Illumina CMS [PHP, OOP, MySQLi, Uber 3]

Status
Not open for further replies.
Newbie Spellweaver
Joined
Jan 26, 2013
Messages
85
Reaction score
15
Great release??

Also: how can I disable/fix this?

[Image: kDvnP38]
 
Hakuna Matata
Joined
Sep 5, 2012
Messages
804
Reaction score
137
Great release??

Also: how can I disable/fix this?

[Image: kDvnP38]

Never had this problem, but I'm very sure that it can be fixed in your external variables.
 
Newbie Spellweaver
Joined
Jun 1, 2013
Messages
8
Reaction score
4
Err well you can patch it manually of course, I just went through all the php files and wherever there was a 302 redirect (header('Location: <x>');) I just added "exit;" after it. That stops the page from carrying on if you disable redirects.
There are other exploits beside the ones you have shown in this thread ;)
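
The manual patch described in the post above (adding `exit;` after every `header('Location: ...')`) can be checked mechanically. The following is an added example, not code from Illumina CMS or from anyone in this thread: a PHP audit script that tokenises a source file and reports redirect calls that are not immediately followed by `exit`/`die`. The function name `find_unterminated_redirects`, the sample page, its session keys and its paths are all constructed for illustration, and the check is a heuristic (it only looks at plain `header(...)` calls).

```php
<?php
declare(strict_types=1);

/** Return the line numbers of header('Location: ...') calls with no exit/die right after. */
function find_unterminated_redirects(string $source): array
{
    // Drop whitespace and comments so "the next token" means the next real code.
    $skip = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $tokens = [];
    foreach (token_get_all($source) as $t) {
        if (!is_array($t) || !in_array($t[0], $skip, true)) {
            $tokens[] = $t;
        }
    }
    $lines = [];
    $n = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t) || $t[0] !== T_STRING || strcasecmp($t[1], 'header') !== 0) {
            continue;
        }
        if (($tokens[$i + 1] ?? null) !== '(') {
            continue;
        }
        // Collect the statement text up to its terminating ';'.
        $text = '';
        for ($j = $i + 1; $j < $n && $tokens[$j] !== ';'; $j++) {
            $text .= is_array($tokens[$j]) ? $tokens[$j][1] : $tokens[$j];
        }
        if (stripos($text, 'location:') === false) {
            continue; // some other header, not a redirect
        }
        $next = $tokens[$j + 1] ?? null; // exit and die both tokenise as T_EXIT
        if (!is_array($next) || $next[0] !== T_EXIT) {
            $lines[] = $t[2];
        }
    }
    return $lines;
}

// Usage: php audit_redirects.php file1.php file2.php ...
foreach (array_slice($argv ?? [], 1) as $path) {
    foreach (find_unterminated_redirects((string) file_get_contents($path)) as $line) {
        echo "$path:$line: redirect without exit\n";
    }
}
```

On a constructed page where a login check calls `header('Location: /index.php');` and then falls through to render the account page, the script reports the line of that `header()` call; the same check followed by `exit;` is not reported.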
 
I'm-a ruin you, punt!
Joined
Apr 6, 2008
Messages
575
Reaction score
193
There are other exploits beside the ones you have shown in this thread ;)

Nobody is surprised. It’s become tradition to expect this of Jonty – His releases just wouldn’t be the same without his trademark exploits!
 
Newbie Spellweaver
Joined
Jun 1, 2013
Messages
8
Reaction score
4
Yes, and why aren't you showing it to us?
I didn't realize it was my job to show you something so obvious to anyone who looked at the source. There's an XSS exploit on the user profiles. Take a look at Jonteh's profile on his hotel and you will see it (until it is removed).

[Image: Clawed]


There are a few others, but I'm not going to spoon feed people who should know how to spot these themselves if they intend on using it.
 
The one and only!
Loyal Member
Joined
Nov 24, 2008
Messages
2,529
Reaction score
1,435
eckostylez is right, there is too much being given; it is probably about time that hotel owners start learning these skills themselves.
 
"(still lacks brains)"
Loyal Member
Joined
Sep 2, 2011
Messages
2,371
Reaction score
1,361
I didn't realize it was my job to show you something so obvious to anyone who looked at the source. There's an XSS exploit on the user profiles. Take a look at Jonteh's profile on his hotel and you will see it (until it is removed).

[Image: Clawed]


There are a few others, but I'm not going to spoon feed people who should know how to spot these themselves if they intend on using it.

And that's why I don't like Jonty. He puts exploits in everything lol.
 
Newbie Spellweaver
Joined
Jun 1, 2013
Messages
8
Reaction score
4
And that's why I don't like Jonty. He puts exploits in everything lol.
I don't know if it's intentional. From what I've seen he is an inefficient coder, and if I wanted to, I could have done a lot worse things to his hotel.
 
Hakuna Matata
Joined
Sep 5, 2012
Messages
804
Reaction score
137
I'm actually shocked about the amount of exploits.
I knew that there was an XSS in the motto on user profile and community and I also knew that the isAllowed function was insecure.
But I would've NEVER thought that anything as simple as NoRedirect would bypass every single login on the site.

And I'm the happy owner of Illumina CMS on my hotel! Hopefully, there are no more exploits. Glad no one abused the NoRedirect one on my hotel.
 
I'm-a ruin you, punt!
Joined
Apr 6, 2008
Messages
575
Reaction score
193
I'm actually shocked about the amount of exploits.
I knew that there was an XSS in the motto on user profile and community and I also knew that the isAllowed function was insecure.
But I would've NEVER thought that anything as simple as NoRedirect would bypass every single login on the site.

And I'm the happy owner of Illumina CMS on my hotel! Hopefully, there are no more exploits. Glad no one abused the NoRedirect one on my hotel.

Can you not actually see all of the hints being given in this thread alone? Get rid of this CMS from your hotel if you want to actually run something that is safe and not full of exploits.

And that's why I don't like Jonty. He puts exploits in everything lol.

Doubt it’s intentional on his behalf. He’s not retarded enough to leave pre-built backdoors in his own personal copy.
 
Hakuna Matata
Joined
Sep 5, 2012
Messages
804
Reaction score
137
Can you not actually see all of the hints being given in this thread alone? Get rid of this CMS from your hotel if you want to actually run something that is safe and not full of exploits.

I had the CMS way before this thread was made and I found the exploits myself and fixed them (except the NoRedirect). As a new member of RageZone and new to the retro developing scene, I didn't know which CMS I should choose. But after I fixed it up, I'm happy with it and I have no plans on changing at the moment.
 
Newbie Spellweaver
Joined
Jun 1, 2013
Messages
8
Reaction score
4
I had the CMS way before this thread was made and I found the exploits myself and fixed them (except the NoRedirect). As a new member of RageZone and new to the retro developing scene, I didn't know which CMS I should choose. But after I fixed it up, I'm happy with it and I have no plans on changing at the moment.
Mind sharing a link to it live to test and see if you patched all the exploits?
 
Newbie Spellweaver
Joined
Jun 1, 2013
Messages
8
Reaction score
4
Just fixed a load of exploits, let me know if I missed any and I will fix it for you.

You missed the XSS vulnerability that is on the user profiles page
 