djgary72 Posted July 24, 2014 Share Posted July 24, 2014 OK so first off I'm not SAM Bashing! I saw a tweet yesterday about the SAM broadcaster PHP templates having a security issue. Where a malicious user could hack and deface your website. http://djgarybaldy.co.uk/wp-content/uploads/2014/07/Screenshot-230714-161640.png http://djgarybaldy.co.uk/wp-content/uploads/2014/07/Screenshot-230714-203901.png I'm not 100% sure as to what the problem is but as you can see from the attached pictures a firm Called Acunetix are rating the SAM Broadcaster PHP website templates as at risk. I've tried making Spacial aware of the issue but they probably won't take the blindest bit of notice. The original article written in Dutch is here. http://www.requestserver.nl/?p=Nieuws 2nd item down the page. I would advise being careful using the PHP website templates until Spacial announce a fix for it. You really don't want to be putting your PC at risk of attack now really do you? My Blog https://djgarybaldy.blogspot.com User of RadioDJ FREE radio playout software since 2010. How to Install RadioDJ: https://djgarybaldy.blogspot.com/2020/08/how-to-install-radiodj-free-radio.html RadioDJ is my FAVOURITE piece of software it works when I need It Link to comment Share on other sites More sharing options...
SlamminTunes Posted July 25, 2014 Share Posted July 25, 2014 I'm super curious what the exploit is. Id hate to have to switch to the html pages while spacial comes up with a fix Link to comment Share on other sites More sharing options...
djgary72 Posted July 25, 2014 Author Share Posted July 25, 2014 I'm super curious what the exploit is. Id hate to have to switch to the html pages while spacial comes up with a fix i currently awaiting the full report via email from the author directly. As soon as i have any more info I will be updating things. Aas it stands i'd be careful using SAM PHP for requests for the time being this is the second flaw that's been noticed in the SAM Broadcaster request system. There was one a few months ago that someone had picked up on which I did a blog post about. http://djgarybaldy.co.uk/sam-broadcaster-request-server-security-flaw/ So far the original author hasn't even had a reply from Spacial either so when it's likely to be fixed is anyones guess. You can bet your bottom dollar they will charge people for the fix! My Blog https://djgarybaldy.blogspot.com User of RadioDJ FREE radio playout software since 2010. How to Install RadioDJ: https://djgarybaldy.blogspot.com/2020/08/how-to-install-radiodj-free-radio.html RadioDJ is my FAVOURITE piece of software it works when I need It Link to comment Share on other sites More sharing options...
SlamminTunes Posted July 25, 2014 Share Posted July 25, 2014 Interesting post Gary and thanks for the info. After reading the post I realized I have my requests and broadcaster setup totally differently with the request and sql ports blocked (closed for traffic incoming and outgoing) I've always wondered about direct sql injections from the pages but haven't tested that and I suspect that's part of the flaw. Link to comment Share on other sites More sharing options...
djgary72 Posted July 25, 2014 Author Share Posted July 25, 2014 The report arrived a bit quicker than I was anticipating http://www.mediafire.com/view/hnvywovh4yovlsk/Sam_Brodcaster.pdf Is the report done by www.boann.eu I haven't had time to read the full report as of yet that's why i'm sharing it via here. Grab some coffee as it's 38 pages long. They sent me 2 .pdf files the other one lists the vulerabilites on the actual Spacial website. That can't be good for business a website that's full of security holes. Someone brought this to the attention of the SAM broadcaster forums and two of the moderators over there have just called me a liar! How can it be a lie if the .pdf detailing the security issues wasn't written by me ?? I give up I really do. My Blog https://djgarybaldy.blogspot.com User of RadioDJ FREE radio playout software since 2010. How to Install RadioDJ: https://djgarybaldy.blogspot.com/2020/08/how-to-install-radiodj-free-radio.html RadioDJ is my FAVOURITE piece of software it works when I need It Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.