weaknesses inherent in the PHP Formgenerator script. Having said that, I have to wonder if other users of the script have had similar experiences with it. If so, why is it still being offered? If not, I have to assume that they will sooner or later. This was not a personal attack, just the luck of the draw, as far as I'm concerned. Why host a script that has proven vulnerabilities? Is it that the documented exploits do not threaten PowWeb security and only constitute an issue for individual users? Does the security dept. feel that any problems are easily dealt with by suspending a site and placing the responsibility for any corrections on the users of said script? I hope you can understand the source of my confusion and can offer some glimmer of reason as to why the situation is as it is.

  4. #4 (PowWeb Staff, Phoenix, AZ)
    Quote Originally Posted by ArVee:
    Does the security dept. feel that any problems are easily dealt with by suspending a site and placing the responsibility of any corrections on the users of said script? I hope you can understand the source of my confusion and can offer some glimmer of reason as to why the situation is as it is
    The User Agreement:
    http://www.powweb.com/legal/legal_useragreement.bml
    is actually very clear on who is responsible for apps like this: "Any security risks including, but not limited to, hacking, phishing and information piracy are the sole responsibility of the User."

    That's pretty standard. We didn't write the Form Generator and don't maintain it; we simply provide a means by which you can, if you wish, install it. Doing so, and any issues which result, are really your responsibility. We obviously don't want customers to upload vulnerable applications [believe me, I spend far too much of my day dealing with the fallout and trying to help with the resulting problems], but it's also important to note that PowWeb is not SimpleScripts, and so all I am able to do is pass information like this to the appropriate parties.

    The bottom line is, due diligence. Before you install any third-party app, look into it. See if that's the latest version. Check for reports of vulnerabilities. For an ounce of prevention is definitely better than a ton of cure.

  5. #5 (Registered, Ill-annoy)
    I've already stated that I accept responsibility for the software I use; not a problem. I am just surprised that PowWeb would continue to offer a script that hasn't had its vulnerabilities corrected, presumably by SimpleScripts. Wouldn't it be best practice to re-state the legal niceties and provide users with a clear, specific caution about what may happen if they use the script? I would think that such a policy would lessen the security dept.'s workload, allowing them to concentrate their efforts on issues they consider mission critical... doesn't that make sense? I know PowWeb's staff are not omniscient and all-powerful, and am only asking that, once verified, complaints about scripts offered are widely dispersed and appropriate cautions are presented, when justified. I am requesting that the security dept. become more interactive, in a public way, by offering their best assessment of any piece of software they have verified may pose a danger to users. Such a policy leaves most of the 'legwork' to users, and only requires a response such as I have roughly sketched out, when those pieces of information gathered from users indicate further action is required. I am grateful for all the people working behind the scenes to ensure the integrity and reliability of our data and sites. Things would be chaotic without their efforts; they deserve our appreciation and respect. I am just asking them to re-assess how they interact with users. I believe all would benefit from such a proposed change in our relationship.
    Rick V.

  6. #6 (entrecon, Michigan)
    For the long time members of this forum it has been pretty standard to NOT use any of the provided scripts for multiple reasons. PowWeb is usually behind the curve in getting them updated. Besides, most of the long time members of this forum are a little bit more advanced in their knowledge and prefer the control of installing a script themselves.

    That being said, like ArVee, I am surprised that a script with such a vulnerability is still on Install Central. With all of the newbies who buy hosting here, it is like handing them a real gun and sending them out into a paintball game. There is a certain assumption of safety when something is provided to you.
    ________________________________
    Find me on twitter: @entrecon

  7. #7 (PowWeb Staff, Phoenix, AZ)
    Quote Originally Posted by ArVee:
    I am requesting that the security dept. become more interactive, in a public way, by offering their best assessment of any piece of software they have verified may pose a danger to users. Such a policy leaves most of the 'legwork' to users, and only requires a response such as I have roughly sketched out, when those pieces of information gathered from users indicate further action is required. I am grateful for all the people working behind the scenes to ensure the integrity and reliability of our data and sites. Things would be chaotic without their efforts; they deserve our appreciation and respect. I am just asking them to re-assess how they interact with users. I believe all would benefit from such a proposed change in our relationship.
    Rick V.
    As mentioned before, PowWeb is not SimpleScripts. You may have missed that, when you click on the SimpleScripts icon in the control panel, you are no longer even on powweb.com, but are taken over to SimpleScripts.com. Obviously, we therefore do not have control over what statements are or are not present there.

    What you say certainly makes sense. However, here is really not the best place to submit suggestions, because I'm technical support, not a business relationship manager. Going through the feedback form:
    http://www.powweb.com/support/suggestions.bml
    will get your suggestion in front of more appropriate eyes than posting in a forum.

  8. #8 (Stockbridge, Ga)
    Jim M, can you please take a look at the PM I sent you this evening.
    Thanks.
