NOTAM: InfinityFree for phpVMS

NOTAM: phpVMS on InfinityFree Hosting

It has come to my attention in the last hour that InfinityFree no longer supports a function called unserialize due to serious security issues with it. We’re talking so serious you could take over their servers with it… so it was very important that it was patched ASAP. The downside is that phpVMS uses this function and now shows an error at the top of every screen. From what I can tell it has not affected any functions, but I am yet to look into exactly what it was being used for. I will update this thread as I have more information and look into a fix.

If you have any questions feel free to ask.


Update 2020-07-30

InfinityFree appears to have re-enabled the function, meaning all should be fixed.


So now do we need to pay for hosting?

I’m looking into it. I may be able to make a fix, I might not. But as far as I can tell this is a core part of the user authentication system and hence will take some time.


The crew center is inaccessible to my pilots now. They can’t log in. Hope this issue would be solved soon :/


That’s weird, I’m able to access my crew center and other VAs’ crew centers.

I can too. But some can’t as they’ve been logged out already. Once they’re logged out, they can’t log back in anymore.

Update @ 1330Z

…and 11:30pm local time but that’s beside the point.

I’ve managed to do some research on the reason for the change as well as how unserialize is used. Let’s start with the issue with it.

If given a bad (malicious) piece of data, the unserialize function can actually allow an attacker to execute their own code on the InfinityFree server. Naturally this is something that should be prevented as it can allow an attacker to access files and permissions they should not have. These vulnerabilities don’t affect phpVMS as far as I can tell but it’s hard to tell at this point. More on this to come.

To understand what unserialize does you have to understand what serialize does. The latter converts an object in PHP to a string (letters, numbers and symbols). Unserialize does the opposite, it takes a string and converts it to an object, but in doing so exposes the ability for things to be converted to objects that shouldn’t be. In phpVMS, unserialize is used to convert data that’s stored in a browser cookie (a term many people are familiar with - those things you get the warning about when you visit a site and click I agree without reading what you’re agreeing to) to an object that can be interpreted by phpVMS in a multitude of ways. It is for this reason that I believe a fix is extremely unlikely.

I’m continuing to work with a few of the affected VAs to get a better picture of what is going on here, but for now this is all I have to offer.

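The post above explains that phpVMS hands browser cookie data to unserialize(), and that a crafted string can make PHP build objects the application never intended. The following is an added example (not phpVMS code and not from the original post) showing that pattern on a minimal "remember me" cookie reader, the object-injection effect with a constructed gadget class, and two hardened alternatives: signed JSON, and unserialize() with object creation disabled. The CacheEntry class, the cookie layout, the secret and the temp file path are all constructed for this demonstration.

```php
<?php
// Added example: a "remember me" cookie reader written the unsafe way
// (unserialize() on browser-supplied data) and two hardened ways.
// Not phpVMS code. CacheEntry, the cookie layout, the secret and the
// file path are constructed for this demonstration.

// Constructed stand-in for any class that is loadable when unserialize()
// runs and does something with its properties in a magic method.
class CacheEntry
{
    public $file;
    public $contents;

    // Runs when the object is released, i.e. right after unserialize() has
    // built it from the attacker's string and the caller drops it.
    public function __destruct()
    {
        if ($this->file !== null) {
            file_put_contents($this->file, $this->contents);
        }
    }
}

// Unsafe: the cookie value decides which class gets instantiated.
function readRememberMeUnsafe(string $cookie): array
{
    $data = unserialize(base64_decode($cookie));
    return is_array($data) ? $data : [];
}

// Hardened: plain JSON (no class names at all) plus an HMAC so a tampered
// cookie is rejected before anything is parsed.
function makeRememberMeCookie(array $data, string $key): string
{
    $json = json_encode($data);
    return base64_encode($json) . '.' . hash_hmac('sha256', $json, $key);
}

function readRememberMeSafe(string $cookie, string $key): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $json = base64_decode($parts[0], true);
    if ($json === false) {
        return null;
    }
    // Constant-time comparison; reject before json_decode() sees the data.
    if (!hash_equals(hash_hmac('sha256', $json, $key), $parts[1])) {
        return null;
    }
    $data = json_decode($json, true, 8);
    return is_array($data) ? $data : null;
}

// If unserialize() must stay for compatibility with cookies already issued,
// at least refuse to build objects: anything naming a class becomes
// __PHP_Incomplete_Class and no magic method runs (PHP 7.0+). On a host that
// has listed unserialize in disable_functions this call still fails, and
// function_exists('unserialize') returns false there.
function readRememberMeNoObjects(string $cookie): array
{
    $data = unserialize(base64_decode($cookie), ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// --- demonstration with constructed data ---
$target = sys_get_temp_dir() . '/unserialize_demo.txt';
@unlink($target);

// What an attacker would put in the cookie: a serialized CacheEntry.
$evil = new CacheEntry();
$evil->file = $target;
$evil->contents = "written by an attacker-controlled cookie\n";
$payload = base64_encode(serialize($evil));
$evil->file = null; // keep this local copy's destructor inert

readRememberMeUnsafe($payload);
var_dump(file_exists($target));   // did the gadget write the file?

@unlink($target);
readRememberMeNoObjects($payload);
var_dump(file_exists($target));   // no object was built, so no write

$key = 'per-site-secret-from-config'; // assumption: kept in server config
$cookie = makeRememberMeCookie(['pilot_id' => 1234, 'exp' => time() + 86400], $key);
var_dump(readRememberMeSafe($cookie, $key));        // the original array
var_dump(readRememberMeSafe($cookie . 'x', $key));  // rejected: MAC mismatch
```

The point of the unsafe function is that unserialize() will instantiate whatever class name the string carries, so the application's own classes become the attacker's toolkit as soon as one of them does file or database work in a magic method. The signed-JSON reader never evaluates class names and never trusts the cookie until the HMAC checks out; the allowed_classes variant is the smaller change for an existing code base, but it does nothing on a host where the function itself is disabled.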

Here’s the issue. It says you must be logged in to access this feature, making the CC totally inaccessible.


Is there any potential security threat to the device the crew center is being used on?

Update @ 1400Z

I’ve got a lot to share this time around so I hope I can provide at least temporary relief from this issue.

Workaround

To the best of my testing, pilots are able to log in under the following circumstances:

  • phpVMS is running the CrewCenter skin. This is the one I show you how to set up in my tutorial here.
  • When logging in, you must tick the remember me box.
  • I’ve tested this as an admin only, but it should (key word: should) not be any different for normal users.

The error message doesn’t disappear but it will allow you to log in. Not entirely sure why, but a workaround is a workaround, right?

Pilot Data & cPanel Access

No pilot data (accounts, passwords, PIREPs, etc) will be compromised as a result of this. Your cPanel access will also remain.

Alternatives

This is a host issue. Moving to a paid host is the best option. I won’t be answering any messages or replies on how to do this, but you don’t have to install fresh. You can choose to, however, as you can import pilot data via the admin panel. You can also access old pilot data on the phpVMS admin panel if you are able to log in using the method described above.

Paid Hosting

If you are looking to go down the route of paid hosting, I highly recommend Hostinger. Their pricing is very competitive and with some (possibly all, memory is not at its best at 12am 😬) plans you get a free domain. They also run offers very frequently, so a quick Google will likely find you a promo code to make it cheaper.

Security

Just to be clear, this change on InfinityFree’s side improves security. You are at no more risk now than you were before. If anything, your site is more secure, error message and login issues aside.


I am unable to log in to my crew center

Have you followed the steps above? Be sure to do exactly as described, for a temporary fix, until you are able to move to paid hosting, if at all.

If you are going for paid hosting, I’d highly recommend siteground.com. They are quite affordable as well and their support is awesome.

Hosting is not something I’d skimp on as a website owner.


Just a quick question. Is the security issue dangerous for the user using infinityfree?

(screenshot attached: Screen Shot 2020-07-15 at 1.39.29 PM)

I got mine to work. But guys, if you don’t know OOP PHP and you try to do it, you can break your Crew Center.


How did you do it?


Hey @KaiM, so the warning says that the thing is disabled on, like, line 76. If we find that within InfinityFree or our FTP, will we be able to re-enable it?

If you wish to stop using infinity free. Use hostinger. They are very cheap and very reliable. Their service is fantastic as they respond to issues quickly.

Sorry wrong account ^^^^

@KaiM I have never had this many guests or users online at once. Is this normal or am I getting hacked???