Virtual War is a FREE PHP Clan CMS
Virtual War Security
Virtual War suffered a lot from public exploits and bad maintenance in the past.
There are several public exploits available which were not fixed due to the lack of developers. It even came to our attention that some hosting companies forbid their customers to use Virtual War for security reasons.
Since August 2008, vwar has been developed by a new publisher with a lot of experience in web application security issues. The highest priority is to make Virtual War safe to use again.
The next version will fix all currently known security-related bugs so that everyone can safely install Virtual War again.
We will also convert Virtual War to run on PHP 5 only, and we will include PHPIDS ( http://php-ids.org/ ), which is a pretty nice security tool.
Currently, using Virtual War is dangerous and should only be considered by people who know what they are doing.
However, you can follow some steps to strengthen your security until our next security-focused release is published.
Delete directory /convert and /install
For security reasons it is VERY important that you delete the folders /convert and /install after you have installed Virtual War. With the next version we will check whether the directories have been deleted, but we won't release this before we are done.
Avoid PHP Remote Code Injection
A common exploit occurs when people have not deleted the convert directory. The attack is called PHP Remote Code Injection. It allows an attacker to have PHP code loaded from another server and executed on your server.
We are aware of the problems in the Virtual War source code and will fix them with the next release. Meanwhile, you can disable the PHP settings which allow remote code inclusion.
Those are
allow_url_fopen = off (PHP4 & PHP5)
and
allow_url_include = off (PHP5)
If you are running PHP <= 4.3.4 you can set allow_url_fopen in an .htaccess file. Just create a .htaccess file within your Virtual War root directory and add the following line:
php_value allow_url_fopen off
If you run a PHP version above PHP 4.3.4 you have to make the setting in your php.ini or ask your hosting provider to do so.
If you are running PHP version 5.0.0 or above you have to set allow_url_include = off in your php.ini or ask your hosting provider to do so.
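To confirm that the steps above took effect, the following PHP script reports the values the web server actually uses and whether /convert and /install still exist. It is an added example, not part of Virtual War; the function names ini_is_enabled and check_hardening are made up for illustration, and the script assumes it is placed in the Virtual War root directory.

```php
<?php
// Added example, not Virtual War code. Upload it to the Virtual War root
// directory, request it once in a browser, then delete it again.

// Interpret an ini value the way PHP does for boolean settings.
// ini_get() returns false when the setting does not exist in this PHP
// version, and otherwise a string such as "1", "", "0", "On" or "off".
// A plain if (ini_get(...)) would wrongly treat the string "off" as enabled.
function ini_is_enabled($name)
{
    $raw = ini_get($name);
    if ($raw === false) {
        return null; // setting unknown to this PHP version
    }
    $value = strtolower(trim($raw));
    if ($value === 'on' || $value === 'yes' || $value === 'true') {
        return true;
    }
    return ((int) $value) !== 0; // "off", "" and "0" all evaluate to 0
}

// Collect every hardening step from this page that is still open.
function check_hardening($root)
{
    $findings = array();
    foreach (array('allow_url_fopen', 'allow_url_include') as $setting) {
        $state = ini_is_enabled($setting);
        if ($state === true) {
            $findings[] = "$setting is enabled; set it to off";
        } elseif ($state === null) {
            $findings[] = "$setting does not exist in this PHP version";
        }
    }
    foreach (array('convert', 'install') as $dir) {
        if (file_exists($root . '/' . $dir)) {
            $findings[] = "directory /$dir still exists; delete it";
        }
    }
    return $findings;
}

header('Content-Type: text/plain');
$findings = check_hardening(dirname(__FILE__));
echo 'PHP ' . PHP_VERSION . "\n";
echo $findings ? implode("\n", $findings) . "\n" : "No findings.\n";
```

Run it through the web server rather than the command line, because the command-line PHP may read a different php.ini and ignores .htaccess.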
Current version: VWar 1.5.0 R15
