en: lol
ro: :))
EN: I think he is right :P (lovegod)
RO: lovegod and master are pretty much right. fantoma steals work and claims it as his own, and on top of that calls the people who actually make it noobs. fantoma, if master is a noob, what stage are you at, somewhere around worm?
Admins please delete this post ! It is evil ^^
P.S. Things are getting ugly lol ^^
This inject is working: index.php?news='';shutdown;-- ! Please fix it! It is also working in other ops that select from the DB. Thx!
FIXED:
I needed to change this in web_modules.php:
Code:
function modules(){
    if(isset($_GET['op'])){
        $op = $_GET['op'];
        $g = chr(92); // backslash
        $op = str_replace($g , "", $_GET['op']);
        $op = str_replace("/" , "", $op);
        $op = str_replace("%00" , "\0", $op);
        $op = str_replace("?" , "", $op);
        $op = htmlspecialchars($op);
        if (is_file("modules/".$op.".php")) {
            include("modules/".$op.".php");
        } else {
            require("config.php");
            Echo ("<br>$warning_start Module $op Could Not Be Found By MuWeb! $warning_end<br>");
        }
    }
}
function user_modules(){
    if($_GET['option']) {
        $op=$_GET['option'] ;
        $g = chr(92); // backslash
        // This line reads $_GET['op'] and overwrites the 'option' value taken above.
        $op = str_replace($g , "", $_GET['op']);
        $op = str_replace("/" , "", $op);
        $op = str_replace("%00" , "\0", $op);
        $op = str_replace("?" , "", $op);
        $op = htmlspecialchars($op);
        $adr='./modules/user/'.$op.'.php' ;
        include($adr);
    }
}
To this:
Code:
function modules(){
    if(isset($_GET['op'])){
        $op = $_GET['op'];
        $g = chr(92); // backslash
        // Filter the local copy instead of reading $_GET['op'] again.
        $op = str_replace($g , "", $op);
        $op = str_replace("/" , "", $op);
        // Replaces the literal text %00 with a NUL byte.
        $op = str_replace("%00" , "\0", $op);
        $op = str_replace("?" , "", $op);
        $op = htmlspecialchars($op);
        if (is_file("modules/".$op.".php")) {
            include("modules/".$op.".php");
        } else {
            require("config.php");
            echo ("<br>$warning_start Module $op Could Not Be Found By MuWeb! $warning_end<br>");
        }
    }
}
function user_modules(){
    if($_GET['option']) {
        $op=$_GET['option'] ;
        $g = chr(92); // backslash
        // Now filters the 'option' value rather than $_GET['op'].
        $op = str_replace($g , "", $op);
        $op = str_replace("/" , "", $op);
        $op = str_replace("%00" , "\0", $op);
        $op = str_replace("?" , "", $op);
        $op = htmlspecialchars($op);
        $adr='./modules/user/'.$op.'.php' ;
        include($adr);
    }
}
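An allowlist-style alternative to the character stripping in the fix above, added here as an example; it is not MuWeb code and not the poster's code. The function names `resolve_module` and `load_module` are hypothetical; the `op` and `option` parameters and the `modules` and `modules/user` directories are taken from the post.

```php
<?php
// Added example (not MuWeb code): accept only plain module names and confirm
// the resolved file sits in the module directory, instead of stripping characters.

// Return the real path of <baseDir>/<name>.php, or null when $name is not a
// plain module name that exists directly inside $baseDir.
function resolve_module($name, $baseDir)
{
    // A request such as ?op[]=x arrives as an array, not a string.
    if (!is_string($name)) {
        return null;
    }
    // Short identifier only: no dots, slashes, backslashes, NUL bytes or '?'.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null; // directory or module file does not exist
    }
    // Defence in depth: the resolved file must still live directly in $base
    // (catches a symlink that points outside the module directory).
    if (dirname($path) !== $base || !is_file($path)) {
        return null;
    }
    return $path;
}

// Include the module named by $_GET[$param], or print a fixed error message.
function load_module($param, $baseDir)
{
    if (!isset($_GET[$param])) {
        return;
    }
    $path = resolve_module($_GET[$param], $baseDir);
    if ($path === null) {
        // The raw request value is never echoed back into the page.
        echo '<br>Module could not be found.<br>';
        return;
    }
    include $path;
}

// Constructed usage, mirroring the two entry points in the post:
// load_module('op', __DIR__ . '/modules');
// load_module('option', __DIR__ . '/modules/user');
```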
They inject using your lostpassword and email through the registration. If you remove those access points, MuWeb 0.8 is fairly secure, if you have an idea of how to read logs and check which modules are being used. My suggestion is to continue using 0.8, but do some reading up when it comes to infiltration of your server.
Web vulnerability sql inject...
I have problems in administrator.php
Some hackers can edit account and chars :o((