pixelpost executing html in comments?


jmz
01-27-2006, 02:42 AM
I got a comment today which contained a meta refresh tag which gets executed every time the site is viewed. The result was that every time the site is viewed it redirects in 1 second to a "defaced" image. This is a terrible and old vulnerability with comment systems; I am simply amazed that there is no checking for html (or even php?) tags in the comment system in pixelpost. I have used pixelpost for over 2 years now and I have always assumed that there was some sort of safeguard against this sort of silly thing.

If you are wondering, yes, I am upset about it, but I just wanted to raise this issue in case it has happened to other people. The fix is quite simple, just go to the database and delete the comment from there (there is no other way!). Thanks.

se.nsuo.us
01-27-2006, 03:38 AM
Well I am fairly pissed at such noob grade programming, but I am pissed with myself as well for not having noticed this before :(

Will post a patch in a while which allows some basic HTML while stripping out everything else... unless of course some dev is kind enough to do that

fred
01-27-2006, 03:50 AM
There seems to be a rash of these "defaced" comments today targeting pixelpost sites. What a pain in the bum.

Ariel
01-27-2006, 03:51 AM
I got hit with this too. Here's how to manually delete the comment from mysql:

at the command prompt,

mysql -u root -p
show databases;
use pixelpost;
select * from pixelpost_comments;

here you'll see the list of comments. the last one will look like this:

| 257 | 260 | 2006-01-26 23:21:06 | 123.123.123.123 |<META http-equiv="refresh" content="0; URL=http://images6.theimagehosting.com/defaced.gif"><br />
| hacker | | | yes |
+-----+-----------+-------------- (edit: and a whole lot more -'s and +'s)

that first number (257) is the ID which you'll want to use for the next command.

delete from pixelpost_comments where ID=257;
(again, replace 257 with your ID number)

-Ariel

skennedy1217
01-27-2006, 04:05 AM
Yeah, I just got one of those comments, too. What a pisser!

skennedy1217
01-27-2006, 04:23 AM
Alright, whoever is doing this is lurking in the forums, too. I just deleted my comment spam from my database manually and then got another comment. This time it was a screenshot of this thread with the message, "STFU nOOb!"

How soon can you get that patch ready?

Ariel
01-27-2006, 04:24 AM
heh, i got that too.

skennedy1217
01-27-2006, 04:25 AM
Currently Active Users Viewing This Thread: 5 (2 members and 3 guests)

skennedy1217
01-27-2006, 04:27 AM
Great...now I'm really getting hit.

Ariel
01-27-2006, 04:34 AM
Make it so that comments need to be moderated.
Block their IP. (will only help so much, but still)
Add http-equiv="refresh" to your comments black list

se.nsuo.us
01-27-2006, 04:40 AM
put $comment_message = strip_tags($comment_message);

In the function print_comments in file includes/function.php after the line $comment_message = pullout($comment_message);

And to the script kiddie: if you have finished wanking on your exploits, go figure how you can beat this - there are at least 5 ways I can think of - show us how good you are :P

Also, next time you try such stupid stuff, try to mask your trail a bit. I have got you mapped, dude, but for the time being I am not doing anything against you.

And to all the devs - it is high time we pulled our act together.

skennedy1217
01-27-2006, 04:43 AM
I blocked the IP addresses (from Montevideo, Uruguay). I also updated my comments blacklist. However, how do you set comments to be moderated?

skennedy1217
01-27-2006, 04:46 AM
se.nsuo.us, thanks! I've updated the functions.php file, too. Hopefully I can go to bed now and wake up worry free. :)

Ariel
01-27-2006, 04:48 AM
To moderate comments, go to Options, then under the General section, there's an option for Comment Moderation near the bottom.

se.nsuo.us
01-27-2006, 04:50 AM
I blocked the IP addresses (from Montevideo, Uruguay). I also updated my comments blacklist. However, how do you set comments to be moderated?
Heh, looks like the idiot got wise after I posted a comment at my site - blocking IPs won't help for the time being, BUT I do have his original IP.

Come on kid - hit me

se.nsuo.us
01-27-2006, 04:53 AM
To be able to see these comments in the admin interface, open the file comment.php and change the line <b>$message</b><br /> to <b>".htmlentities($message)."</b><br />

japanwindow
01-27-2006, 05:00 AM
Please post a message here when you come up with a fix.

Is this a problem in all versions of Pixelpost, or just in older versions? I think I'm still on 1.4.1 or 1.4.2...

For those of you with PHPMyAdmin, you can use that to open your database, click the link for your comments database, and then edit/delete the comment from there. It may be easier to find the comment by sorting your comments in ascending (or descending?) order first.

skennedy1217
01-27-2006, 05:10 AM
I think I'm still on 1.4.2 also, so comments.php isn't there? Ahhh...must upgrade.

Update: Found it in the index.php file.

parella
01-27-2006, 05:15 AM
i just got the comment too...
how do I delete it? going into the comments in the admin section also sends me to the red Defaced image...

Edit
ok i see, going directly to the database.

Connie
01-27-2006, 05:15 AM
we are aware of that and in the next release of PP it will be stopped

with 1.4.3 we did a lot of stopping comment spam and there was a lot of discussion on that, but nobody brought this to our attention. Awareness just grows when shit happens, unfortunately.

skennedy1217
01-27-2006, 05:17 AM
Here's a message NOOB left me in one of the comments (asking me to pass it along)...

Dude.. I'm using a proxy. Send this message: I don't want to destroy anything. I am not a bad person. If you noticed, I don't get the db info or connect to it. That is easy to do. I just want to make noise, so that the pixelpost staff develop a stable photoblog script. So.. that's all folks. I'm not messing more with you, I sent my message. I will work to improve the pixelpost safety. And you will know and the same you know the bug. See ya.
by noob -

I'm going to bed...it's 1:17AM here on the East Coast. Thanks all for your help!

se.nsuo.us
01-27-2006, 06:02 AM
Thanks noob - you will get more fame by publishing a security advisory with exploits. Doing what you have done just makes people who are not PHP/Programming literate think that you are a jerk!

Looking forward to your constructive contributions to the community :)

zjootsuite
01-27-2006, 06:24 AM
I also have this stupid "defaced" picture! I try to fix it. How can I block IP in admin or where to do it? This message came from IP 200.83.15.18

turnover
01-27-2006, 07:02 AM
For the comment with defaced image you can put "defaced" in the pixelpost anti-spam interface in addon section.
I have the pixelpost 1.5beta1 and I think this is a good choice to not allow html in comments

-okapi-
01-27-2006, 07:20 AM
put $comment_message = strip_tags($comment_message);

In the function print_comments in file includes/function.php after the line $comment_message = pullout($comment_message);



works perfectly, thanks a lot, se.nsuo.us!!!

utok
01-27-2006, 07:42 AM
yeah i too got hit. anyhow-- thanks ariel (waddup!) for the mysql code.

just in case someone is a little confused and they're running phpmyadmin--
just find your pixelpost_comments table and then run
SELECT * FROM `pixelpost_comments`
which shows every comment. then just find the one that has the meta info in the comment. prolly the most recent.

ariel has direct access to his server so his directions were for if you can get to its console.

blinking8s
01-27-2006, 07:49 AM
i got hit too...

thanks for the help in here everyone, really cool to see the community pulling together!

we're working out a final patch at the moment for 1.4.3 and 1.5b so stay tuned

se.nsuo.us
01-27-2006, 07:57 AM
works perfectly, thanks a lot, se.nsuo.us!!!
Welcome, a more complete solution is htmlentities(strip_tags(trim($comment_message, "\x7f..\xff\x0..\x1f")), ENT_QUOTES);

sentinel
01-27-2006, 08:12 AM
just another possible(?) solution..

take the first example from http://at2.php.net/manual/en/function.preg-replace.php
replace the line
$text = preg_replace($search, $replace, $document);
with

$message = preg_replace($search, $replace, $message);
and put it into the "SAVE COMMENT" section in index.php above the if statements
so the whole javascript and META stuff doesn't make it into the db
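Added example (my own code, not Pixelpost's and not from any poster): the sanitisation chain se.nsuo.us gave above and the display-side htmlentities change for comment.php, wrapped as two helpers so they can be run against a constructed comment. Function names, the sample comments and the placeholder URL are assumptions made here.

```php
<?php
// Added example, not Pixelpost's own code. Helper names are invented here.

// Storage-side cleanup, the chain se.nsuo.us posted, with one change:
// trim() only strips characters at the ends of a string, so a regex is
// used to drop control bytes anywhere in the comment. Bytes 0x80-0xff are
// left alone so that non-ASCII text in comments survives.
function sanitize_comment(string $message): string
{
    $message = preg_replace('/[\x00-\x1f\x7f]/', '', $message);
    // strip_tags() removes every tag, including <META ...> and <script>.
    $message = strip_tags($message);
    // Encode quotes and angle brackets that remain, e.g. a literal "<" in text.
    return htmlentities($message, ENT_QUOTES, 'UTF-8');
}

// Display-side escaping, the comment.php / index.php change from the thread.
// Comments already sitting in the database are encoded at output time, so the
// browser renders them as text instead of acting on them.
function render_comment_for_admin(string $stored): string
{
    return '<b>' . htmlentities($stored, ENT_QUOTES, 'UTF-8') . '</b><br />';
}

// Constructed samples modelled on the comment quoted earlier in the thread;
// the image URL is a placeholder, not the real one.
$samples = [
    '<META http-equiv="refresh" content="0; URL=http://example.invalid/defaced.gif"><br />',
    "Nice photo!\x00 <script>alert(1)</script> 2 < 3",
];

foreach ($samples as $raw) {
    echo "raw:       " . $raw . "\n";
    echo "sanitized: " . sanitize_comment($raw) . "\n";
    echo "admin:     " . render_comment_for_admin($raw) . "\n\n";
}
```

The output-time encoding is what makes a stored comment harmless regardless of what a pattern list such as sentinel's preg_replace happens to match, so it is worth applying even after the storage-side cleanup is in place.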

steff
01-27-2006, 08:23 AM
i'm defaced too :(

tinyblob
01-27-2006, 08:30 AM
Welcome, a more complete solution is htmlentities(strip_tags(trim($comment_message, "\x7f..\xff\x0..\x1f")), ENT_QUOTES);

nice work sensuous.
i'm personally using this function:

if ($comment_message != "good photo!") {
$comment_message = "good photo!";
}

that seems to solve most comment problems!



by the way, this IS a joke.
can't believe i missed all the excitement.

acanay
01-27-2006, 08:35 AM
shit ... you have to type a code to add a comment on my page and it still went through? does it mean somebody is doing this manually??

ps. I just deleted the whole entry :-)

se.nsuo.us
01-27-2006, 08:36 AM
if ($comment_message != "good photo!") {
$comment_message = "good photo!";
}

that seems to solve most comment problems!


ROFLMAO - must implement that

raminia
01-27-2006, 09:18 AM
hi there,
I wanted to tell you that I'm monitoring this and I've received the same comments as well. I'm testing the fix patches...

steff
01-27-2006, 09:25 AM
I use html in comments, just for img src (smileys).
I read the above solutions but I can't understand very well... can anyone give me a solution which saves polite html? :)
thanks

smlgphotos
01-27-2006, 11:48 AM
I just got hit as well. Thankfully, my comments are hidden until clicked, so it isn't as bad as it could have been.

1) How do I make them moderated?
2) Where do I add refresh to a black list?
3) How do I edit my MySQL database?

My web programming/design skills are somewhat limited (hence, why I'm using Pixelpost) so I'm going to need some help here, please.

tinyblob
01-27-2006, 12:09 PM
1) if you're using pixelpost 1.5b it's in your control panel.
2) should be in the addons section..
3) if your host provides phpmyadmin you can use that; if you want to get rid of the comment, I posted a quick script to delete it somewhere around here.

Paul Wood
01-27-2006, 12:09 PM
Dammit! I just got hit, too!

smlgphotos
01-27-2006, 12:11 PM
Where does this line go:
htmlentities(strip_tags(trim($comment_message, "\x7f..\xff\x0..\x1f")), ENT_QUOTES);

(I'm using v.1.4.1 it seems. I guess I should upgrade?)

Ocean
01-27-2006, 12:18 PM
Thanks All - excellent help!

apelki
01-27-2006, 01:12 PM
Yep I got hit with this one.
Installed 1.5beta and running blinking8s new function.php. (thanks btw)

You don't have to use any mysql to delete the post (if you're fast enough)

With it using a refresh, just hit "STOP" on your browser as it's loading the comments section in the admin page; if you time it right you will prevent the meta refresh.....then just click delete.

That's how I got rid of it.

cheers

Andrewmorrell
01-27-2006, 02:42 PM
I got nailed too... I used the functions.php fix and it works beautifully, but I'm still using 1.4.2 and don't have a comment.php file. Time to upgrade!

Let me thank the gurus for posting such quick and easy fixes. You guys are awesome.

Andrew

er16004
01-27-2006, 02:51 PM
Not sure if anyone noticed, but it's not a bot or script that is automatically doing this. So, IMHO, removing comments with the word 'defaced' and such won't work since this is a human posting these and, if he's smart enough, he'll just use a different word like 'hotdog' or something.

I shut down my comments to prevent any further attacks. I didn't notice anyone else suggesting that solution. I'm all for a patch, but I needed something immediate, so I disabled the comments (temporarily) altogether. I should have mentioned in my post from yesterday that he identified Pixelpost specifically, so, he IS targeting PP Blogs. He's also probably grabbing his next target from these forums.

For those of you with hosting that has cPanel (control panel) access , you can access the MySQL Databases icon, then at the bottom of that database page, there is a link to phpMyAdmin. You should probably backup your database before you modify it, but that's a different lesson. Click the phpMyAdmin link and it will bring up a new window. In phpMyAdmin, find your database from the dropdown, select it and it will display a listing of your tables. BROWSE the pixelpost_comments table. This will list all the comments made on your site. At the end should be the last posted (and probably offending) comments. Select these and delete them (there's icons for all that). Close your browser windows when finished.

Just trying to help.

tinyblob
01-27-2006, 03:02 PM
eric (took a guess at your name).
my script that deletes "defaced" was just to clear up leftover comments after the various different solutions to the problem had been applied.

he's a real person yes, and hopefully if he's reading then he knows that he's made his impression with us, we're fixing it. hopefully he won't feel the need to upset any more users.

jmz
01-28-2006, 02:47 AM
Thank you all for your efforts and the discussion. It is definitely something that is very annoying, but I would like to particularly thank sen.suo.us (pardon me if there is a typo in there) and others who promptly joined the discussion for posting a quick and working fix. Just to reiterate my point, I am not angry at anyone, just the kid who did the defacement. He was just a kid who wanted to show off (typical of 14 y.olds!), we should feel sorry that he did not get enough attention from his folks.