iDesk Hacked!!!!

[FSGDAG]

It would seem that since iDesk went Open Source, all the kiddie hackers have found flaws in it... NiceCoder's Support site has been hacked and so has mine ( IndexU Hostings ).

If / When a fix has been found, PLEASE post it here!

[Bruceper]

I have deleted iDesk from my site due to this exploit.

It appears to be an SQL injection attack. More details can be found at the URL below

Nicecoder iDesk 'download.php' SQL Injection Vulnerability

Since iDesk is "open source" I would not expect to see a fix for this from Dody.

[Bruceper]

Super simple solution?

Delete download.php

On another note, this issue was published on September 10 2009. Since iDesk was commercial software at that time, I would think Nicecoder is obligated to fix it.

- Home (Powered by iDesk) <- 0wned

Now the big question is, what is Nicecoder going to do next? A public announcement? Forensic auditing to determine if any personal data was lost such as FTP logins, administrator passwords, possible billing information, personal information, credit monitoring?

I know what happened to my installation and what happened to my data, but I won't say until I hear from Nicecoder. I want to know Nicecoder is going to do and when they plan on doing it.

[FSGDAG]

Well put it like this... I'm not trying to be negative, but if NiceCoder did decide to not plug the hole, then they might as well just remove it off the website and can it all together. No one is going to use or continue to use a product that's got a major hole in it. Especially when the hole is publicized.

[dody]

According to GPL license term:

15. Disclaimer of Warranty.

THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

However I will check this issue seriously. At the moment I disable the idesk download link.

[dody]

According securityfocus report, a quick fix would be deleting download.php file.

[dody]

It is for 1.6.4. Extract and upload to /lib/core/
It will eliminate sql injection.

Please report me back if you have some errors.

[Bruceper]

Sorry, I never agreed to the GPL license so it doesn't apply. I agreed to the Nicecoder terms when I purchased the software at the beginning of my employment with Nicecoder. In fact all of my downloads of iDesk and all other Nicecoder software were downloaded when they were commercial software with a Nicecoder license.

Sure I got the coupon code at the time of my purchase, but the applicable license here is at my last download date.

Please tell me what, if any, remedy you will be applying for this situation.

Additionally, I do appreciate the quick fix, but for me it came too late and iDesk has already been removed.

[ekirbiz]

Hey always i am criticizing nicecoder support (not scripts).
But this is a free script and can have exploits or injections.
Now idesk can be available for a safe use?

[gspinney]

Well it was FREE for you ekirbiz, somehow I got scammed into buying this software, then finding out later it went open source.

Seems nicecoder/indexu has slacked. Time to look for new scripts and steer clear in Indexu products.

You guys had a good run, now your support and scripts have fallen behind.

[gspinney]

My iDesk was "hacked" (using the word loosely) into and a few pages changed, but because the majority of my site was custom to begin with, not much was changed.

Further, "hacked" - gaining access to a web site by an exploit is not hacking. It's just GAY childs play and anyone can do it. Someone has way to much time on their hands and would seriously suggest you find a "real job."

Bibi-inf@hotmail.com // Dz8@HotmaiL.CoM // HackeD By Dz05 // hacked by bibi info & madjix

The thing that I am pissed off at is Indexu didn't bother to send out a mass email to inform people who actually paid money for this script of this exploit. This clearly shows me one thing, Nicecoder just wants your money, once they have it you can F*&K right Off.

Dody, you should never have sold this business.

[dody]

We could not continue to support idesk, nicetalk and nicemember. So we make them free and GPL.

[tina90]

Awesome work, just keep it up

[gspinney]

Awesome work, just keep it up

What Total one post for tina90. Point to brown noser.

The scripts are great, just the support has tanked lately.

Fixed the problem too...

Now anyone been getting hack attempts on indexu?

/js/local.jstype=text/javascript
blocks/block.whos_online.php

[dody]

I'm glad the problem solved.

What Total one post for tina90. Point to brown noser

She is not a fake user.

Now anyone been getting hack attempts on indexu?

It is secure.

Btw, what is your website, sorry I forgot. I know you bought indexu 7 years ago.