Re: UberCMS Potential SQL exploit patch (housekeeping)
Quote:
Originally Posted by
skunken1
Pm me too :)
What's the point in him PM'ing you anything about the exploits when you probably know nothing on the topic.
Quote:
Originally Posted by
jamieturner
and me please, cheers.
Who are you asking? And to what? (if me)
Re: UberCMS Potential SQL exploit patch (housekeeping)
Quote:
Originally Posted by
Matthew
Who are you asking? And to what? (if me)
He asks if you'll add him xD
Btw, I think it's useless to filter the password post.
Because:
The server gets `' or '' = ''` as a response (for example).
If you make a hash of it, you'll get something like: 08c0b7826294f319bdf2abf11b7af0fc
That's never an exploit, is it?
Re: UberCMS Potential SQL exploit patch (housekeeping)
Quote:
Originally Posted by
joopie
He asks if you'll add him xD
Btw, I think it's useless to filter the password post.
Because:
The server gets `' or '' = ''` as a response (for example).
If you make a hash of it, you'll get something like: 08c0b7826294f319bdf2abf11b7af0fc
That's never an exploit, is it?
Yeah, I was thinking the same too, but as said before, I said potential for a reason. There *might* be a way of getting around the hash and executing a rogue query. We simply do not know. But it's better to be safe than sorry, right? Like, if filtering is not going to change anything, you may as well do it? :)
Re: UberCMS Potential SQL exploit patch (housekeeping)
Quote:
Originally Posted by
Matthew
Yeah, I was thinking the same too, but as said before, I said potential for a reason. There *might* be a way of getting around the hash and executing a rogue query. We simply do not know. But it's better to be safe than sorry, right? Like, if filtering is not going to change anything, you may as well do it? :)
Uhm, maybe true :P, but I don't think it can xD
Btw, change it also for `index.php`; I thought that one was also unfiltered.
Re: UberCMS Potential SQL exploit patch (housekeeping)
This is not exploitable, as the value returned is a hash, and nothing more. You cannot inject anything within the query, as the value returned by uberHash will only be letters and numbers.
/facepalm
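To show the point RastaLulz and joopie are making (a hashed value cannot carry SQL syntax), here is an added Python illustration; it is not part of the thread or of uberCMS, which is PHP. The `uberHash` function is assumed to return a 32-character hex digest, so MD5 stands in for it here (MD5 is not a recommended password hash, it just matches the digest shape the thread describes); the sqlite3 table and the `alice` account are constructed sample data. The parameterized variant is the fix a reviewer would ask for regardless of how the password field is treated, because it also covers the username, which is not hashed.

```python
import hashlib
import re
import sqlite3

# A 32-character hex digest contains nothing but [0-9a-f], so no quote
# character or SQL keyword can survive the hash step.
HEX_DIGEST = re.compile(r"[0-9a-f]{32}")


def hash_password(password: str) -> str:
    """Stand-in for the thread's uberHash (assumed): MD5 hex digest of the raw password.

    MD5 is used only because the thread talks about a 32-char hash; it is not
    a suitable password hash for a real system (use bcrypt or argon2).
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def is_hex_digest(value: str) -> bool:
    """True when value is exactly 32 lowercase hex characters."""
    return HEX_DIGEST.fullmatch(value) is not None


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table with one account (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)", ("alice", hash_password("correct horse"))
    )
    conn.commit()
    return conn


def login_concatenated(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The pattern the thread is discussing: the password is hashed and then
    glued straight into the SQL string. The hashed value is inert, which is
    why a filter on the password field is redundant; the username is not
    hashed and is still concatenated raw, so it is the part a fix must cover."""
    hashed = hash_password(password)
    sql = (
        "SELECT COUNT(*) FROM users "
        f"WHERE username = '{username}' AND password = '{hashed}'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: both values go through placeholders, so the question of
    whether a field is 'filtered' never arises."""
    hashed = hash_password(password)
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, hashed),
    ).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = make_demo_db()
    payload = "' or '' = ''"  # the example input quoted in the thread
    print(hash_password(payload), is_hex_digest(hash_password(payload)))
    print(login_concatenated(db, "alice", payload))  # False: the hash is inert
    print(login_parameterized(db, "alice", "correct horse"))  # True
```

Running the block prints the digest of the thread's example input, confirms it is hex-only, and shows that the concatenated login rejects it while the parameterized login still accepts the real password.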
Re: UberCMS Potential SQL exploit patch (housekeeping)
Quote:
Originally Posted by
RastaLulz
This is not exploitable, as the value returned is a hash, and nothing more. You cannot inject anything within the query, as the value returned by uberHash will only be letters and numbers.
/facepalm
Thank you for repeating me?
Re: UberCMS Potential SQL exploit patch (housekeeping)
Quote:
Originally Posted by
joopie
Thank you for repeating me?
Repeating you? I simply looked at the thread, and responded.
Also, thanks for repeating Kryptos.
Re: UberCMS Potential SQL exploit patch (housekeeping)
Quote:
Originally Posted by
joopie
Thank you for repeating me?
You can't say that because you repeated what Kryptos said ;D
Re: UberCMS Potential SQL exploit patch (housekeeping)
Quote:
Originally Posted by
Hejula
You can't say that because you repeated what Kryptos said ;D
Ah, yes, xD, I saw it when RastaLulz posted his reaction xD, I always read the first post and the last few posts :P
Re: UberCMS Potential SQL exploit patch (housekeeping)
Quote:
Originally Posted by
Matthew
Yeah. It's quite sad. Everyone is using shitty Phoenix CMS now.
Wrong, Habrockz and Luxo Hotel both use uberCMS, but heavily modified.
Re: UberCMS Potential SQL exploit patch (housekeeping)
I also use an uberCMS edit. However, I've had my CMS fully secured for a while now. That won't be an exploit in a password field because it's hashed and it's not counted as real input? I'm not sure how it's processed.
Thanks though.
Jontycat
Re: UberCMS Potential SQL exploit patch (housekeeping)
Quote:
Originally Posted by
RastaLulz
This is not exploitable, as the value returned is a hash, and nothing more. You cannot inject anything within the query, as the value returned by uberHash will only be letters and numbers.
/facepalm
'k. You're 3 posts late. This has been said already. Understand I'm a novice programmer (I've only been doing this a few months and I'm still learning) and that I'm not stupid. The mark 'Potential' in the title means I'm not sure if it is. I released something which *could* have been very beneficial to the community. Someone else could've found this out before me and gone around exploiting hotels, had this not been a hash.
So, whilst the release itself is not useful, the thought of releasing a fix for a *maybe* exploit is, imho.
Also, you were once like me in terms of knowledge of programming, so ending your post with "/facepalm" is hypocritical of you, as you once made mistakes and didn't take things into account yourself.
So shut the fuck up, all of you. I'm now aware, and I was after Kryptos' post
Re: UberCMS Potential SQL exploit patch (housekeeping)
Quote:
Originally Posted by
Matthew
'k. You're 3 posts late. This has been said already. Understand I'm a novice programmer (I've only been doing this a few months and I'm still learning) and that I'm not stupid. The mark 'Potential' in the title means I'm not sure if it is. I released something which *could* have been very beneficial to the community. Someone else could've found this out before me and gone around exploiting hotels, had this not been a hash.
So, whilst the release itself is not useful, the thought of releasing a fix for a *maybe* exploit is, imho.
Also, you were once like me in terms of knowledge of programming, so ending your post with "/facepalm" is hypocritical of you, as you once made mistakes and didn't take things into account yourself.
So shut the fuck up, all of you. I'm now aware, and I was after Kryptos' post
Calm down, I wasn't being aggressive; I was simply stating. If you read my posts, it pretty much sounds like I was trying to explain it to myself while asking a question to those around us who are better. You're being a tool, not me.
Also, haven't you been going around acting like you're an amazing programmer, posting on developments like you know something, but now you're calling yourself a novice? Steep drop. Professional to novice.
Not having a go at you - good release, thanks for sharing it with the community as the retro community is dying, so we all need to start contributing or shit's gonna go down, fast.
Thanks & good luck with future learning.
Re: UberCMS Potential SQL exploit patch (housekeeping)
Jonty, it wasn't aimed at you. I never claimed to be a professional. I could probably write a whole CMS if I really wanted to. I have an understanding of most things. But I couldn't write forum software like.. vBulletin. So, I'm kind of in between. I didn't know what to call myself, so I thought novice might be the best one. Considering it's only been a few months, ya know? Or maybe a better word would be like.. 'standard'? I'm not sure how to measure coding knowledge.