14071
The Lounge / Re: How long
« on: June 18, 2010, 02:45:22 PM »
Well, I had an SM forum hacked a while back. Saved the code just because.
Anyway, apparently PHP will read code from any source, even an image file. The hackers hacked an image file, gave it a header then filled the rest with SQL code. They then created an account, uploaded the image as their avatar, and when anyone looked at the thread, the code executed.
I'm not sure exactly if it could run with anyone or if an administrator had to view it for the permissions but in any case, it inserted code into the Database, gave someone superadmin, and they were able to do anything they wanted.
So just saying...
On server avatar uploads = Bad.
Anyway, apparently PHP will read code from any source, even an image file. The hackers hacked an image file, gave it a header then filled the rest with SQL code. They then created an account, uploaded the image as their avatar, and when anyone looked at the thread, the code executed.
I'm not sure exactly if it could run with anyone or if an administrator had to view it for the permissions but in any case, it inserted code into the Database, gave someone superadmin, and they were able to do anything they wanted.
So just saying...
On server avatar uploads = Bad.