PHP Shoutbox help...

[EsOne]

So, my website uses ShoutPro. Well, today iw as looking in my file manager and saw the file "hey.php" in the directory of the shoutbox. I tried opening the file via my file manager, and it made FF stop responding. From what I did see of the code before it froze was milw0rm. I did some research and found that ShoutPro has a security issue, and that it can be used to remotely execute commands. I deleted all files related to it (which was only the hey.php and info.txt, which both had the same looking code in it)

 

I searched milw0rm and got the following link about the Shoutpro Exploit:

 

http://www.milw0rm.com/exploits/3758

 

I am pretty much a newish PHP coder, and do not know very much. Can someone put into dumb terms what this link is saying? What should I do to "sanitize" this code they are referring to?

 

Sorry if this is the wrong forum 

[beta0x64]

Oh boy. I'm sorry to hear that you've been compromised.

The recommendations state that you should...

1) Add code to perform strip_tags() on $shout in shoutbox.php

2) Prevent direct access to shouts.php with a .htaccess file

 

By "sanitizing" the input, they mean that shoutbox.php is allowing a user to do naughty things to your computer by running specialized code through your shoutbox application. This is a rather serious threat. I would change my root password, maybe even make a chroot jail for your website. Somewhere in the shoutbox code, you need to find out where the input is taken in and you need to perform a "strip_tags" on it to remove html, script tags, etc. that could be used to execute code through your application as if it was the original intent of shoutbox.