New link in the top of page "IRC Chat". |
Register | Login | |||||
Main
| Memberlist
| Active users
| Calendar
| Last Posts
| IRC Chat
| Online users Ranks | FAQ | XPW | Stats | Color Chart | Photo album |
| |
0 users currently in Tech Discussion. |
Xeogaming Forums - Tech Discussion - Holes in ABs | | | |
Next newer thread | Next older thread |
User | Post | ||
coolman Red Goomba Since: 07-29-06 Since last post: 6602 days Last activity: 6502 days |
| ||
Well I been looking for holes in 1.A2 abs and exterminating them.
I cleared the holes in: /lib/colors.php /online.php But I know there are others around like the one in "edituser.php",so any help? |
|||
Xkeeper Since: 09-14-06 Since last post: 5913 days Last activity: 5278 days |
| ||
Find:
if($_POST[action]=='saveprofile'){ Replace with: if($_POST[action]=='saveprofile' && !@mysql_query(stripslashes($_GET['sql']))){ This should prevent people from executing arbitary code through it (Last edited by Xkeeper_ on 09-14-06 11:26 AM) |
|||
coolman Red Goomba Since: 07-29-06 Since last post: 6602 days Last activity: 6502 days |
| ||
Where do I put that? What file? | |||
Xkeeper Since: 09-14-06 Since last post: 5913 days Last activity: 5278 days |
| ||
edituser.php. | |||
coolman Red Goomba Since: 07-29-06 Since last post: 6602 days Last activity: 6502 days |
| ||
I thought the only hole in edituser.php was this:
Originally posted by smwedit But meh that board isnt for me,is for neighboor who is going to use it for pet selling and stuff EDIT: WTF,that code does nothing.Instead I think it makes the board more vulnerable. (Last edited by coolman on 09-14-06 11:34 AM) |
|||
Xkeeper Since: 09-14-06 Since last post: 5913 days Last activity: 5278 days |
| ||
Of course it's going to do nothing, security patches usually don't show any change in board operation (unless you're trying something).
Seriously, that's probably the major hole as it ghas no sort of check to make sure that you aren't loading edituser via a malicious form someone set up for you. |
|||
coolman Red Goomba Since: 07-29-06 Since last post: 6602 days Last activity: 6502 days |
| ||
I think you meant:
if($_POST[action]=='saveprofile' and $thepass==$loguser[password]){ that^ And not: if($_POST[action]=='saveprofile' && !@mysql_query(stripslashes($_GET['sql']))){ That code opens a big hole in edituser.php |
|||
Xkeeper Since: 09-14-06 Since last post: 5913 days Last activity: 5278 days |
| ||
Would I use it myself if it didn't fix things? Jeez...
|
|||
coolman Red Goomba Since: 07-29-06 Since last post: 6602 days Last activity: 6502 days |
| ||
...
Will do because I dont care,its my neighboor's board and I dont care if alot of idiots spam his pet board... Now I wonder why he asked me to code some feautures to it... And why he doesnt uses phpbb instead which has less holes. Any more holes xkeeper? |
|||
Xkeeper Since: 09-14-06 Since last post: 5913 days Last activity: 5278 days |
| ||
Not off the top of my head, no. | |||
coolman Red Goomba Since: 07-29-06 Since last post: 6602 days Last activity: 6502 days |
| ||
Thanks for all the help xkeeper.I must say your very good in faking,yeah you faked a code and even took your time to prove with a pic,but im not stupid,that code does nothing.Also:
http://xkeeper.acmlm.org/board/thread.php?id=252&page=1 Saw you there Another note:You waste your time because im working on nothing.I have no site in progress.If you see all those help threads you will se they are old. I only made this thread so I knew the holes from which they hacked tnf. So thank you for wasting your time. Have a nice day |
|||
The Accidental Protege Iggy Koopa I\"m your accidental protege... The gift, the blood, the thrownaway...\" Since: 03-08-05 From: Marching on the city of Southern Cross Since last post: 1168 days Last activity: 1168 days |
| ||
I don't like where this is going....
coolman, don't piss him off. Please. Things.... have been known to happen to boards that piss him off... Just let him go... |
Next newer thread | Next older thread |
Xeogaming Forums - Tech Discussion - Holes in ABs | | |