Messages - trez

91
Discussion & Troubleshooting / Re: Anti Hack Guidelines for a secure site
« on: February 16, 2007, 07:16:43 PM »
If you are having trouble using your Postcard Viewer after STEP ONE, please replace your current postcard_view.php with this code:

Code:
<?php // PLUGIN_TITLE: Postcard Viewer

$nozip = 1;
define('IN_CP', 1);

define('ROOT_PATH', "./../../");
// DEIN_VERZEICHNISS is the renamed admin folder from STEP ONE; put your own folder name here
require(ROOT_PATH.'DEIN_VERZEICHNISS/admin_global.php');
show_admin_header();

function display_results() {
    global $site_db;

    // Join every postcard with the image it was sent for, newest postcard first
    $sql = "SELECT *
            FROM ".POSTCARDS_TABLE." p, ".IMAGES_TABLE." i
            WHERE p.image_id = i.image_id
            ORDER BY postcard_date DESC";

    $result = $site_db->query($sql);
    while ($row = $site_db->fetch_array($result)) {
        $postcard_id              = $row["postcard_id"];
        $postcard_date            = date("D d M, Y g:i a", $row["postcard_date"]);
        $image_id                 = $row["image_id"];
        $postcard_bg_color        = $row["postcard_bg_color"];
        $postcard_border_color    = $row["postcard_border_color"];
        $postcard_font_color      = $row["postcard_font_color"];
        $postcard_font_face       = $row["postcard_font_face"];
        $postcard_sender_name     = $row["postcard_sender_name"];
        $postcard_sender_email    = $row["postcard_sender_email"];
        $postcard_recipient_name  = $row["postcard_recipient_name"];
        $postcard_recipient_email = $row["postcard_recipient_email"];
        $postcard_headline        = $row["postcard_headline"];
        $postcard_message         = $row["postcard_message"];
        $cat_id                   = $row['cat_id'];
        $image_media_file         = get_media_code($row['image_media_file'], $image_id, $cat_id, $row['image_name']);
        $template                 = TEMPLATE_PATH;

        // The postcard fields are echoed into the HTML exactly as stored in the
        // database (no htmlspecialchars()), so this viewer belongs inside the
        // protected admin area only.
        echo <<<END
        <table cellspacing="0" cellpadding="1" align="center" border="0">
  <tbody>
    <tr> 
      <td bgcolor="$postcard_border_color"><table cellspacing="0" cellpadding="10" bgcolor="$postcard_bg_color" border="0">
  <tbody>
    <tr> 
      <td valign="top"><font color="#000000" size="1" face="Verdana, Arial, Helvetica, sans-serif">$postcard_date</font><br><a href="../../details.php?image_id=$image_id" target="_blank">$image_media_file</a><br> 
        <font color="#000000" size="1" face="Verdana, Arial, Helvetica, sans-serif">$postcard_recipient_name - </font>
<a href="mailto:$postcard_recipient_email"><font color="#000000" size="1" face="Verdana, Arial, Helvetica, sans-serif">$postcard_recipient_email</font></a></td>
      <td valign="top" width="200" height="250"><div align="right"><img src="$template/images/stamp.gif" border="0"></div>
        <br> <br> <b><font face="$postcard_font_face" color="$postcard_font_color" size="4">$postcard_headline</font></b><br> 
        <br> <font face="$postcard_font_face" color="$postcard_font_color" size="2">$postcard_message</font><br> 
        <br> <font face="$postcard_font_face" color="$postcard_font_color" size="2">$postcard_sender_name</font><br> <a href="mailto:$postcard_sender_email"><font face="$postcard_font_face" color="$postcard_font_color" size="2">$postcard_sender_email</font></a></td>
    </tr>
  </tbody>
</table></td>
    </tr>
  </tbody>
</table><br> 
END;
    }
}

display_results();
show_admin_footer();
?>


92
Try this code at the start:

Code:
<?php // PLUGIN_TITLE: Postcard Viewer

$nozip = 1;
define('IN_CP', 1);

define('ROOT_PATH', "./../../");
// DEIN_VERZEICHNISS is the renamed admin folder from STEP ONE; put your own folder name here
require(ROOT_PATH.'DEIN_VERZEICHNISS/admin_global.php');
show_admin_header();

function display_results() {
    global $site_db;

    // Join every postcard with the image it was sent for, newest postcard first
    $sql = "SELECT *
            FROM ".POSTCARDS_TABLE." p, ".IMAGES_TABLE." i
            WHERE p.image_id = i.image_id
            ORDER BY postcard_date DESC";

    $result = $site_db->query($sql);
    while ($row = $site_db->fetch_array($result)) {
        $postcard_id              = $row["postcard_id"];
        $postcard_date            = date("D d M, Y g:i a", $row["postcard_date"]);
        $image_id                 = $row["image_id"];
        $postcard_bg_color        = $row["postcard_bg_color"];
        $postcard_border_color    = $row["postcard_border_color"];
        $postcard_font_color      = $row["postcard_font_color"];
        $postcard_font_face       = $row["postcard_font_face"];
        $postcard_sender_name     = $row["postcard_sender_name"];
        $postcard_sender_email    = $row["postcard_sender_email"];
        $postcard_recipient_name  = $row["postcard_recipient_name"];
        $postcard_recipient_email = $row["postcard_recipient_email"];
        $postcard_headline        = $row["postcard_headline"];
        $postcard_message         = $row["postcard_message"];
        $cat_id                   = $row['cat_id'];
        $image_media_file         = get_media_code($row['image_media_file'], $image_id, $cat_id, $row['image_name']);
        $template                 = TEMPLATE_PATH;

        // The postcard fields are echoed into the HTML exactly as stored in the
        // database (no htmlspecialchars()), so this viewer belongs inside the
        // protected admin area only.
        echo <<<END
        <table cellspacing="0" cellpadding="1" align="center" border="0">
  <tbody>
    <tr> 
      <td bgcolor="$postcard_border_color"><table cellspacing="0" cellpadding="10" bgcolor="$postcard_bg_color" border="0">
  <tbody>
    <tr> 
      <td valign="top"><font color="#000000" size="1" face="Verdana, Arial, Helvetica, sans-serif">$postcard_date</font><br><a href="../../details.php?image_id=$image_id" target="_blank">$image_media_file</a><br> 
        <font color="#000000" size="1" face="Verdana, Arial, Helvetica, sans-serif">$postcard_recipient_name - </font>
<a href="mailto:$postcard_recipient_email"><font color="#000000" size="1" face="Verdana, Arial, Helvetica, sans-serif">$postcard_recipient_email</font></a></td>
      <td valign="top" width="200" height="250"><div align="right"><img src="$template/images/stamp.gif" border="0"></div>
        <br> <br> <b><font face="$postcard_font_face" color="$postcard_font_color" size="4">$postcard_headline</font></b><br> 
        <br> <font face="$postcard_font_face" color="$postcard_font_color" size="2">$postcard_message</font><br> 
        <br> <font face="$postcard_font_face" color="$postcard_font_color" size="2">$postcard_sender_name</font><br> <a href="mailto:$postcard_sender_email"><font face="$postcard_font_face" color="$postcard_font_color" size="2">$postcard_sender_email</font></a></td>
    </tr>
  </tbody>
</table></td>
    </tr>
  </tbody>
</table><br> 
END;
    }
}

display_results();
show_admin_footer();
?>



94
Discussion & Troubleshooting / Re: Anti Hack Guidelines for a secure site
« on: February 16, 2007, 10:31:27 AM »
Quote from: honda2000
That is very good!!!
Just one question: who tells us that the hacking of the galleries mentioned here in recent weeks happened via the "ADMIN" folder??

Nobody, and if your gallery has been hacked it is very unlikely that you know HOW it was hacked.

Quote from: honda2000
Renaming the folder and protecting it with .htaccess is fine, but unfortunately nobody whose gallery was hacked has:
1. given us access to the server
2. let us see all the files
3. let us see all the folders
so that these could then be compared!

The start page was always hacked in such a way that 4images was in the source code, but the gallery itself was not called, that's right, isn't it??

I think the "admin" folder must be protected, but isn't it rather a matter of: data/database/

in which the files are blocked??

As already said, we have NEVER seen a complete hacked gallery (incl. server access, database, etc.)

No, everything is connected. If I, as a hacker, want to take down a gallery, the "Admin" folder is very important. However, I have to know the path to the admin folder; if I
don't know it, it is highly unlikely to achieve anything. For security reasons I will not publish in this thread why and how exactly it works in detail;
you can send me a PM if you want to know exactly what it is about.

As for the data/database folder, I will update the thread, also regarding the security holes in search.php and image.php.

As for the hacked sites, have a look at this:
http://lists.seifried.org/pipermail/security/2006-March/012490.html
http://retrogod.altervista.org/4images_171_incl_xpl.html

This is about the well-known exif problem, which by now has been more or less fixed.



96
Discussion & Troubleshooting / Anti Hack Guidelines for a secure site
« on: February 15, 2007, 09:41:33 PM »
Well, at least 3 times a week I read about sites getting hacked, and every time I read the same
questions like "Did you install all bugfixes", "Do you have a secure password"

Yes we have!

But why is my site being hacked even if i did all the fixes etc?
Because you can do more!

I won't discuss server related things here, because most of you don't have root access to your server,
but some simple things you can do will do the job ;) Here we go:

Step ONE to a more secure site
Getting rid of the yoursite.com/admin directory

1. Make a new folder in your 4images and call it something like "87cfgh77FG1F0C"
2. Move all your files from your admin folder into the new folder you created
3. Insert an empty "index.html" file in your admin folder
4. Now open yoursite.com/87cfgh77FG1F0C/admin_global.php and search for:

Code:
include(ROOT_PATH.'admin2/admin_functions.php');
and replace "admin" with the name of your new folder

5. Save it.
6. Do the same modification in all files located in your former admin directory which include a path to "admin"

7. Search Google for "htaccess" and put an extra login on your new folder
------------

Now your admin area is secured twice, first with the new name of the admin folder, and second, with the additional login (using the htaccess)
DON'T change your other php files to use direct links to that new folder. You have to manually enter the admin area with a bookmark, and
for example search for the image you want to modify. No direct link from your homepage anymore - which makes it more difficult to administrate, but more secure.
Again, I can tell you how to directly link for example "edit image"/"delete image" to that new folder, but the changes we've made would have no effect.

TIP: If you want to edit something, simply copy the address and replace "admin" with the name of your new folder.


Step TWO to a more secure site
Because your wife's name isn't hard to guess

Don't ever use normal passwords like "qwerty", "sexy69" or "paaasword" - You really don't know how smart current hackers are. There are so many ways
to hack or even guess such a password. Use passwords like:

ab2j87ffe
c4v5hh7k

and so on. I know, it's hard to remember. But after 3-4 days you will remember the password.



Step THREE to a more secure site
Trojan horses and 4images

NEVER login into your 4images site from:

- public computers (most of them have keyloggers installed)
- your friend's computer (trust no one!)

Use only your own PC if possible. And when you use it, make sure you have a good anti virus program installed (kaspersky, norton).
Trojan horses are one of the top reasons sites get hacked! Someone mails you a "greeting card", and you open it because you're curious,
and that's it - a trojan horse on your computer. It now mails all passwords, online banking details, EVERYTHING to the hacker!

So please be sure you use an anti virus program that is updated every day! This is VERY important!

Well, that's it for now - I can assure you that following those 3 steps will make your site 90% more secure!
If you have any questions please write in this thread, don't write me PMs about that topic.

Greetings,

George
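The seven steps of Step ONE above can be scripted so that no include path is missed. The following POSIX shell script is an added example and is not part of the forum post or of 4images itself: it builds a small constructed 4images-like tree (three sample PHP files, not the real ones), moves the admin files into the new folder, leaves an empty index.html in the old one, rewrites every 'admin/' include path, writes the Step 7 .htaccess, and then counts any 'admin/' references that survived. The folder name "87cfgh77FG1F0C" is the illustration from the post; the function names, the sample file contents and the .htpasswd location are assumptions. Two practitioner notes: the rename only hides the path, so the Basic auth login (.htpasswd created with Apache's `htpasswd -c`, stored outside the web root, served over HTTPS) is the control that actually keeps strangers out; and the count function is there because a single forgotten include path breaks the admin panel or leaks the new name.

```shell
#!/bin/sh
# Added example (not from the forum post): script the rename-and-protect
# steps of "Step ONE" on a 4images tree. Everything below is constructed
# for illustration; adjust names and paths to your own installation.

# Constructed sample tree: three stand-in PHP files with 'admin/' include
# paths, so the script can be exercised offline on a throwaway directory.
make_sample_tree() {
    sample_root="$1"
    mkdir -p "$sample_root/admin"
    printf '%s\n' "<?php include(ROOT_PATH.'admin/admin_functions.php'); ?>" \
        > "$sample_root/admin/admin_global.php"
    printf '%s\n' "<?php require(ROOT_PATH.'admin/admin_global.php'); ?>" \
        > "$sample_root/admin/images.php"
    printf '%s\n' "<?php echo 'functions'; ?>" \
        > "$sample_root/admin/admin_functions.php"
}

# Steps 1-6: create the new folder, move every admin file into it, drop an
# empty index.html into the old admin folder (so a directory listing shows
# nothing), and rewrite 'admin/' include paths in all moved PHP files.
relocate_admin() {
    site_root="$1"; new_name="$2"
    mkdir -p "$site_root/$new_name"
    for f in "$site_root"/admin/*; do
        [ -e "$f" ] || continue
        mv "$f" "$site_root/$new_name/"
    done
    : > "$site_root/admin/index.html"
    for f in "$site_root/$new_name"/*.php; do
        [ -e "$f" ] || continue
        # portable in-place edit (GNU and BSD sed differ on -i)
        sed "s#'admin/#'$new_name/#g" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Step 7: require an extra HTTP Basic login for the new folder. AuthUserFile
# must be an absolute path; create it with: htpasswd -c /path/.htpasswd user
write_htaccess() {
    protected_dir="$1"; passwd_file="$2"
    cat > "$protected_dir/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted admin area"
AuthUserFile $passwd_file
Require valid-user
EOF
}

# Verification: number of PHP files in the new folder that still reference
# 'admin/'. Anything other than 0 means an include path was missed.
count_old_refs() {
    check_dir="$1"
    grep -l "'admin/" "$check_dir"/*.php 2>/dev/null | wc -l | tr -d ' '
}

# Run with "--demo" to exercise the steps on a temporary sample tree.
if [ "${1:-}" = "--demo" ]; then
    demo_root=$(mktemp -d)
    make_sample_tree "$demo_root"
    relocate_admin "$demo_root" "87cfgh77FG1F0C"
    write_htaccess "$demo_root/87cfgh77FG1F0C" "$demo_root/.htpasswd"
    echo "remaining 'admin/' references: $(count_old_refs "$demo_root/87cfgh77FG1F0C")"
    find "$demo_root" -type f | sort
    rm -rf "$demo_root"
fi
```

On a real installation, run `relocate_admin` against the site root with your own random folder name, then `count_old_refs` on the new folder; only when it reports 0 should the .htpasswd be created and `write_htaccess` applied, otherwise the first missed include will fail as soon as the admin panel is opened.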

97
Discussion & Troubleshooting / Re: Thumbnails all in the same size
« on: February 15, 2007, 01:37:03 PM »
wonder why it got deleted?

Because it became a paid MOD because of the complexity.

98
Mods & Plugins (Requests & Discussions) / Re: Multipel recipents
« on: February 15, 2007, 12:55:39 AM »
I just created that mod for a client, you can PM me for information (it's a paid mod)

99
That sounds like a good idea... sounds like a nice paid mod ;)

100
Mods & Plugins (Requests & Discussions) / Re: Looking for Moderation Mod
« on: February 12, 2007, 07:07:50 PM »
Every category has its own permission options. You have to set "direct upload" to "admin"; that way, the uploaded images are queued and not shown on the site until you (or another administrator) click "validate images" in the admin panel and validate them.

This question is also answered better in the FAQ/Docs folder if you need more information

101
Discussion & Troubleshooting / Re: Neues Adminlogin setzen, wie?
« on: February 12, 2007, 08:46:29 AM »
That only works via the database, e.g. with PhpMyAdmin

102
Discussion & Troubleshooting / Re: A few how do's
« on: February 11, 2007, 09:17:11 PM »
Welcome to the 4images Forum,

all topics you refer to are discussed and there are mods for your requests. Please try using the search, or browse the MOD forums.

103
Cookies can be deleted, so that doesn't solve your problem.
You can limit views by IP, but the problem is that after the user signs up he still has the same IP, so ... it's complicated. Maybe consider making your categories and the images
only visible for registered users, and make a "preview category" for guests (redirect to that preview category after a guest clicks on an image)

104
In our Offices we also take a charge around 65,-€ (85,-$)/h...

nice, in Bulgaria 150-€ are a standard monthly salary  :? If you move here and have clients you can live like a king  :lol: :lol:

105
...why are you making such a request? And you really believe someone would help you?
I also don't understand why people like mawenzi etc. answer you; your request falls into the category "criminal",
and you should be banned for it. It is also clear to me why you want to read out the passwords .... after this thread
you definitely won't get any more support from me :roll: :roll: :roll:
