Mr. Reviewer gives you the info you need!
"Get the info you need BEFORE you get stuck with useless software, services or php scripts!"

Article Dashboard Script Proves That Sometimes Free Is Not Good.

By: Mr Reviewer
Submitted 2008-05-28 19:43:39
Requires - PHP & 1 MySQL Database
Price - Free
This Script's Total Rating - The worst is 1 thumbs down, but this script gets 10 thumbs down!

Have you ever wanted to start your own Article Publishing site, but one that would allow even the dumbest script kiddie hacker to break into your admin section and deface your pages with porn and ring tone links?

Has the thought of having an article directory that allows these same hackers to upload pirated software and scripts to your hosting accounts and use it as a download dump, plus install phishing sites to steal others' passwords, been your lifelong dream?

Then, the Article Dashboard script is for you! Seriously folks, this script is bad news for you, but a godsend to hackers around the world. And it's so dangerous, I'm not even going to put a link to their site in this article.

Article Dashboard is one of those dinosaur article publishing scripts that the owners have just never really cared to fix or upgrade in any meaningful way. The front end pages are fairly clean and appealing, and the admin section has the basic article admin functions, like Approve/Decline articles and Edit Author Accounts, but the script is completely encoded with ionCube, except for a few template pages.

The encoding makes redesigning difficult, and fixing the many bugs in the script is impossible except by the owners of the script, who have shown no interest in fixing anything or in protecting the AD script's users.

Article Dashboard has several well-known bugs and exploits in it. One is that anyone can upload very bad things to your site through the article page's URL. In other words, hackers can upload and run hacker scripts and phony phishing sites on your hosting account by adding the path to the bad scripts to the HTTP path of Article Dashboard's article pages. This is called a Remote File Execution exploit.

Another exploit is that anyone can log in to any Article Dashboard user's admin section with a MySQL injection attack. It takes about 1 minute to break in and destroy your Article Dashboard site and any others you may have on that hosting account.

I hate to keep harping on the faults of Article Dashboard, but this script is so bad, and so dangerous for anyone to use, that I can't really review the script, but only warn you away from it. If you have any doubts about what I'm saying, I will include a few links for you to check out, and hopefully avoid all the bad things that will happen if you decide to use this script!

I'm showing the code hackers use to get into your admin section because it's already on most of the security sites (and all the hacker forums) and you can test it for yourself to see how vulnerable the Article Dashboard script really is.

From http://securityreason.com/securityalert/3546

##
# ArticleDashBoard all version SQL Injection Vulnerability
#
# SQL Injection Found by :
#
# ^ Xcross87 | xcross87.info | hcegroup.net #
# Thanks to: ^ RongChauA | reaonline.net | rongchaua.net
#
# Dork : Powered by Article DashBoard
#

################################

##

SQL Injection Vulnerability :

Link admin: http://www.victim.com/[path]/admin/login.php

user | pass = admin'-- | /*

Boomsssssss ! Top right corner.." Logged in as 'admin' "

Note:

+ This source all is encrypted !

+ If admin setup mode: 'New Admin' , move mouse to the New Admin link
you can see the password of the present admin account that you're
logging in.

[^$^] Enjoy
=======================================
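
Why a login form accepts the user/pass pair quoted in the advisory, and what a fixed login looks like: this is an added example, not Article Dashboard's code (which is ionCube-encoded and cannot be inspected). The table, column and function names are hypothetical, and an in-memory SQLite database (PHP's pdo_sqlite extension) stands in for MySQL.

```php
<?php
// Hypothetical login code: the real Article Dashboard source is ionCube-encoded.
$db = new PDO('sqlite::memory:');      // in-memory stand-in for the MySQL database
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// "pass" is a plaintext column used only by the weak version (assumed legacy scheme).
$db->exec('CREATE TABLE admins (username TEXT UNIQUE, pass TEXT, pass_hash TEXT)');
$pw = 'constructed-sample-password';   // constructed sample credential
$db->prepare('INSERT INTO admins VALUES (?, ?, ?)')
   ->execute(['admin', $pw, password_hash($pw, PASSWORD_DEFAULT)]);

// Weak pattern: form input is pasted into the SQL text, so a quote in the
// username ends the string literal and whatever follows is parsed as SQL.
function login_concatenated(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT 1 FROM admins WHERE username = '$user' AND pass = '$pass'";
    try {
        return $db->query($sql)->fetch() !== false;
    } catch (PDOException $e) {
        return false;                  // malformed SQL counts as a failed login
    }
}

// Hardened pattern: the username is a bound parameter (always data, never SQL)
// and the password is verified against a salted hash outside the query.
function login_prepared(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT pass_hash FROM admins WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($pass, $hash);
}

// Inputs: the pair from the advisory, the real credentials, a wrong password.
$cases = [
    ["admin'--", '/*'],
    ['admin', $pw],
    ['admin', 'wrong-password'],
];
foreach ($cases as [$u, $p]) {
    printf("%-10s concatenated=%-5s prepared=%s\n", $u,
        var_export(login_concatenated($db, $u, $p), true),
        var_export(login_prepared($db, $u, $p), true));
}
```

The advisory's input logs in through the concatenated query because the password check is commented out of the SQL, while the prepared version treats the whole string as a username that does not exist. The prepared-statement code is driver-independent, so against MySQL only the PDO connection string changes.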

Here are some other links to check out:

http://www.abcarticledirectory.com/blogspot/article-dashboard-sites-vulnerable-to-iframe-injection-attack.htm

http://www.prisma-mampu.gov.my/archiveNewAdvisories.do?off=50
Author Resource:- Check out all of Mr. Article's reviews at Mr. Reviewer
You can also check out his own Article Publishing script for php & mysql at
Article Friendly
Article From Mr Reviewer Article Review Site .:. You must retain the author's name and links and this site's live link to use this article.