AW: AW: ANN: GLX2 3.05

Andre Garzia andre at
Thu Jun 14 23:46:38 EDT 2012


This usually happens once one of two things happens:

1 - you have a compromissed FTP account. Maybe one collaborator lost your
FTP account or an infected machine is harvesting them from your HD (more
common on windows). Something caused the FTP account to be compromissed,
after that the hacker uploads a single PHP script and calls this script
with CURL or something similar, this causes the script to execute on the
server. This script is usually a bootstrap script that will download more
nastiness and infect other files.

2 - an exploit on some software you're using on the server side. This
mostly happens when using stuff you didn't built such as Wordpress or
others popular CMS. Wordpress is a big target for hackers because it is the
most popular CMS out there.

Be aware that if you're LiveCodeServer application has an upload feature
such as "upload your photo" form that works by saving the uploaded file
somewhere and then sending it to the browser when needed, for example by
using something similar to:

<img src="photos/<?rev put photoFilePath ?>" />

Where you simply send an image with its source pointing to the uploaded
file. This is a major risk because if the hacker uploads a PHP file instead
of a nice mug shot. The PHP file will be executed when the browser request
that image.

If you're accepting files on forms, always check the file with a command

function filetype pFile
  return shell("file --mime" && pFile)
end filetype

This function will return the MIME type for a given file on Mac OS X or
Linux (any Unix I think...).

On Fri, Jun 15, 2012 at 12:29 AM, J. Landman Gay
<jacque at>wrote:

> On 6/14/12 8:58 PM, stephen barncard wrote:
>> these guys would pack a string of URLEncoded PHP code with no white space
>> into a global, then decode and call it. It was usually placed at the
>> bottom
>> of one's document.
> It's still not clear to me how they did this.
> The security snafu was a year ago and the hacker didn't get any passwords,
> only a few user names. Unless anyone's password is "12345" I kind of doubt
> this recent incident is related, and it was a long time ago anyway.
> Is there a likely explanation how they got in this time? Something we
> should watch out for?
> --
> Jacqueline Landman Gay         |     jacque at
> HyperActive Software           |
> ______________________________**_________________
> use-livecode mailing list
> use-livecode at
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:

-- -- All We Do Is Code. -- minimalist url shortening service.

More information about the Use-livecode mailing list