I'm so (un)lucky...
I hadn't played FH for about 6 months.
Yesterday (for me, I'm from Poland ;P) - 15 July 2013, about 18:30 UTC (20:30 in Poland) - I visited the FH website for the first time in months.
I tried to sign in but instead, by accident, I downloaded the source code.
Something was wrong with the PHP parser:
http://www.feral-heart.com/index.php - worked fine
But anything with URL parameters, like:
http://feral-heart.com/index.php?option=com_jfusion&Itemid=2&jfile=index.php&topic=15759.0 and
http://feral-heart.com/index.php?option=com_alpharegistration&view=register&Itemid (link to the registration page, found on Google) - returned this:
<?php
//Turn SSL off
$url = "http://". $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
if ($_SERVER['SERVER_PORT'] != "80") {
header("Location: $url");
exit;
}
/**
* @version $Id: index.php 14401 2010-01-26 14:10:00Z louis $
* @package Joomla
* @copyright Copyright (C) 2005 - 2010 Open Source Matters. All rights reserved.
* @license GNU/GPL, see LICENSE.php
* Joomla! is free software. This version may have been modified pursuant
* to the GNU General Public License, and as distributed it includes or
* is derivative of works licensed under the GNU General Public License or
* other free or open source software licenses.
* See COPYRIGHT.php for copyright notices and details.
*/
// Set flag that this is a parent file
define( '_JEXEC', 1 );
define('JPATH_BASE', dirname(__FILE__) );
define( 'DS', DIRECTORY_SEPARATOR );
require_once ( JPATH_BASE .DS.'includes'.DS.'defines.php' );
require_once ( JPATH_BASE .DS.'includes'.DS.'framework.php' );
JDEBUG ? $_PROFILER->mark( 'afterLoad' ) : null;
/**
* CREATE THE APPLICATION
*
* NOTE :
*/
$mainframe =& JFactory::getApplication('site');
/**
* INITIALISE THE APPLICATION
*
* NOTE :
*/
// set the language
$mainframe->initialise();
JPluginHelper::importPlugin('system');
// trigger the onAfterInitialise events
JDEBUG ? $_PROFILER->mark('afterInitialise') : null;
$mainframe->triggerEvent('onAfterInitialise');
/**
* ROUTE THE APPLICATION
*
* NOTE :
*/
$mainframe->route();
// authorization
$Itemid = JRequest::getInt( 'Itemid');
$mainframe->authorize($Itemid);
// trigger the onAfterRoute events
JDEBUG ? $_PROFILER->mark('afterRoute') : null;
$mainframe->triggerEvent('onAfterRoute');
/**
* DISPATCH THE APPLICATION
*
* NOTE :
*/
$option = JRequest::getCmd('option');
$mainframe->dispatch($option);
// trigger the onAfterDispatch events
JDEBUG ? $_PROFILER->mark('afterDispatch') : null;
$mainframe->triggerEvent('onAfterDispatch');
/**
* RENDER THE APPLICATION
*
* NOTE :
*/
$mainframe->render();
// trigger the onAfterRender events
JDEBUG ? $_PROFILER->mark('afterRender') : null;
$mainframe->triggerEvent('onAfterRender');
/**
* RETURN THE RESPONSE
*/
echo JResponse::toString($mainframe->getCfg('gzip'));
I tried the same thing with config.php (which contains the login and password for SQL and FTP), and unfortunately it worked. :/
I wasn't able to log in to the FH forum, so I tried to warn Red, or anyone from the staff, in the game.
Around 19:30 UTC (21:30 in Poland) Red and Shady were online on FH.
I was whispering to him, but he wasn't answering.
At the same time the FH website went down with an error:
Database Error: Unable to connect to the database:Could not connect to MySQL
Some time later I tried talking to Red again. I asked him if he had received my messages; he replied something like "what messages?", and a few minutes later the FH game server went down.
I was (probably, I didn't check that) able to use the data from config.php to download the SQL database, remove files by FTP, etc., but I'm not a black hat. I'm not even a hacker. I'm a webmaster who knows something about IT security, but not really much.
If I was able to do this, there's a pretty high possibility that someone who's not a white hat found this bug too and used it to download the FH database.
So change your passwords, just in case. At least until someone from the staff checks whether anyone downloaded the database and gives an official announcement about this.
And sorry for my bad English.
And please, don't ban me, nor remove this topic. I'm just trying to clear some things up.
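A check for the kind of leak described in this post, as an added example that is not part of the original post or of FeralHeart's code: it flags responses that still contain a PHP open tag (meaning the interpreter never ran the file) and, for a leaked configuration file, lists which credential-bearing settings it exposes with the values redacted to their length, so the finding can be reported without reposting the secrets. The sample bodies, the example.com URLs, the file name configuration.php (Joomla's name for the file the post calls config.php) and the setting names are assumptions.

```python
# Added example (not from the post): detect PHP source disclosure and report a
# leaked Joomla configuration file without reposting the credentials it contains.
# URLs, file names and the sample bodies below are constructed for illustration.
import re
import sys
from typing import Dict
from urllib.request import Request, urlopen

PHP_OPEN_TAG = re.compile(r"<\?php\b")
# "var $name = 'value';" as written in a Joomla 1.5 configuration.php (assumed layout)
ASSIGN_RE = re.compile(r"""^\s*(?:var|public)?\s*\$(\w+)\s*=\s*(['"])(.*?)\2\s*;""", re.M)
# Setting names that hold database / FTP / mail credentials in that file (assumed names)
SENSITIVE_KEYS = {"host", "user", "password", "db", "ftp_host", "ftp_user",
                  "ftp_pass", "secret", "smtpuser", "smtppass"}


def looks_like_php_source(body: str) -> bool:
    """True when the body still contains a PHP open tag: the interpreter never ran it,
    so the server handed the file out as-is, whatever Content-Type it claimed."""
    return PHP_OPEN_TAG.search(body) is not None


def leaked_settings(body: str) -> Dict[str, str]:
    """Names of credential-bearing settings found in a leaked config file, each value
    replaced by its length. Enough to prove the leak in a report without pasting
    the secrets themselves into a public forum."""
    found = {}
    for name, _quote, value in ASSIGN_RE.findall(body):
        if name in SENSITIVE_KEYS:
            found[name] = f"<redacted, {len(value)} chars>"
    return found


def triage(responses: Dict[str, str]) -> Dict[str, str]:
    """Map each URL to a one-line verdict, given the body already fetched for it."""
    verdicts = {}
    for url, body in responses.items():
        if not looks_like_php_source(body):
            verdicts[url] = "ok: PHP executed"
        elif leaked_settings(body):
            exposed = ", ".join(sorted(leaked_settings(body)))
            verdicts[url] = "CRITICAL: raw PHP with credentials: " + exposed
        else:
            verdicts[url] = "HIGH: raw PHP source disclosed"
    return verdicts


def fetch(url: str, timeout: float = 10.0) -> str:
    """Fetch a URL for live use; never called at import time, so the module runs offline."""
    req = Request(url, headers={"User-Agent": "source-disclosure-check"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# --- Constructed sample responses ---------------------------------------------
RENDERED_HTML = "<!DOCTYPE html><html><head><title>Home</title></head><body><p>Hi</p></body></html>"

# First lines of the disclosed index.php quoted in the post
LEAKED_INDEX = """<?php
//Turn SSL off
$url = "http://". $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
define( '_JEXEC', 1 );
"""

# Constructed Joomla 1.5-style configuration.php with placeholder values (not real data)
LEAKED_CONFIG = """<?php
class JConfig {
    var $offline = '0';
    var $dbtype = 'mysql';
    var $host = 'localhost';
    var $user = 'example_user';
    var $password = 'example_pass';
    var $db = 'example_db';
    var $ftp_host = '127.0.0.1';
    var $ftp_user = 'example_ftp';
    var $ftp_pass = 'example_ftp_pass';
}
?>
"""

SAMPLES = {
    "http://example.com/index.php": RENDERED_HTML,
    "http://example.com/index.php?option=com_jfusion&Itemid=2": LEAKED_INDEX,
    "http://example.com/configuration.php": LEAKED_CONFIG,
}

if __name__ == "__main__":
    # Pass URLs on the command line to check a live site you are authorised to test;
    # with no arguments the constructed samples are triaged instead.
    bodies = {u: fetch(u) for u in sys.argv[1:]} if len(sys.argv) > 1 else SAMPLES
    for url, verdict in triage(bodies).items():
        print(f"{verdict:60s} {url}")
```

The open-tag test is deliberately independent of the Content-Type header: a misconfigured server usually still labels the leaked file as text/html, so the header proves nothing, while a correctly executed page can never contain `<?php`. Run the script against your own site only; the constructed samples reproduce the three cases from the post (plain index.php served normally, index.php with parameters leaking source, and the configuration file leaking credentials).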