Security to Prevent Hackers from Accessing SPT and old A-V DBs
Contributor(s): Andres Montano, Steven Weinberger
A-V database, Hacked 11/21/2012
IP address of hacker: 183.5.132.244 (Guangzhou, China)
Used "acunetix" in data added to db. Online sale of generic drugs.
The following file names were changed to close the holes used in the SQL injection attack through which the hackers gained access to the db (and in particular to the users table):
login_do.php-20121121_SECURITY_LEAK
staffmembers_admin.php-20121121_SECURITY_LEAK
add_formfields.php-20121121_SECURITY_LEAK
add_rem_stuff.php-20121121_SECURITY_LEAK
emailer_do.php-20121121_SECURITY_LEAK
These files need to be sanitized:
/avarch/mediaflowcat/framesets/view_transcript.php
/avarch/mediaflowcat/project_tree.php
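One way the sanitizing could look, as an added example that is not code from the A-V database or Scout Portal: a login lookup and a numeric-id lookup that pass user input to the db only through PDO prepared statements. The table, column and function names, the sample rows and the in-memory SQLite database (which needs the pdo_sqlite extension) are assumptions made for the illustration.

```php
<?php
// Added example: table, column and function names are hypothetical,
// and all rows and inputs below are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT UNIQUE, pw_hash TEXT)');
$db->exec('CREATE TABLE transcripts (id INTEGER PRIMARY KEY, title TEXT)');
$ins = $db->prepare('INSERT INTO users (login, pw_hash) VALUES (?, ?)');
$ins->execute(['editor', password_hash('constructed-sample-pw', PASSWORD_DEFAULT)]);
$db->exec("INSERT INTO transcripts (id, title) VALUES (7, 'Sample transcript')");

// Login check: user input is only ever bound as a parameter, never
// concatenated into the SQL text, so quotes in it cannot change the query.
function check_login(PDO $db, string $login, string $password): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

// Numeric request parameter: validate it as a positive integer first,
// reject anything else, and still bind it rather than interpolate it.
function load_transcript(PDO $db, $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // not an integer: refuse before touching the db
    }
    $stmt = $db->prepare('SELECT id, title FROM transcripts WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

var_dump(check_login($db, 'editor', 'constructed-sample-pw')); // valid credentials
var_dump(check_login($db, "editor' --", 'x'));                 // quote is treated as plain data
var_dump(load_transcript($db, '7'));                           // well-formed id
var_dump(load_transcript($db, '7 OR 1=1'));                    // fails integer validation
```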
Scout Portal, Hacked 11/20-21/2012
IP address of hacker: 183.5.132.244 (Guangzhou, China)
Used "acunetix" in data added to db. Online sale of generic drugs.
The following file names were changed to close the holes used in the SQL injection attack through which the hackers gained access to the db (and in particular to the APUsers table):
SPT--RequestAccount.php-20121121_SECURITY_LEAK
SPT--RequestAccountComplete.php-20121121_SECURITY_LEAK
SPT--UserLogin.php-20121121_SECURITY_LEAK
SPT--DBAddField.html-20121121_SECURITY_LEAK
SPT--ExportUsersExecute.html-20121121_SECURITY_LEAK
SPT--AddControlledNameComplete.html-20121121_SECURITY_LEAK
SPT--AddRecord.html-20121121_SECURITY_LEAK
SPT--DBEntry.html-20121121_SECURITY_LEAK
SPT--EditControlledName.html-20121121_SECURITY_LEAK
SPT--ExportDataExecute.html-20121121_SECURITY_LEAK
SPT--ImportDataExecute.html-20121121_SECURITY_LEAK
SPT--PurgeSampleDataExecute.html-20121121_SECURITY_LEAK