Spintown
Rin-Tin-Tin
Posts: 365
Joined: Fri Oct 02, 2009 9:27 pm
Submitting as: Spintown

Bug?

Postby Spintown » Wed Apr 20, 2011 4:57 pm

For a few days I couldn't visit the Song Fight home page without something attacking my computer. Seems to be better now, but it still does it when I try to view the results from the last fight. I don't see anyone else mentioning it in here, so was it just me having problems?
fluffy
Boo
Posts: 9446
Joined: Sat Sep 25, 2004 10:56 am
Instruments: sometimes
Recording Method: Logic Pro X
Submitting as: Sockpuppet
Location: The Plaidlands (also, Seattle)

Re: Bug?

Postby fluffy » Wed Apr 20, 2011 5:12 pm

"Without something attacking my computer" is a liiiiiiiiitle bit vague. Could you try posting a screenshot of what's happening, and maybe the page source?
Generic
Owney
Posts: 5421
Joined: Sat Sep 25, 2004 11:45 am
Instruments: Piano, Guitar, Harmonica, Mandolin, Accordion, Bass
Recording Method: Cubase 5AI, Cubase 6
Submitting as: Jon Eric, Hunky
Location: Pittsburgh, PA

Re: Bug?

Postby Generic » Wed Apr 20, 2011 9:57 pm

Actually, Spud was just in the IRC room talking about a malware notice he got yesterday. So this is likely a known issue. Still, a little more specificity couldn't hurt.
"Warren Zevon would be proud." -Reve Mosquito

Jon Eric - Get your feel on.
Website powered by Spud's Amazing Website Machine.

Circle of Titles!!!!!!
Spud
Scrappy Dappy
Posts: 4742
Joined: Fri Sep 24, 2004 10:25 am
Instruments: Bass, Keyboards, eHorn
Submitting as: Octothorpe
Location: Seattle

Re: Bug?

Postby Spud » Thu Apr 21, 2011 12:13 pm

We believe that the malware issue has been resolved.
"I only listen to good music. And Octothorpe." - Marcus Kellis
Song Fight! The Rockening
bartok2112
A New Player
Posts: 7
Joined: Mon Sep 06, 2010 11:50 am
Instruments: Saxophone, Keyboards
Recording Method: Sonar 8
Submitting as: Cannibal Parrot
Location: San Jose, Ca

Re: Bug?

Postby bartok2112 » Thu Apr 28, 2011 2:30 pm

I just got the malware, fake antivirus thing again at 2:23 pm. It happened when I clicked on the Beaten Man link under last week's fight. I also received it this morning when I voted.

- Paul
Spud
Scrappy Dappy
Posts: 4742
Joined: Fri Sep 24, 2004 10:25 am
Instruments: Bass, Keyboards, eHorn
Submitting as: Octothorpe
Location: Seattle

Re: Bug?

Postby Spud » Thu Apr 28, 2011 9:27 pm

Sorry, I was under the mistaken impression that JB had done something besides change the passwords. I have cleaned up the code tonight. Please continue to post notices of any further problems.

SPUD
"I only listen to good music. And Octothorpe." - Marcus Kellis
Song Fight! The Rockening
bartok2112
A New Player
Posts: 7
Joined: Mon Sep 06, 2010 11:50 am
Instruments: Saxophone, Keyboards
Recording Method: Sonar 8
Submitting as: Cannibal Parrot
Location: San Jose, Ca

Re: Bug?

Postby bartok2112 » Wed May 04, 2011 5:43 am

Ugh, it just happened again. This time, when I went to the main Songfight.org page.
fluffy
Boo
Posts: 9446
Joined: Sat Sep 25, 2004 10:56 am
Instruments: sometimes
Recording Method: Logic Pro X
Submitting as: Sockpuppet
Location: The Plaidlands (also, Seattle)

Re: Bug?

Postby fluffy » Wed May 04, 2011 8:33 am

Spud, it would be really helpful if I could get server access again so that I can diagnose how this exploit apparently keeps happening.
fluffy
Boo
Posts: 9446
Joined: Sat Sep 25, 2004 10:56 am
Instruments: sometimes
Recording Method: Logic Pro X
Submitting as: Sockpuppet
Location: The Plaidlands (also, Seattle)

Re: Bug?

Postby fluffy » Wed May 04, 2011 2:48 pm

I found a few insidiously well-hidden things that were continuously reinfecting the whole site. They should all be gone now. It also looks like the original exploit was installed via WordPress (songfight.net/blog), which I have now disabled as well. (The server logs indicate that nobody has gained unauthorized login/admin access to the actual hosting account.)

If you're running WordPress, PLEASE PLEASE PLEASE make sure that you're running the latest version of that insecure festering shitpile, because there are some pretty widespread massive exploits going on against it right now. http://blog.sucuri.net/2011/04/mass-inf ... g-com.html has a bit more information.
ken
Scrappy Dappy
Posts: 3267
Joined: Sat Sep 25, 2004 6:10 pm
Instruments: Guitar, bass, drums, keys
Recording Method: BLA modded MOTU 828mk2, Cubase 5, UAD-2
Submitting as: Ken's Super Duper Band 'n Stuff
Location: berkeley, ca

Re: Bug?

Postby ken » Wed May 04, 2011 3:08 pm

fluffy wrote: I found a few insidiously well-hidden things that were continuously reinfecting the whole site. They should all be gone now. It also looks like the original exploit was installed via WordPress (songfight.net/blog), which I have now disabled as well. (The server logs indicate that nobody has gained unauthorized login/admin access to the actual hosting account.)

HUZZAH!!!
Ken's Super Duper Band 'n Stuff - Berkeley Social Scene - Tiny Robots - Seamus Collective - Semolina Pilchards - Cutie Pies - Explino! - Bravo Bros. - 2 from 14 - and more!

i would just like to remind everyone that Ken eats kittens - blue lang
Spud
Scrappy Dappy
Posts: 4742
Joined: Fri Sep 24, 2004 10:25 am
Instruments: Bass, Keyboards, eHorn
Submitting as: Octothorpe
Location: Seattle

Re: Bug?

Postby Spud » Wed May 04, 2011 9:23 pm

Do I need to clean up again?
"I only listen to good music. And Octothorpe." - Marcus Kellis
Song Fight! The Rockening
fluffy
Boo
Posts: 9446
Joined: Sat Sep 25, 2004 10:56 am
Instruments: sometimes
Recording Method: Logic Pro X
Submitting as: Sockpuppet
Location: The Plaidlands (also, Seattle)

Re: Bug?

Postby fluffy » Wed May 04, 2011 10:37 pm

What, did something happen again? I thought I'd cleaned up everything and disabled the obvious points of infection.
Spud
Scrappy Dappy
Posts: 4742
Joined: Fri Sep 24, 2004 10:25 am
Instruments: Bass, Keyboards, eHorn
Submitting as: Octothorpe
Location: Seattle

Re: Bug?

Postby Spud » Thu May 05, 2011 10:20 am

Yes, pretty much every php file was infected. Linked or not, in use or not. Html was fine. I just cleaned up again. Will continue to monitor.
"I only listen to good music. And Octothorpe." - Marcus Kellis
Song Fight! The Rockening
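Spud's finding above (every .php file modified, linked or not, while .html files were untouched) is the kind of thing a file-integrity baseline catches the morning after, rather than when a visitor reports a fake-antivirus popup. The script below is an added example for this thread, not Song Fight code: a small PHP CLI tool that records a SHA-256 per .php file under a directory into a JSON manifest and later reports added, removed and modified files against it. The file and function names (integrity.php, hash_tree, diff_manifest) are this example's own.

```php
<?php
// Added example, not Song Fight code. Records a SHA-256 manifest of every .php
// file under a site tree and reports changes against it on a later run.
//
// Usage: php integrity.php baseline <site-dir> <manifest.json>
//        php integrity.php check    <site-dir> <manifest.json>
declare(strict_types=1);

/** Map of relative path => sha256 hex digest for every .php file under $root. */
function hash_tree(string $root): array
{
    $real = realpath($root);
    if ($real === false) {
        throw new RuntimeException("No such directory: $root");
    }
    $root = rtrim($real, DIRECTORY_SEPARATOR);
    $hashes = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        // Only .php files: that is what was being rewritten on the site in the thread.
        if ($file->isFile() && strtolower($file->getExtension()) === 'php') {
            $rel = substr($file->getPathname(), strlen($root) + 1);
            $hashes[$rel] = hash_file('sha256', $file->getPathname());
        }
    }
    ksort($hashes);
    return $hashes;
}

/** Compare a fresh scan against the stored baseline. */
function diff_manifest(array $baseline, array $current): array
{
    $added   = array_keys(array_diff_key($current, $baseline));
    $removed = array_keys(array_diff_key($baseline, $current));
    $modified = [];
    foreach (array_intersect_key($current, $baseline) as $path => $hash) {
        if ($baseline[$path] !== $hash) {
            $modified[] = $path;
        }
    }
    return ['added' => $added, 'removed' => $removed, 'modified' => $modified];
}

$mode     = $argv[1] ?? '';
$dir      = $argv[2] ?? '';
$manifest = $argv[3] ?? '';

if ($mode === 'baseline' && $dir !== '' && $manifest !== '') {
    file_put_contents($manifest, json_encode(hash_tree($dir), JSON_PRETTY_PRINT));
    echo "Baseline written to $manifest\n";
    exit(0);
}
if ($mode === 'check' && $dir !== '' && $manifest !== '') {
    $baseline = json_decode((string) file_get_contents($manifest), true);
    if (!is_array($baseline)) {
        fwrite(STDERR, "Could not read manifest $manifest\n");
        exit(2);
    }
    $report = diff_manifest($baseline, hash_tree($dir));
    foreach ($report as $kind => $paths) {
        foreach ($paths as $path) {
            echo "$kind: $path\n";
        }
    }
    // Non-zero exit when anything new or changed turned up, so cron can alert on it.
    exit(($report['added'] || $report['modified']) ? 1 : 0);
}
fwrite(STDERR, "usage: php integrity.php baseline|check <site-dir> <manifest.json>\n");
exit(2);
```

Take the baseline right after a clean-up, store the manifest outside the web root (or off the host entirely, since anything that can rewrite every .php file can rewrite a manifest sitting next to them), and run the check from cron. A legitimate deploy shows up as expected changes; a reinfection of the kind described in this thread shows up as modifications to files nobody touched.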
fluffy
Boo
Posts: 9446
Joined: Sat Sep 25, 2004 10:56 am
Instruments: sometimes
Recording Method: Logic Pro X
Submitting as: Sockpuppet
Location: The Plaidlands (also, Seattle)

Re: Bug?

Postby fluffy » Thu May 05, 2011 10:50 am

Fucking hell. Must have been another infection I missed. The malware was VERY good at hiding itself, and I thought I found all the places it was coming up.

What was it infected with?
fluffy
Boo
Posts: 9446
Joined: Sat Sep 25, 2004 10:56 am
Instruments: sometimes
Recording Method: Logic Pro X
Submitting as: Sockpuppet
Location: The Plaidlands (also, Seattle)

Re: Bug?

Postby fluffy » Thu May 05, 2011 11:05 am

Found a pretty big security hole in songpage and artistpage which is being actively exploited by people. As always it's one of those things that PHP makes WAY too easy to fuck up on. Will put in a fix ASAP.
Spud
Scrappy Dappy
Posts: 4742
Joined: Fri Sep 24, 2004 10:25 am
Instruments: Bass, Keyboards, eHorn
Submitting as: Octothorpe
Location: Seattle

Re: Bug?

Postby Spud » Thu May 05, 2011 4:56 pm

Fill me in offline, if possible, so that I can learn from this.

Thanks.
"I only listen to good music. And Octothorpe." - Marcus Kellis
Song Fight! The Rockening
fluffy
Boo
Posts: 9446
Joined: Sat Sep 25, 2004 10:56 am
Instruments: sometimes
Recording Method: Logic Pro X
Submitting as: Sockpuppet
Location: The Plaidlands (also, Seattle)

Re: Bug?

Postby fluffy » Thu May 05, 2011 5:09 pm

Well, the main thing is something everyone should know about: include() and fopen() can both take arbitrary URLs as parameters, unless it's explicitly disabled in php.ini. Stupidest language "feature" EVER. My fix was to abort if it detects a :// in a key parameter.

I've audited all of the site-specific PHP and I think I fixed all the places where that could happen, but of course there's always the possibility of other stuff like that.

PHP really is a shitty language from a writing-secure-apps standpoint. Although I'd like to point out that if Songfight were database-driven rather than file-driven, it would be a lot easier to write code in a more secure way. Direct filesystem access is bad news in PHP.
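The hole fluffy describes is the PHP stream-wrapper behaviour: when the php.ini directives allow_url_include (for include/require) and allow_url_fopen (for fopen and friends) are on, a string that reaches those functions is treated as a URL if it carries a scheme, so a request parameter passed straight through becomes a way to load someone else's file. The snippet below is an added example, not the songpage/artistpage code from the site: it shows the unsafe pattern as a comment and a helper that resolves a request parameter against a fixed directory instead of trusting it. The directory constant, helper name and the `song` query parameter are this example's own assumptions.

```php
<?php
// Added example, not Song Fight code. Hardened replacement for passing a request
// parameter straight into include()/fopen().
declare(strict_types=1);

// Assumed layout: one page fragment per song, stored under this directory.
const PAGE_DIR = __DIR__ . '/pages';

/**
 * Returns the absolute path of the fragment named by $name, or null if $name is
 * not a plain slug that resolves to an existing file inside PAGE_DIR.
 */
function resolve_page(string $name): ?string
{
    // Allow-list the shape of the value: letters, digits, '_' and '-' only.
    // That excludes any scheme ("://"), directory separators, "..", and NUL bytes
    // without having to enumerate each of them.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    $candidate = PAGE_DIR . '/' . $name . '.php';

    // realpath() resolves symlinks and returns false for a missing file.
    $real = realpath($candidate);
    $base = realpath(PAGE_DIR);
    if ($real === false || $base === false) {
        return null;
    }
    // Belt and braces: the resolved file must still sit under PAGE_DIR.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// The pattern the thread is about, shown only as a comment: the parameter is
// handed to include() unchanged, so whatever string arrives is what gets loaded.
//   include($_GET['song']);

// Hardened version: the parameter only ever selects among files we already have.
$path = resolve_page($_GET['song'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit('No such page.');
}
include $path;
```

Two points worth keeping in mind beyond the thread's own fix. Checking for "://" alone blocks remote URLs and the php:// and data:// wrappers (both contain the substring), but a plain relative path with no scheme passes that check, so a shape-based allow-list plus a realpath containment test is the stronger gate. And the same helper should sit in front of every fopen()/file_get_contents() call that takes a request-derived name, not just include(), together with allow_url_include=Off and, where the application does not need remote reads, allow_url_fopen=Off in php.ini so the language-level behaviour is switched off regardless of what individual pages do.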
