View Full Version : I've been hacked! [appears phpLD was not the cause]


Optimit
01-21-2006, 08:44 AM
My phpld was hacked yesterday, according to my host. I am unsure how, and have asked my host to investigate.

David
01-21-2006, 04:44 PM
This would be the first known incident of something like this. Please PM me if you find out any specifics. Obviously, please don't post specifics publicly.

Optimit
01-21-2006, 07:09 PM
Well, it was definitely hacked. I won't give out the specifics here, and have sent you a PM.

ednit
01-24-2006, 04:09 AM
It's happened to me 2x now - but I am not figuring out how it was done. I'm getting irritated having to reinstall the script.

Newbie_from_Austria
01-24-2006, 06:22 AM
How vulnerable is phpLD to sql injection and email injection?

http://www.google.com/search?hl=en&q=sql+injection
http://en.wikipedia.org/wiki/SQL_injection
http://www.google.com/search?hl=en&lr=&q=email+injection

For example: Is it possible for spammers to abuse the submit form to send spam mails?

These are really important questions. I would like to know the answers before I buy a copy of php link directory 3.

Thank you!
Wolfgang

Optimit
01-24-2006, 06:34 AM
Guys, I just want to go on record that my phpLD was not the entry point for the hacker. He actually entered into a different domain that was running Article Dashboard. He was able to gain shell access, and since my phpLD is on the same server, he was able to write to it with shell access through another domain.

VSDan
01-24-2006, 06:51 AM
Re: SQL Injection

My mods take this into account, and taint check input - particularly ID, as it is what is normally only passed to SQL. I believe the [Rating] mod does not - I updated mine a while back (when I downloaded the mod, and looked at the code) to taint check ID. Look at your scripts for variables passed in SQL statements. Make sure that they are checked and/or escaped.

Newbie_from_Austria
01-24-2006, 07:22 AM
And how safe is phpLD itself - without any mods?

VSDan
01-24-2006, 07:59 AM
I don't see any obvious problems, but I have not looked at all of the scripts in detail. David may want to consider a third party security audit - along the lines of what they did for phpBB. But hundreds are using the script with no real problems - the one mentioned here was the result of an exploit of another script on another domain on the same box.

David
01-24-2006, 03:31 PM
I might mention that 3.0 does have some security enhancements including encrypted admin password, and ... oh, I forget the name .... but it prevents people from creating a url that contains code (wouldn't take your own site down).

ednit
01-24-2006, 03:31 PM
With mine - I do not know the entry point. I know that nobody entered my control panel to mess with it, and I don't have shell access & I had my web host check for anything out of the ordinary & they couldn't find it. The hacks have not entered my database, as all info is as I entered it, but to be on the safe side I've changed my database login info for phpld.

What changed was some files were added & some files modified - I will not explain here, but if there's someone who works on the development of this then I'll put together a text file or send you the stuff that was modified.

mikedippel
01-24-2006, 04:52 PM
I don't remember reading whether the /install directory is supposed to be deleted after installation is complete. Should it, and are there any other files that should be deleted or chmod'ed differently to avoid any security problems?

David
01-24-2006, 04:56 PM
You do need admin access to visit the install directory (after installation), so I believe it to be pretty safe, but I guess it never hurts to delete.

paradox
01-24-2006, 05:37 PM
I CHMOD the config.php back to 644 after install is complete and also it is good to download the config.php file back down onto your hard drive after install, as it has been changed.

mikedippel
01-24-2006, 06:05 PM
Good advice. Thanks

VSDan
01-24-2006, 08:07 PM
Another security suggestion to the developers is to revise the phpLD script not to execute if it detects that config.php is world writable, and if the install directory still exists - spit out a message on what to do (e.g., delete the install directory). As well as do other checks. Along the lines of other scripts like phpBB.
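
The startup check suggested in the last post, sketched as an added example; it is not phpLD code and not written by anyone in this thread. The function name `deployment_problems()` and the layout (`config.php` and `install/` directly under the script's base directory) are assumptions for illustration.

```php
<?php
// Added illustration, not phpLD code. deployment_problems() is a hypothetical
// helper; the file layout (config.php and install/ under $baseDir) is assumed.

/** Return human-readable problems found under $baseDir (empty array = OK). */
function deployment_problems(string $baseDir): array
{
    $problems = [];
    $config   = $baseDir . '/config.php';
    $install  = $baseDir . '/install';

    clearstatcache(); // PHP caches stat() results; drop them before checking

    if (!is_file($config)) {
        $problems[] = 'config.php is missing.';
    } else {
        $perms = fileperms($config);
        if ($perms === false) {
            $problems[] = 'Cannot read the permissions of config.php.';
        } elseif ($perms & 0002) { // "other" write bit is set
            $problems[] = sprintf(
                'config.php is world-writable (mode %04o); chmod it to 644.',
                $perms & 07777
            );
        }
    }

    if (is_dir($install)) {
        $problems[] = 'The install directory still exists; delete it.';
    }

    return $problems;
}

// A front controller would call deployment_problems(__DIR__) first and refuse
// to serve the request (for example with a 503) if the array is not empty.

// Constructed demo: a throwaway tree that has both problems, then the fix.
$demo = sys_get_temp_dir() . '/selfcheck_' . uniqid();
mkdir($demo . '/install', 0755, true);
file_put_contents($demo . '/config.php', "<?php // constructed sample\n");
chmod($demo . '/config.php', 0666);
print_r(deployment_problems($demo)); // misconfigured tree

chmod($demo . '/config.php', 0644);
rmdir($demo . '/install');
print_r(deployment_problems($demo)); // after applying the thread's advice

unlink($demo . '/config.php');
rmdir($demo);
```

The mode check only looks at the world-write bit. If another site on the same server runs under the same system account, owner write permission is enough to modify the file, so a 644 mode does not cover that case.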