
18. March 2013

phpLiteAdmin 1.9.4 released

Filed under: DBMS, PHP, phpLiteAdmin — Christopher Kramer @ 18:53

I just released phpLiteAdmin 1.9.4.

phpLiteAdmin is for SQLite what phpMyAdmin is for MySQL: A web GUI to manage your databases.

A lot of work has again gone into this release. It fixes bugs and introduces new features. No security issues were fixed compared to 1.9.3.3.

Every user of phpLiteAdmin is recommended to update.

New features of phpLiteAdmin 1.9.4 include:

  • Multi-Language support
  • external configuration possible
  • empty password -> no login required
  • easy backup of db files
  • edit and delete possible from search results
  • search function: added “LIKE %…%”
  • CSS and JS now served as separate, cacheable and compressed resources to speed up page loading

Important bug fixes include fixes in the ALTER TABLE support. We have again put quite a lot of work into improving phpLiteAdmin. Thanks to everybody who reported issues and to the team for their work on phpLiteAdmin. Dreadnaut and Teryaki in particular helped me a lot with this release. Thanks, guys.

Download the new version here.

Recommendation

Try my Open Source PHP visitor analytics script CrazyStat.

26. January 2013

Funny pseudo-exploit for phpLiteAdmin

It seems people really got interested in the security of phpLiteAdmin. That’s cool, lots of people searching for security issues will give us the opportunity to fix a lot of things in a short period of time. Go on searching. We’ll go on fixing.

But some of these exploiters only publish an “exploit” that contains no real issue at all. Probably only to get some publicity, or maybe because they don’t even realize that what they “found” is not an issue at all. Or meant as a joke?

I recently found a new “security exploit” listing several “vulnerabilities”, which are in fact not bugs in phpLiteAdmin at all but misconfigurations or even features. So here I want to have a look at an “exploit” released by “KedAns-Dz”:

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                   0
1  [+] Support e-mail  : submit[at]1337day.com                         1
0                                                                      0
1               #########################################              1
0               I'm KedAns-Dz member from Inj3ct0r Team                1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

Okay yeah. We know exploiters love ASCII art. Kind of cool, agreed.

###
# Title : phpLiteAdmin v1.8.x->1.9.x (SQLi/FD) <= Multiple Vulnerabilities
# Author : KedAns-Dz
# E-mail : ked-h (@hotmail.com / @1337day.com)
# Home : Hassi.Messaoud (30500) - Algeria -(00213555248701)
# Web Site : www.1337day.com .net .org
# FaCeb0ok : http://fb.me/Inj3ct0rK3d
# TwiTter : @kedans
# Friendly Sites : www.r00tw0rm.com * www.exploit-id.com
# Type : proof of concept - webapp 0day - remote - php
# Tested on : Windows7
###
# <3 <3 Greetings t0 Palestine <3 <3
# F-ck HaCking, Lov3 Explo8ting !

As I said, I like exploits as well. Even if they just make me laugh 😉

######## [ Proof / Exploit ] ################|=>
# Google Dork :
# allintext:"Powered by phpLiteAdmin | "
##################
# [!] Description:
------------------
phpLiteAdmin is suffer from multiple vulnerabilities / bugs in
v1.8.x to-> 1.9.x , the attacker can use some bug in the Script
to inject some remote SQL command/code , and Disclosure the Full Path.

Interesting that it says 1.9.x when there are still 1.9.x versions to be released in the future. So you are sure we won’t fix your “bugs”? Probably you are right 😉

# Bugs :
#-------
# Authentication Bypass
# SQL Injection/Exec
# Full Path Disclosure
#######################
#### (1) Authentication Bypass :
--------------------------------
[!] php-code :
line 38->39 :::::::::::::::::
//password to gain access
$password = "admin";
:::::::::::::::::::::::::::::
- not affected on all targets, just change the password to fix it

LOL

[+] http://[target]/[path]/phpliteadmin.php
[*] password : admin

I didn’t know we call it an “authentication bypass” when you use the authentication system by entering the correct password. Yes, phpLiteAdmin has a default password, which is “admin”. No secret here. Anybody keeping the default password on a publicly accessible installation should know that other people can get access. The current version of phpLiteAdmin even shows you a warning if you still use the default password.

No “bug” or “vulnerability” at all.

#### (2) Full Path Disclosure :
-------------------------------
[+] http://[target]/[path]/phpliteadmin.php?view=import
[!] & Import File with (NULL/Bad) Content =>
- you get some sql error msg with the full path of phpliteadmin.php
ex: '-------------
Warning: PDO::exec(): SQLSTATE[HY000]: General error:
trying to execute an empty query in C:\Program Files\EasyPHP-12.1\www\phpliteadmin.php on line 987
____________________________________
Warning: SQLiteDatabase::queryExec() [sqlitedatabase.queryexec]: Cannot execute empty query.
in /homepages/20/d421371141/htdocs/pauleschoen.com/cgi-bin/phpliteadmin.php on line 646
------------------'
proof image (http://i46.tinypic.com/ddmek5.png) # in local test
proof image (http://i49.tinypic.com/juepet.png) # in remote test

LOL. That’s one of the most difficult ways to make phpLiteAdmin produce a PHP error message 😉

You should probably configure your web server correctly. Everybody who enables the php.ini directive “display_errors” on a public server effectively provokes a “full path disclosure” somewhere. Maybe you should rather publish an exploit for PHP itself 😉

Okay, seriously: we could use ini_set to make sure phpLiteAdmin won’t display any PHP errors. We probably will. But nevertheless, on just about any PHP server you’ll find another script where you can provoke a PHP error.

I am not saying it is good that these errors can happen at all. Of course it would be better to improve input checking and catch errors properly. That would be a real issue, but not a “vulnerability”. If these errors get displayed, your web server is configured in a vulnerable way, which is not the fault of phpLiteAdmin.

#### (3) SQL Injection :
------------------------
php-code ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
$query = "SELECT * FROM ".$db->quote_id($_GET['table'])." WHERE ROWID = ".$pks[$j];
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
[+] http://[target]/[path]/phpliteadmin.php?action=row_view&table='
[&] http://[target]/[path]/phpliteadmin.php?action=row_view&table=' [ SQLi ]

If you publish an SQL injection exploit, why don’t you insert some real SQL as a proof of concept? Maybe because what you “found” here is in fact no SQL injection at all?

The function quote_id() makes sure you cannot inject another SQL command. Of course you can “inject” an invalid table name, which makes phpLiteAdmin show some errors, as your “proof image” shows. So, another complicated way of producing an error message. Congratulations! But you cannot inject a “DROP TABLE” or anything like that here.

Moreover, it is ridiculous to even search for an SQL injection in phpLiteAdmin. If you are logged into phpLiteAdmin, you can of course run any SQL command. That is what phpLiteAdmin is made for. It even gives you a GUI to run SQL queries comfortably. No need to inject them via parameters.

As long as you cannot inject an SQL query without authenticating properly, any “SQL injection” in phpLiteAdmin is not a security vulnerability but an ordinary bug. If some table has a special name, e.g. one containing quotes, we need to make sure the name is escaped properly so phpLiteAdmin works as expected. But that is not the case here: quote_id() makes sure every table name is escaped properly. No issue here at all.

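To illustrate the point about identifier quoting, here is an added Python example (not phpLiteAdmin’s own code). The quote_identifier() function is my stand-in for what the post says quote_id() achieves: the name is wrapped in double quotes and any embedded double quote is doubled, which is SQLite’s standard identifier syntax. The query shape mirrors the one quoted in the “exploit”; casting the row id to an integer and the two sample tables in the in-memory database are assumptions made for the demonstration.

```python
import sqlite3


def quote_identifier(name: str) -> str:
    """Quote an SQLite identifier: wrap in double quotes, double any
    embedded double quote. Illustrative stand-in for quote_id(), assumed
    to behave this way; it is not phpLiteAdmin's code."""
    return '"' + name.replace('"', '""') + '"'


def build_row_view_query(table: str, rowid: int) -> str:
    # Same shape as the row_view query quoted in the "exploit". Only the
    # identifier is user-controlled text; the row id is forced to an int
    # (an assumption for this demo).
    return "SELECT * FROM " + quote_identifier(table) + " WHERE ROWID = " + str(int(rowid))


def run_row_view(conn: sqlite3.Connection, table: str, rowid: int):
    """Run the query; return ('ok', rows) or ('error', message).
    A bad table name ends in an SQLite error, not in extra statements."""
    try:
        rows = conn.execute(build_row_view_query(table, rowid)).fetchall()
        return ("ok", rows)
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def make_demo_db() -> sqlite3.Connection:
    """Constructed sample database: one plain table and one whose name
    itself contains a double quote, to show the quoting round-trips."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute('CREATE TABLE "odd""name" (id INTEGER PRIMARY KEY, note TEXT)')
    conn.execute("INSERT INTO users (name) VALUES ('alice')")
    conn.execute("""INSERT INTO "odd""name" (note) VALUES ('quoted table works')""")
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = make_demo_db()
    print(run_row_view(conn, "users", 1))            # normal table
    print(run_row_view(conn, 'odd"name', 1))         # table name with a quote
    print(run_row_view(conn, "'", 1))                # the "exploit" input: just an error
    print(run_row_view(conn, 'users"; DROP TABLE users; --', 1))
    print("users still there:", table_exists(conn, "users"))
```

Whatever is placed in the table parameter stays a single quoted identifier, so the worst outcome is a “no such table” error, which is exactly the error message the “proof image” shows.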
#### (4) Exec SQL code :
------------------------
Go to :
[*] http://[target]/[path]/phpliteadmin.php?view=sql
-& put the SQL Code in the text-area (Run SQL query/queries :)
and click 'GO' to exec ;) .

LOL. That’s a really funny one. You might call this a vulnerability; I’d call it a feature.

Don’t you show yourself here that issue 3 is ridiculous?

So I am not sure whether this exploit was really meant seriously or as a joke. It made me laugh anyway.

I hope you enjoyed it as well. Keep on exploiting!
3. November 2012

phpLiteAdmin 1.9.3 released (security-update)

Filed under: DBMS, PHP, phpLiteAdmin, Security, Server Administration — Christopher Kramer @ 00:45

Screenshot of phpLiteAdmin 1.9.3

Some minutes ago, I released the new version of phpLiteAdmin, a web management GUI for SQLite databases written in PHP. You can download it from our project site.

The new version addresses lots of issues and fixes most of them. Among these, one security issue has been fixed. Therefore, I’d recommend anybody using phpLiteAdmin to update.

A lot of work has gone into this release, fixing lots of bugs to make phpLiteAdmin more robust. For example, you can now have tables or columns containing special characters. The ALTER TABLE features have been partly rewritten so they now work a lot more reliably. And lots of other issues have been fixed. Thanks to everybody who reported bugs to the bug tracker.

If you still have any problems or suggestions, please let us know on our issue tracker.

30. June 2012

CrazyStat counting lots of hits / visits

Filed under: CrazyStat, PHP — Christopher Kramer @ 16:52

Lately, I got a screenshot of CrazyStat counting quite a lot of visitors and hits. With this post, I’d like to share it with you. It’s quite impressive to see that CrazyStat is able to cope with that many hits easily.

With 4 000 hits per day on average within the last month and about 17 000 visitors on 26th of June, I consider this website quite successful!

So how is your site doing? I’d love to see other screenshots of CrazyStat counting lots of hits.
CrazyStat with lot of visitors

Screenshot of CrazyStat counting lots of visitors

30. May 2012

Released: phpLiteAdmin 1.9.2 includes CSV import/export

Filed under: DBMS, PHP, phpLiteAdmin, Server Administration — Christopher Kramer @ 15:54

As I wrote in March, I implemented CSV import and fixed export issues of phpLiteAdmin. This fixed phpLiteAdmin bug #71. I also wrote a small fix for bug #75. Today, new version 1.9.2 of phpLiteAdmin was released including both fixes. You can download it here.

I’d like to thank the phpLiteAdmin team for including my work and allowing me to join the team. I plan to address more issues of phpLiteAdmin in the future to push phpLiteAdmin a little further. There is still some more work to be done which I will have a look at once I find the time.

I recommend the new version to anybody using phpLiteAdmin (and also everybody who doesn’t yet ;-)). Please use the bug tracker in case you find any issues.

I hope some of you find the new features useful or are happy to see those bugs fixed.

Thanks again to the phpLiteAdmin team for the great tool and the opportunity to contribute to the project. Fortunately, I do not have to create a fork to improve the tool.
28. April 2012

CrazyStat 1.71 RC1 released

Filed under: CrazyStat, PHP — Christopher Kramer @ 20:31

Today I released CrazyStat 1.71 RC1, the first Release Candidate of version 1.71. As there have already been two beta-versions tested by some testers, I consider this release candidate quite stable. I expect that no or only small changes will be made for the final version. Therefore, I’d like to encourage all CrazyStat users to update CrazyStat to 1.71 RC1. It is very simple, as described in the FAQ.

So what are the major changes?

  • New languages: Russian and Danish. Thanks a lot to the translators Vladimir and Liza! I hope CrazyStat will be translated into more languages soon. It is really not much work. Please contact me if you are interested.
  • PHP4 support dropped. I removed all workarounds for old PHP versions. Now at least PHP 5.1 is required. If your host is still running PHP4, you should really update or change to another hoster. PHP4 has not been maintained for quite a while now. Support for old GDlib versions (1.x) was also dropped.
  • You can now link the entries of the file-module to the files. See the config setting you need to set.
  • IP anonymization reworked. This is now turned on by default. See FAQ for more information.
  • Average and total visiting time in hits-module
  • New logo by kartoffelpfluecker (thanks!)
  • Improved UTF8-support
  • New Browsers (Firefox-Versions), Bots, Operating Systems etc.
  • Lots of (smaller) fixes, e.g. for code producing PHP notices or invalid (X)HTML
  • Fix of a bug that caused weird ordering of the days-module sometimes
  • Fix of a bug that made Chrome transfer passwords unencrypted and corrupt the password file when changing passwords using Chrome

So this is more a maintenance release, not a major whole new version. See history for more details (with CrazyStat’s new public SVN hosted on Sourceforge, you can even track every individual change).

I hope you enjoy the new version. You can download it here.

Tell me what you think about it in the comments. In case you have problems, please ask in the support forum.

Enjoy using CrazyStat!
Christopher

23. December 2011

Happy 6th birthday, CrazyStat!

Filed under: CrazyStat — Christopher Kramer @ 13:32

Yesterday was CrazyStat’s 6th birthday. I didn’t find the time to blog about it yesterday, so here we go today: Happy birthday!

Every year when I congratulate CrazyStat on its birthday, I have a look at the last year. This year, I want to do this again. But this year, two things are different regarding my birthday congratulations: First, I congratulate in English. That’s because CrazyStat learnt English last year and nowadays, lots of CrazyStat users do not understand German. Second, I post the congratulations in my blog instead of in my CMS. As I already wrote, I will post things like news, tutorials and so on in the blog instead of on the main site, as it’s simpler for me and allows better feedback.

So these are already two important things that changed within the last year. With the release of CrazyStat 1.70 (on CrazyStat’s 5th birthday), CrazyStat became available in English. This way, CrazyStat got lots of new users. This was also due to the fact that I could now list CrazyStat on hotscripts.com, one of the best script archives available nowadays (in my opinion). If you search for a script, I strongly recommend you to use hotscripts.

Soon after CrazyStat 1.70 release candidates were published, plaise.nl translated it into Dutch so the final version of CrazyStat 1.70 already came with a Dutch language file. As already posted, CrazyStat was now translated into Danish and so upcoming version 1.71 will be available in Danish as well.

Another important change within last year was the new design of my website. Thanks again to kartoffelpfluecker who created the new design for me. I think it’s very cool.

Besides my brand new blog, I also started to tweet. I do not only tweet about what’s hot about CrazyStat, but also some interesting stuff for webmasters. Follow me here.

So what will happen in the upcoming year? I have big plans and hope I will find the time to realize them:

  • release CrazyStat 1.71 (soon I think)
  • work on CrazyStat 1.80 (major code changes)
  • blog more (stuff for webmasters etc.)
  • make development of CrazyStat more open (bug tracker, wiki, public SVN etc.)

And I hope that CrazyStat will learn a lot more languages in the upcoming year. If you speak any language that CrazyStat does not support now, please contact me. It’s really not much work to translate it, and I will honour your work by mentioning you and linking to you.

Thanks everybody for using CrazyStat! Especially thanks a lot to everybody who donated. Unfortunately, not many people did this last year. If you like CrazyStat, please consider a donation.
And thanks to everybody who gave feedback and reported bugs. I really try to read all your mails and respond to everybody who contacts me, so please use the possibility.

Merry Christmas and a happy new year everybody!

2. December 2011

CrazyStat 1.71 changes & features

Filed under: CrazyStat — Christopher Kramer @ 21:24

As promised, some more news about what’s new in upcoming version 1.71 of my PHP visitor analytics script CrazyStat:

  • New language: Danish language file (as already announced)
  • New feature: Average and total visiting time analysed (hits module)
  • New feature: The files in the files-module can now be linked to the page counted
  • New logo: CrazyStat has a new logo thanks to Kartoffelpfluecker
  • Privacy improved: Reworked anonymous IPs. Now “anonymous IPs” look like normal ones and keep the first two octets. This way, the visitor’s country can still be detected by IP, but the IP remains anonymous as the last two octets cannot be recovered. This is now turned on by default.
  • New privacy feature: Optionally, CrazyStat now respects the “Do-Not-Track” header that some browsers send if the user tells them to. When this is turned on, hits by those users will not be logged at all. Note that strictly speaking, CrazyStat never “tracks” users (it does not use cookies etc.), and therefore by turning this on, you respect your users’ privacy even more than they asked for.
  • Browser detection: new browsers included in the keywords file (all those new Firefox-versions…), IE8 and IE9 now correctly detected in compatibility mode.
    Note that this is already available for CrazyStat 1.70 from the download page
  • PHP4 support removed. CrazyStat no longer comes with workarounds for old PHP4 installations, so PHP 5.1 is required. Please update to PHP5, as PHP4 is insecure.
  • Language-cookie “lang” renamed into “CrazyStat_lang” to avoid collisions with other scripts
  • Decimal separators now language-specific
  • Fixed a bug that caused weird ordering of days in some months
  • Lots of smaller bug fixes like invalid XHTML and PHP notice messages

Please let me know your opinion about the changes. I know it’s not a lot of great new features but more a maintenance update.

30. November 2011

CrazyStat 1.71 will speak Danish

Filed under: CrazyStat — Christopher Kramer @ 14:19

As you might know, as of version 1.70, CrazyStat is a multi-language script. Originally, CrazyStat was available in German only. But in 1.70, I translated the interface and documentation into English to make CrazyStat available to a broader audience. Soon after I published the first release candidate of CrazyStat 1.70, somebody (plaise.nl) voluntarily translated CrazyStat into Dutch. So when I released CrazyStat 1.70 final, CrazyStat included language files for German, English and Dutch.

Now Liza Overgaard sent me her translation of CrazyStat into Danish. She did not only translate the user interface, but also the readme file and even plans to translate the FAQ and config-documentation.

So upcoming CrazyStat 1.71 will include a Danish language file and documentation. Thanks a lot to all translators for their work that helps to spread CrazyStat.

If you speak some language that is not yet supported by CrazyStat, it would be great if you could translate CrazyStat into your language. It only takes a few hours as CrazyStat does not have much text on the user interface. Of course your work will be honoured by mentioning you in the changelog of CrazyStat and in the news. I will even link to your website if you want, which will lead visitors to your site and create a lot of backlinks.

Please contact me if you are interested in translating CrazyStat. I also need somebody to support the Dutch translation, as plaise.nl stopped translating open-source software and I need a couple of small texts translated that are new in 1.71.

Thanks everybody for using CrazyStat. Especially to all translators.

More news about the upcoming version of the analytics script CrazyStat 1.71 will be published here and on twitter soon. Stay tuned.