Me Leaving + My UberCMS Edit

[zMagenta]

Also my old names were - xWiiNdOwS, </Loophole>. You may remember them names.

Hello RaGEZONE, this will be my last post on here.. For quite a while. I'm leaving for a number of reasons to do with vengence with members RaGEZONE. I'd thought, as I'm not carrying on with this project, I'd give you my UberCMS edit. It's not shit, and I've tried to patch all the exploits to my knowledge. But please, run the SQL inside the root directory for it to run the latest Phoenix EMU. This was produced by Meth0d, other coders/developers of the community and a small chunk by me.. I'll leave some screenies at the bottom for you, but hope you enjoy this.

I would like to say some personal thank-you's to some people on RaGEZONE, for something they have done for me out of their own genoraosity, so I'll write some people below this paragraph.

Nesar - Although we haven't been "best buddies", you have helped me alot, whether you knew it or not. You've helped me with some threads which had the same problem, and you fixed it. So thanks mate.

D0WNF4LL - Hey mate, I would just like to say a huge thanks to you for teaching me the basic of catalogue skills. I wish you luck with rest of your catalogue seris, but thanks for everything you did for me. Thanks mate.

(B)asic - Hey dude, one thing before I talk about you, good luck on your PS3 Modding application. But I would like to say thanks to you, for being a great friend. Although we haven't known each other for very long, you've been a great friend to me. Thanks for showing some stuff in the PS3 Modding section, been a great help to me and my Ps3. Thanks mate.

< Nominal / > - Well, what can I say about you. Except you've been one of the best friends I've had on here, taught me loads about retros, and just been a help to me all round. You've helped me with some retro errors I had, tried to portforward for me at my early stages of making retros. I wish you the best Jakoline, wish to keep in contact with you on MSN. Thanks again mate.

JohnHeartfield - Excuse my mistakes if I spelt your name wrong, but there's one special thank you I want to make to you. You've been a great help on the small amount of customs I made, correcting my silly little mistakes on the SQL's, without you, half my SQL's wouldn't work, so I thank you for that mate. I wish to stay in contact with me, if you don't have me on msn, it's located at the bottom of my thread. Thanks again.

Raix - Mate, thanks for showing me the first steps of making customs and about SWF decomp's and where to get free ones ect. I wish you the best with your custom making skills. Hope you release more great customs!

Late3 - Wow, what a friend you've been. You got me started on making my first ever retro. You've been a great help to me on msn giving me all them codes, with you, I wouldn't have a clue about retros. So I wish you stay in retros, and good luck with whatever you do next!

MentaL - Well, I would just like to say thank you for the forum and making my experiance here great! I wish you the best with RaGEZONE, and I hope RZ Get's bigger.

Well, thank-you's over, here's the CMS.

http://www.mediafire.com/?aklzql2pee7r0l1

In the CMS, I've removed most/all of the exploits. It's the same format as the normal Uber. Here's the thread of my hotel below (With Screenies); http://forum.ragezone.com/f334/ad-ha...63-vps-796084/

Thanks RaGEZONE,

Good bye and Love you all.

MSN - Steve_Retros@hotmail.co.uk

IF YOUR GOING TO RE-RELEASE THIS, MAKE SURE 20% CREDITS GO TO MYSELF AND THE REST FOR METH0D OR YOURSELF IF YOU DID ANYTHING TO IT. DO NOT RE-RELEASE AND CLAIM AS YOUR OWN.

ASWELL AS THAT, KEEP THE FOOTER WITH MY COPYRIGHT! IF I SEE ONE MORE HOTEL WITHOUT MY COPYRIGHT, DOWNLOAD IS BEING PULLED DOWN - ADD ANYTHING ELSE THOUGH.

[MentaL]

[Riizq]

Gonna miss you. Hope to see you soon.


I know the first time you helped me.

[zMagenta]

Gonna miss you =( I know the first time you helped me.

Going to miss you to, but 'ya know, RaGEZONE isn't my lfe.

[Spheral]

Its okay if you spelt wrong, i do that with it sometimes :)
Sorry to see you leave mate, will stay in contact with you. Youve been a really good friend to me while you were here, thankyou for everything aswell.

[Merijn]

Ah, ciao. Goodluck in the future.

Also a nice release.

[Akimbo]

Ohai, goodluck my friend! I haven't seen soo much of you really xD But ye, nice release!

[Law]

Dumb that you are leaving, but ontopic: please screens and features you have added?

[VerbOtaku]

Cya jamie mate, will miss you :) Stay in touch yea!

[nickymonsma]

Fucking Nice

[justhin11]

Yo you don't really know me but i want to say thanks for all you dit for us i wish you a healthy live in the future.

[Livar]

This is the bomb! Thank-you "Steve/Jamie";

<3 Ima add you on MSN aswell.

[Retro!]

Hope you comeback <3

You were a big part in this section

[Pookie]

Goodbye.

[Danny]

We never really meet but thanks for the time you spent on this forum. Also thanks for your Uber edit.

[Matthew]

This is NOT safe to use. There are still several ways to do a SQL exploit even in the register (register.php).

PHP Code:

$name = $_POST['bean_avatarName']; 


Unfiltered post. You can inject anything here and extract anything you wish from the users table as no illegal characters are escaped.

Fix (VERY simple stuff):

PHP Code:

$name = filter($_POST['bean_avatarName']); 


Same problem here, but I've seen you've tried to escape illegal characters using htmlspecialchars() which only escapes HTML characters. htmlspecialchars() will NOT stop a sql injection or escape things like ',x00 ect..

PHP Code:

        $name = htmlspecialchars($_POST['bean_avatarName']);
        $password = htmlspecialchars($_POST['bean_password']);
        $password2 = htmlspecialchars($_POST['bean_retypedPassword']);
        $email = htmlspecialchars($_POST['bean_email']);
        $dob_day = htmlspecialchars($_POST['bean_day']);
        $dob_month = htmlspecialchars($_POST['bean_month']);
        $dob_year = htmlspecialchars($_POST['bean_year']); 


There's no use in trying to escape html characters. So we'll escape illegal MySQL characters instead:

PHP Code:

        $name = filter($_POST['bean_avatarName']);
        $password = filter($_POST['bean_password']);
        $password2 = filter($_POST['bean_retypedPassword']);
        $email = filter($_POST['bean_email']);
        $dob_day = filter($_POST['bean_day']);
        $dob_month = filter($_POST['bean_month']);
        $dob_year = filter($_POST['bean_year']); 


So this should work now, and the register page should be secure, as we've escaped any possible bad characters. A proper and real solution would be preparing a query in MySQLi and seeing the POST values as strings. But only a few people will know what I'm on about..

Anywho, I wouldn't advise using the CMS as it looks like the OP doesn't know much about MySQL injections.