PhoenixPHP exploit fix!

[NoBrain]

I hate PhoenixPHP but I like PHP and fixing exploits so here goes...

1. Open index.php
2. Search for: elseif(isset($_GET["error"]) && $_GET["error"] == "ban")
3. Replace the lines of under it with this;

PHP Code:

                if(isset($_GET["user"]))
                {
                    $query = mysql_query("SELECT * FROM bans WHERE value = '".$core->EscapeString($_GET["user"])."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
                }
                elseif(isset($_GET["ip"]))
                {
                    $query = mysql_query("SELECT * FROM bans WHERE value = '".$core->EscapeString($_GET["ip"])."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
                } 


[MentaL]

[wy479]

What exploit is this and without it what can the exploit do?

[NoBrain]

What exploit is this and without it what can the exploit do?

I'm not sure what it can do, I just added $core->EscapeString before $_GET['ip'];

[leenster]

This fix prevents SQL injection......

[NoBrain]

This fix prevents SQL injection......

This. :P

[Jam32]

This fixes the most commonly known sql injection exploit, which can be exploited with the software "Havij".

[Subway]

nice fix once again
Posted via Mobile Device

[Hebbos]

Thanks

[wy479]

Awesome

[CobraSnip]

Thnaks this will be added right away and your register fix

[andreas1234]

I tried on 2 of index nothing beacuse i got many fails on my retro home

[Papercup]

Thank You so much, This is so commonly used.

http://Site/index.php?error=ban&user=%Inject_here%

Thats the fix for it!

[DoctorCooper]

Thanks for this.

[Wupz0r]

Nice.

Lesson: Never use raw commands.

[Papercup]

I added this, As soon as you go on site it says you are banned but you can sign in :S, I dont think its worth it. Anyone got a fix?

[Wupz0r]

I added this, As soon as you go on site it says you are banned but you can sign in :S, I dont think its worth it. Anyone got a fix?

PM, some of our PHP coders?

[NoBrain]

I added this, As soon as you go on site it says you are banned but you can sign in :S, I dont think its worth it. Anyone got a fix?

Wtf? It works perfectly, had no complaints apart from you... I don't see why it wouldn't work, try a fresh download of the CMS?

[azaidi]

Works great?

---------- Post added at 05:04 PM ---------- Previous post was at 05:03 PM ----------

Anyone know other things I can fix in PhoenixPHP? I'm going to release my PhoenixPHP Edit 1.0 over some time.

[NoBrain]

Works great?

---------- Post added at 05:04 PM ---------- Previous post was at 05:03 PM ----------

Anyone know other things I can fix in PhoenixPHP? I'm going to release my PhoenixPHP Edit 1.0 over some time.

You using my fixes in that? If so, credits...

[azaidi]

K i have putted credits in the index.php for you?

[Wupz0r]

If this doesnt work, you fail. Easy to add and it WORKS, no doubt.

[Danny]

Nice it works, Just because people don't know how to do it don't mean it dont work.

[Wupz0r]

Nice it works, Just because people don't know how to do it don't mean it dont work.

That's why n00bs are Lazy.