Hey, I've just heard of huge hotels which randomly got hacked and defaced all together; they say this is an exploit in RevCMS. Anyone had this on his/her hotel?
I don't think it's unsafe. My guess is it's more the way and methods they used to code their themes or housekeeping.
Not only RevCMS
1). REMOTE_ADDR (HTTP_CF_CONNECTING_IP) - They can change their IP address with a Google Chrome extension to something like 'rank='7'; so on every page (index? register?) where you save the IP (ip_last, ip_reg) the current query can't run, they close the query and start a new query to make themselves admin (no DB access; most of you (Dutch hotels) are hacked by this exploit).
How to fix:
How to use:

public function getRealIpAddress() {
    // Reject anything that is not a syntactically valid IP address,
    // e.g. a header value like "1.2.3.4'; UPDATE ..." injected from the client
    if (!filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP)) {
        return false;
    }
    // Escape for the legacy mysql_* extension (needs an open mysql_connect() link)
    return mysql_real_escape_string($_SERVER['REMOTE_ADDR']);
}
Thanks to Marjolein
Put this code in your core/whatever and, instead of the $_SERVER shit, use the function getRealIpAddress.
2). Parameters: some emus (enough here) don't use prepared statements, so they can do some fun things with your retro.
So take care of your code and enable your logs.
The first thing is true and not true.
Remote addr is just the IP that the server receives, so you can't edit that...
But like you said, the HTTP_ headers can be edited and can contain an exploit.
And it's so true about the parameters; that's where the most exploits are, client-side, in most emulators/mysqli websites.
So if I read it right, you have to put the code "public function etc etc" in your core? Does it have a special place or doesn't it matter where you put it?
And one more thing bro, I don't understand this: "Put this code in your core/whatever and use instead of $_SERVER shit use the function getRealIpAddress." Can you give me an example?
How can you do this in RevCMS and where?
This is not a help section, sir.
Little tip: the place doesn't matter as long as you put it in the right file: global.php, core.php, class.core.php(?), one of them. And you can use it like UPDATE `users` SET `ip_last` = '".getRealIpAddress()."' instead of ip_last = '".$_SERVER['HTTP_CF_CONNECTING_IP']."'
The one from Cloudflare needs to be filtered because you can send the same header with your browser.
And remote addr is just the TCP connection that PHP gets from you, and that's impossible to change into an exploit.
@Under me: yup, that's safe.
Last edited by Spot Ify; 04-07-14 at 11:12 AM.
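As an added example (not code from this thread, RevCMS or any emulator), here is how the advice from the "How to fix" post and the "Little tip" post fits together in one place: HTTP_CF_CONNECTING_IP is only honoured when the TCP peer (REMOTE_ADDR) is a proxy you trust, every candidate IP is validated with filter_var before it goes anywhere near SQL, and the ip_last update uses a PDO prepared statement so the header content can never become part of the query. The $trustedProxies list, the in-memory SQLite database and the `users` table layout (id, ip_last, rank) are assumptions made for the demo; ip_last and rank come from the thread, the rest you would take from your own schema.

```php
<?php
// Added example, not code from this thread or from RevCMS. Demonstrates the two fixes
// described above: validate the IP before it reaches SQL, and bind it as a parameter.
declare(strict_types=1);

/**
 * Resolve the client IP. REMOTE_ADDR is the TCP peer and cannot be forged by the
 * browser; HTTP_CF_CONNECTING_IP is honoured only when REMOTE_ADDR is one of our
 * trusted proxies ($trustedProxies is an assumption here, fill it from your setup).
 * Returns null when nothing valid is available, so the caller decides what to do.
 */
function getRealIpAddress(array $server, array $trustedProxies = []): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    $candidate = $remote;
    if (in_array($remote, $trustedProxies, true) && isset($server['HTTP_CF_CONNECTING_IP'])) {
        $candidate = (string) $server['HTTP_CF_CONNECTING_IP'];
    }
    // A header value such as "1.2.3.4', `rank`='7" is not an IP and is rejected here.
    return filter_var($candidate, FILTER_VALIDATE_IP) === false ? null : $candidate;
}

/** Store ip_last through a bound parameter; the value is never part of the SQL text. */
function updateLastIp(PDO $db, int $userId, string $ip): int
{
    $stmt = $db->prepare('UPDATE `users` SET `ip_last` = :ip WHERE `id` = :id');
    $stmt->execute([':ip' => $ip, ':id' => $userId]);
    return $stmt->rowCount();
}

// Constructed demo on an in-memory SQLite database (RevCMS uses MySQL; the PDO calls are the same).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE `users` (`id` INTEGER PRIMARY KEY, `ip_last` TEXT, `rank` INTEGER DEFAULT 1)');
$db->exec("INSERT INTO `users` (`id`, `ip_last`) VALUES (42, '0.0.0.0')");

// Constructed placeholder: the address(es) your proxy/Cloudflare traffic arrives from.
$trustedProxies = ['198.51.100.1'];

// Case 1: direct connection with a spoofed Cloudflare header. REMOTE_ADDR is not a
// trusted proxy, so the header is ignored and the real peer address is returned.
$direct = ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_CF_CONNECTING_IP' => "1.2.3.4', `rank`='7"];
var_dump(getRealIpAddress($direct, $trustedProxies));

// Case 2: request arrives via the trusted proxy but the header is crafted.
// The header is considered, fails validation, and null is returned; log it and skip the update.
$viaProxy = ['REMOTE_ADDR' => '198.51.100.1', 'HTTP_CF_CONNECTING_IP' => "1.2.3.4', `rank`='7"];
$ip = getRealIpAddress($viaProxy, $trustedProxies);
if ($ip === null) {
    error_log('rejected non-IP value in HTTP_CF_CONNECTING_IP from ' . $viaProxy['REMOTE_ADDR']);
} else {
    updateLastIp($db, 42, $ip);
}

// Case 3: even if the raw header were passed straight to the update, parameter binding
// stores it as a plain string; the rank column is left untouched by the query.
updateLastIp($db, 42, $viaProxy['HTTP_CF_CONNECTING_IP']);
$row = $db->query('SELECT `ip_last`, `rank` FROM `users` WHERE `id` = 42')->fetch(PDO::FETCH_ASSOC);
var_dump($row);
```

The point of case 3 is that escaping is only a stopgap: once the value is bound instead of concatenated, the `'` and `;` in the header have no meaning to the database, which is the same reason point 2 in the fix post tells emulator authors to use prepared statements for every other parameter as well.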