
SAM Broadcaster PHP Template security issues.



OK so first off I'm not SAM Bashing!

 

I saw a tweet yesterday about the SAM Broadcaster PHP templates having a security issue, where a malicious user could hack and deface your website.

 

http://djgarybaldy.co.uk/wp-content/uploads/2014/07/Screenshot-230714-161640.png

 

http://djgarybaldy.co.uk/wp-content/uploads/2014/07/Screenshot-230714-203901.png

 

I'm not 100% sure as to what the problem is, but as you can see from the attached pictures a firm called Acunetix is rating the SAM Broadcaster PHP website templates as at risk.

 

I've tried making Spacial aware of the issue but they probably won't take the blindest bit of notice.

 

The original article, written in Dutch, is here: http://www.requestserver.nl/?p=Nieuws (2nd item down the page).

 

I would advise being careful using the PHP website templates until Spacial announce a fix for it.

 

You really don't want to be putting your PC at risk of attack now really do you?

My Blog https://djgarybaldy.blogspot.com

User of RadioDJ FREE radio playout software since 2010.

How to Install RadioDJ: https://djgarybaldy.blogspot.com/2020/08/how-to-install-radiodj-free-radio.html

RadioDJ is my most FAVOURITE piece of software EVER

 

 


I'm super curious what the exploit is. I'd hate to have to switch to the HTML pages while Spacial comes up with a fix.

 

 

I'm currently awaiting the full report via email from the author directly. As soon as I have any more info I will be updating things.

 

As it stands, I'd be careful using SAM PHP for requests for the time being; this is the second flaw that's been noticed in the SAM Broadcaster request system. There was one a few months ago that someone had picked up on, which I did a blog post about.

 

 

http://djgarybaldy.co.uk/sam-broadcaster-request-server-security-flaw/

 

So far the original author hasn't even had a reply from Spacial either, so when it's likely to be fixed is anyone's guess. You can bet your bottom dollar they will charge people for the fix!


Interesting post Gary and thanks for the info.

 

After reading the post I realized I have my requests and broadcaster set up totally differently, with the request and SQL ports blocked (closed for incoming and outgoing traffic).

 

I've always wondered about direct SQL injections from the pages but haven't tested that, and I suspect that's part of the flaw.
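The post above speculates that SQL injection from the request pages is part of the flaw without saying how such a flaw looks. The following is an added illustration, not code from SAM Broadcaster's PHP templates or from Spacial: it places the weak pattern (request input interpolated into SQL text) beside the usual fix (integer validation plus a prepared statement). The table name `songlist`, its columns `ID`, `artist` and `title`, the parameter name `songid` and the sample rows are all assumptions made for this example; an in-memory SQLite database stands in for the real server so the script runs offline (it needs the `pdo_sqlite` extension).

```php
<?php
// Added example, not code from SAM Broadcaster's PHP templates or from Spacial.
// Table "songlist" (columns ID, artist, title), the "songid" parameter and the
// sample rows are assumptions for this illustration. SQLite in memory replaces
// the real database server so the file runs offline.

declare(strict_types=1);

// Weak pattern: the request value is pasted into the SQL text, so whatever the
// browser sends is handed to the database's SQL parser as part of the query.
function lookupSongUnsafe(PDO $db, string $songid): array
{
    $sql = "SELECT ID, artist, title FROM songlist WHERE ID = $songid";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: reject anything that is not a plain integer before the
// database is involved, then pass the value separately from the SQL text
// through a prepared statement with an explicit integer binding.
function lookupSongSafe(PDO $db, string $songid): ?array
{
    if (!ctype_digit($songid) || strlen($songid) > 9) {
        return null; // not a song ID at all; nothing reaches the database
    }
    $stmt = $db->prepare('SELECT ID, artist, title FROM songlist WHERE ID = :id');
    $stmt->bindValue(':id', (int) $songid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data so the example runs without a SAM database.
// On a MySQL connection you would additionally set PDO::ATTR_EMULATE_PREPARES
// to false so that the server, not the client library, handles the binding.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE songlist (ID INTEGER PRIMARY KEY, artist TEXT, title TEXT)');
$db->exec("INSERT INTO songlist VALUES (1, 'Example Artist', 'Example Song'),"
        . " (2, 'Another Artist', 'Another Song')");

// A request page would read $_GET['songid']; here the inputs are fixed.
// The second input is not a number: the unsafe lookup lets it reach the SQL
// parser (which fails on it), while the safe lookup never sends it at all.
foreach (['2', 'abc'] as $input) {
    try {
        $rows = lookupSongUnsafe($db, $input);
        printf("unsafe %-4s -> %d row(s)\n", $input, count($rows));
    } catch (PDOException $e) {
        printf("unsafe %-4s -> input reached the SQL parser: %s\n", $input, $e->getMessage());
    }
    $row = lookupSongSafe($db, $input);
    printf("safe   %-4s -> %s\n", $input, $row === null ? 'rejected or not found' : $row['title']);
}
```

The point of running both lookups on the same inputs is where the rejection happens: the hardened version decides on the input in PHP before any SQL is built, whereas the weak version only finds out about bad input when the database parser does, which is too late. Blocking the SQL port from the outside, as the post above describes, limits direct connections but does nothing about queries the request page itself issues on a visitor's behalf, so the two measures complement rather than replace each other.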


The report arrived a bit quicker than I was anticipating: http://www.mediafire.com/view/hnvywovh4yovlsk/Sam_Brodcaster.pdf

 

The report is done by www.boann.eu.

 

I haven't had time to read the full report as of yet; that's why I'm sharing it here. Grab some coffee, as it's 38 pages long.

 

They sent me two .pdf files; the other one lists the vulnerabilities on the actual Spacial website. That can't be good for business, a website that's full of security holes.

 

Someone brought this to the attention of the SAM broadcaster forums and two of the moderators over there have just called me a liar!

How can it be a lie if the .pdf detailing the security issues wasn't written by me?

 

I give up I really do.

Edited by djgary72
