Hey, this is very strange, but in some way people managed to exploit with $_SERVER['REMOTE_ADDR'];
So you should put mysql_real_escape_string($_SERVER['REMOTE_ADDR']);
at all queries!!!!!!!
Huge hotels have been hacked by this!
Not possible. The exploit is coming from somewhere else.
Already fixed this exploit ;)
Pretty hard to find.
Someone had tried this on Habboon; they're most likely spoofing HTTP_CF_CONNECTING_IP. You make a check to see if HTTP_CF_CONNECTING_IP is set, then run the filter_var function with FILTER_VALIDATE_IP and kill the page if needed.
Though when they did this they had no success in achieving anything, it's still worth adding such a check.
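The check described in the post above, plus the "escape it in every query" advice from the first post, as an added example in PHP (this is not code from the thread or from any of the CMSs mentioned). It assumes a PDO connection `$pdo` and a table `ip_log(ip VARCHAR(45))`; the `TRUSTED_PROXIES` list is a placeholder that you would fill with the addresses of the CDN or reverse proxy actually in front of the server. The point it adds to the thread: the forwarded-IP header is only worth reading when the TCP peer is a proxy you trust, and the IP should be bound as a query parameter rather than escaped into the SQL string.

```php
<?php
// Added example, not from the original thread. Assumes $pdo (PDO) and a table
// ip_log(ip VARCHAR(45)). TRUSTED_PROXIES is a placeholder: list the addresses
// of the CDN/reverse proxy that really sits in front of this server.
const TRUSTED_PROXIES = ['203.0.113.10']; // constructed documentation-range value

function clientIp(array $server): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    // REMOTE_ADDR is set by the web server from the TCP peer, but validate it
    // anyway so every later string use starts from a known-good IP literal.
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null;
    }

    // Only honour HTTP_CF_CONNECTING_IP when the request actually came through
    // a trusted proxy; a direct client can send the header with any content.
    $forwarded = $server['HTTP_CF_CONNECTING_IP'] ?? null;
    if ($forwarded !== null && in_array($remote, TRUSTED_PROXIES, true)) {
        if (filter_var($forwarded, FILTER_VALIDATE_IP) === false) {
            return null; // header present but not an IP address: refuse the request
        }
        return $forwarded;
    }
    return $remote;
}

function logVisit(PDO $pdo, array $server): bool
{
    $ip = clientIp($server);
    if ($ip === null) {
        http_response_code(400); // "kill the page": nothing from this request is stored
        return false;
    }
    // Bind the value instead of concatenating it: the IP never becomes SQL text,
    // so no escaping function is needed at any query.
    $stmt = $pdo->prepare('INSERT INTO ip_log (ip) VALUES (:ip)');
    return $stmt->execute([':ip' => $ip]);
}

// Constructed sample requests showing the three decisions clientIp() makes.
$direct  = ['REMOTE_ADDR' => '198.51.100.7'];
$spoofed = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_CF_CONNECTING_IP' => "1' OR 1=1 -- "];
$viaCdn  = ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_CF_CONNECTING_IP' => '192.0.2.44'];
var_dump(clientIp($direct));   // header absent: REMOTE_ADDR is used
var_dump(clientIp($spoofed));  // header ignored: peer is not a trusted proxy
var_dump(clientIp($viaCdn));   // peer is the trusted proxy: validated header is used
```

The `$spoofed` case is the situation the post describes: the bogus header is simply ignored because the connection did not come from the proxy, and even if it had, `filter_var` would reject it and the request would get a 400 before any query ran.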
As far as I know, you can't just set some random text into the REMOTE_ADDR variable.
Source: http://stackoverflow.com/questions/4...verremote-addr
I did stumble on this though: http://blog.ircmaxell.com/2012/11/an...-i-hacked.html
(Very interesting blog; he explains how he got access to the admin section on Stack Overflow.)
Last edited by Eronisch; 28-06-14 at 12:32 AM.
There is a hack where you can make everyone staff. I don't know how, but it's an exploit in almost all noob CMSs.
That is an exploit in the ASE that people use. There is also another exploit in the ASE that will allow you to clear a full database, so I would not recommend using any of the released ASEs, especially PulseASE and GrapeASE (the other one), but many renames of them are out there.
But this really seems to be a strange exploit if it even is an exploit.
I asked the guy that made everyone staff in like 5 retros; he said something about 'value=rank'01, IDK, don't remember. Anyone that can release how to do it?
It's the exploit, says the hacker on my hotel himself; I've not got a clue how it works either lol

            if($_GET['url'] == 'news' || $_GET['url'] == 'articles')
            {
                $template->form->getPageNews();
            }
        }
    }

    final public function setParams($key, $value)
    {
        $this->params[$key] .= $value;
    }

    final public function filterParams($str)
    {
        foreach($this->params as $key => $value)
        {
            $str = str_ireplace('{' . $key . '}', $value, $str);