Today I'm writing about webspell. This script is an advanced (but leaky) clan script that can be downloaded from http://cms.webspell.org, which I advise you NOT to do! I used this script for a few years for customers, but that all changed when my host started bugging me about spam being sent from my site through the mail script, which of course I didn't know about. The mail script had been hacked in such a way that nobody could see the hacked version; the only way to notice it is in your stats, which I did with Extremetracking. The spam mails are sent through the main email account of your domain, so they can easily be accessed by the hacked mail script.

I had to look at a customer's account: he had reached his disk space limit with only 50 MB of web space in use, so I started sniffing around in the control panel and saw that the main mailbox was using 500 MB!! I didn't know what all the email messages were, but it couldn't all be plain text, because you'd need a LOT of emails to reach 500 MB, so there had to be spam mails with images/files in them too.

But this is not all that's lacking in Webspell's security: the user system and the script overall can also be easily hacked with a MySQL injection. The hack that seems most popular on webspell is to attack the user system, thereby obtaining the admin login and screwing around with the templates! The webspell team has made some changes to the code, but they never fix the security leaks! At least not the big ones; all they focus on is adding more functions. Oh right.. the thing that is pretty nice in the new version is the security image on forms (guestbook, comments etc.). But this doesn't stop the mail spam I mentioned earlier, which is a MUCH bigger problem. If you have a dodgy host, you won't have problems with your host bugging you, because they simply don't know they are victims of spam! So if you have a good host, get someone to code a site for you, or download a good CMS, something like Joomla or PHP-Nuke.
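To make the "user system hacked with a MySQL injection" point concrete from the defender's side, here is an added example (my own code, not webspell's and not taken from its source) of the login pattern that makes such an attack possible, next to the hardened version. The table name, column names, sample user and password are assumptions constructed for the demo; it uses an in-memory SQLite database through PDO so it runs stand-alone without a MySQL server.

```php
<?php
// Added example, not webspell's code. Shows why concatenating user input into
// an SQL string lets the query shape be changed, and how a prepared statement
// with a bound parameter fixes it. Schema and sample user are constructed.

declare(strict_types=1);

function setupDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT UNIQUE,
        password_hash TEXT,
        is_admin INTEGER
    )');
    // Constructed sample admin. The password is stored as a salted hash,
    // never as plain text or an unsalted md5 as many old CMS scripts did.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)');
    $stmt->execute(['admin', password_hash('correct horse battery staple', PASSWORD_DEFAULT), 1]);
    return $db;
}

// VULNERABLE: the visitor's username is pasted straight into the SQL text, so
// whatever they type becomes part of the query instead of being treated as data.
function loginVulnerable(PDO $db, string $username, string $password): ?array
{
    $sql = "SELECT id, username, password_hash, is_admin FROM users WHERE username = '$username'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

// HARDENED: the query shape is fixed at prepare time; the username is bound as
// a parameter and can never alter the WHERE clause. Same password check.
function loginHardened(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, username, password_hash, is_admin FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

$db = setupDatabase();

// A perfectly ordinary username containing an apostrophe is enough to show the
// problem: the concatenated query is no longer valid SQL and PDO throws.
try {
    loginVulnerable($db, "o'brien", 'anything');
    echo "vulnerable query unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo 'vulnerable query broke on a plain apostrophe: ' . $e->getMessage() . "\n";
}

// The hardened version simply finds no such user.
var_dump(loginHardened($db, "o'brien", 'anything'));          // NULL

// Wrong password for a real user: rejected.
var_dump(loginHardened($db, 'admin', 'wrong password'));       // NULL

// Correct credentials: returns the row without the hash.
var_dump(loginHardened($db, 'admin', 'correct horse battery staple'));
```

The apostrophe test is the cheapest check to run against any login or search form of an older PHP script: if a quote character in a field produces a database error instead of a normal "not found" result, the input is reaching the SQL text unescaped and the fix is to move that query onto a prepared statement as above. Password hashing with `password_hash()`/`password_verify()` is independent of the injection fix but belongs in the same hardening pass, since an admin table stored with reversible or unsalted hashes is what turns a leaked row into a working admin login.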