UberCMS Potential SQL exploit patch (housekeeping)

Page 2 of 3 (results 16 to 30 of 40)
  1. #16 Matthew (No, Just no.)
    Member, joined Jul 2008, United Kingdom, 1,408 posts

    Re: UberCMS Potential SQL exploit patch (housekeeping)

    Quote (originally posted by skunken1):
        Pm me too :)
    What's the point in him PM'ing you anything about the exploits when you probably know nothing on the topic?

    Quote (originally posted by jamieturner):
        and me please, cheers.
    Who are you asking? And to what? (if me)

  2. #17 Joopie (Live Ocottish Sverlord)
    Legend, joined Jun 2010, The Netherlands, 2,773 posts

    Quote (originally posted by Matthew):
        Who are you asking? And to what? (if me)
    He asks if you'll add him xD

    Btw, I think it's useless to filter the password post.

    Because:
    The server gets as response `' or '' = ''` (for example).

    If you make a hash of it, you'll get something like: 08c0b7826294f319bdf2abf11b7af0fc

    That's never an exploit, is it?

  3. #18 Matthew (No, Just no.)
    Member, joined Jul 2008, United Kingdom, 1,408 posts

    Quote (originally posted by joopie):
        He asks if you'll add him xD

        Btw, I think it's useless to filter the password post.

        Because:
        The server gets as response `' or '' = ''` (for example).

        If you make a hash of it, you'll get something like: 08c0b7826294f319bdf2abf11b7af0fc

        That's never an exploit, is it?
    Yeah, I was thinking the same too, but as said before, I said potential for a reason. There *might* be a way of getting around the hash and executing a rogue query. We simply do not know. But it's better to be safe than sorry, right? Like, if filtering is not going to change anything, you may as well do it? :)

  4. #19 Joopie (Live Ocottish Sverlord)
    Legend, joined Jun 2010, The Netherlands, 2,773 posts

    Quote (originally posted by Matthew):
        Yeah, I was thinking the same too, but as said before, I said potential for a reason. There *might* be a way of getting around the hash and executing a rogue query. We simply do not know. But it's better to be safe than sorry, right? Like, if filtering is not going to change anything, you may as well do it? :)
    Uhm, maybe true :P, but I don't think it can xD

    Btw, change it also for the `index.php`, I thought that one was also unfiltered.

  5. #20 RastaLulz (Gamma)
    Member, joined Dec 2007, Earth, 3,328 posts

    This is not exploitable, as the value returned is a hash, and nothing more. You cannot inject anything within the query as the value returned by uberHash will only be letters and numbers.

    /facepalm
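Joopie's point in #17 and RastaLulz's in #20 come down to the same observation: the login query never sees the password field itself, only its digest, and a hex digest cannot close a quoted string. The Python below is an added illustration written for this thread, not code from the original posts or from uberCMS. It assumes `uberHash()` is a plain unsalted MD5 hex digest (the thread only says its output is letters and numbers), builds a constructed in-memory user table, and checks the `' or '' = ''` string quoted above. It also shows the change that settles the question for every field, not just the hashed one: a parameterised query, since a hash only protects the single slot it is applied to and says nothing about the username slot or `index.php`.

```python
import hashlib
import re
import sqlite3

# Constructed sample accounts; not real data from any hotel.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]

# The example string quoted in the thread.
PAYLOAD = "' or '' = ''"

HEX32 = re.compile(r"[0-9a-f]{32}")


def uber_hash(password: str) -> str:
    """Stand-in for the CMS's uberHash(). Assumption: an unsalted MD5 hex
    digest; the thread only tells us the output is letters and digits."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory users table holding hashed passwords (constructed sample)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [(u, uber_hash(p)) for u, p in SAMPLE_USERS],
    )
    return conn


def password_slot_is_inert(password: str) -> bool:
    """Why filtering the password POST field buys nothing: whatever is typed,
    the query only ever receives the digest, which is 32 hex characters and
    can never contain a quote."""
    digest = uber_hash(password)
    return HEX32.fullmatch(digest) is not None and "'" not in digest


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The pattern the thread discusses: a string-built query where the
    password is hashed before concatenation, so that slot cannot break out
    of its quotes. The username slot is still concatenated raw, which is
    why this form is shown only for comparison with login_param()."""
    sql = "SELECT id FROM users WHERE username = '%s' AND password = '%s'" % (
        username,
        uber_hash(password),
    )
    return conn.execute(sql).fetchone() is not None


def login_param(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: a placeholder for every field, hashed or not, so the
    database driver handles quoting and no input can alter the statement."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, uber_hash(password)),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print("password slot inert:", password_slot_is_inert(PAYLOAD))
    print("payload as password (concat / param):",
          login_concat(db, "alice", PAYLOAD), login_param(db, "alice", PAYLOAD))
    print("real password (concat / param):",
          login_concat(db, "alice", "correct horse"), login_param(db, "alice", "correct horse"))
```

Run as a script it shows that the quoted string, once hashed, is inert in the password slot of both query styles while the real password still authenticates. The parameterised version is the one to keep: it makes the same guarantee for fields that are not hashed, which is the gap Joopie points at with `index.php`.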

  6. #21 Joopie (Live Ocottish Sverlord)
    Legend, joined Jun 2010, The Netherlands, 2,773 posts

    Quote (originally posted by RastaLulz):
        This is not exploitable, as the value returned is a hash, and nothing more. You cannot inject anything within the query as the value returned by uberHash will only be letters and numbers.

        /facepalm
    Thank you for repeating me?

  7. #22 RastaLulz (Gamma)
    Member, joined Dec 2007, Earth, 3,328 posts

    Quote (originally posted by joopie):
        Thank you for repeating me?
    Repeating you? I simply looked at the thread, and responded.

    Also, thanks for repeating Kryptos.

  8. #23 Hejula (The one and only!)
    Member, joined Nov 2008, 4,128 posts

    Quote (originally posted by joopie):
        Thank you for repeating me?
    You can't say that because you repeated what Kryptos said ;D

  9. #24 Joopie (Live Ocottish Sverlord)
    Legend, joined Jun 2010, The Netherlands, 2,773 posts

    Quote (originally posted by Hejula):
        You can't say that because you repeated what Kryptos said ;D
    Ah, yes, xD, I saw it when RastaLulz posted his reaction xD, I always read the first post and the last few posts :P

  10. #25 Roper (hi i'm robbie)
    Member, joined Oct 2008, /home/roper, 2,283 posts

    Quote (originally posted by Matthew):
        Yeah. It's quite sad. Everyone is using shitty Phoenix CMS now.
    Wrong, Habrockz and Luxo Hotel both use uberCMS but heavily modified.

  11. #26 Davidaap (What about no.)
    Member, joined Nov 2009, 773 posts

    Hobbs Hotel uses uberCMS {A}

  12. #27 Jonteh (:joy:)
    Member, joined Apr 2007, New York, USA, 3,375 posts

    I also use an uberCMS edit. However, I've had my CMS fully secured for a while now. That won't be an exploit in a password field because it's hashed and it's not counted as real input? I'm not sure how it's processed.

    Thanks though.

    Jontycat

  13. #28 Matthew (No, Just no.)
    Member, joined Jul 2008, United Kingdom, 1,408 posts

    Quote (originally posted by RastaLulz):
        This is not exploitable, as the value returned is a hash, and nothing more. You cannot inject anything within the query as the value returned by uberHash will only be letters and numbers.

        /facepalm
    'k. You're 3 posts late. This has been said already. Understand I'm a novice programmer (I've only been doing this a few months and I'm still learning) and that I'm not stupid. The mark 'Potential' in the title means I'm not sure if it is. I released something which *could* have been very beneficial to the community. Someone else could've found this out before me and gone around exploiting hotels had this not been a hash.

    So, whilst the release itself is not useful, the thought of releasing a fix for a *maybe* exploit is, imho.

    Also, you were once like me in terms of knowledge of programming, so ending your post with "/facepalm" is hypocritical of you, as you once made mistakes and didn't take things into account yourself.

    So shut the fuck up, all of you. I'm now aware and I was after Kryptos' post.

  14. #29 Jonteh (:joy:)
    Member, joined Apr 2007, New York, USA, 3,375 posts

    Quote (originally posted by Matthew):
        'k. You're 3 posts late. This has been said already. Understand I'm a novice programmer (I've only been doing this a few months and I'm still learning) and that I'm not stupid. The mark 'Potential' in the title means I'm not sure if it is. I released something which *could* have been very beneficial to the community. Someone else could've found this out before me and gone around exploiting hotels had this not been a hash.

        So, whilst the release itself is not useful, the thought of releasing a fix for a *maybe* exploit is, imho.

        Also, you were once like me in terms of knowledge of programming, so ending your post with "/facepalm" is hypocritical of you, as you once made mistakes and didn't take things into account yourself.

        So shut the fuck up, all of you. I'm now aware and I was after Kryptos' post.
    Calm down, I wasn't being aggressive, I was simply stating. If you read my posts, it pretty much sounds like I was trying to explain it to myself while asking a question of those around us who are better. You're being a tool, not me.

    Also, haven't you been going around acting like you're an amazing programmer, posting on developments like you know something, but now, you're calling yourself a novice? Steep drop. Professional to novice.

    Not having a go at you. Good release, thanks for sharing it with the community, as the retro community is dying, so we all need to start contributing or shit's gonna go down, fast.

    Thanks & good luck with future learning.

  15. #30 Matthew (No, Just no.)
    Member, joined Jul 2008, United Kingdom, 1,408 posts

    Jonty, it wasn't aimed at you. I never claimed to be a professional. I could probably write a whole CMS if I really wanted to. I have an understanding of most things. But I couldn't write forum software like.. vBulletin. So, I'm kind of in between. I didn't know what to name myself, so I thought novice might be the best one. Considering it's only been a few months, ya know? Or maybe a better word would be like.. 'standard'? I'm not sure how to measure coding knowledge.
    Last edited by Matthew; 18-07-11 at 07:08 AM.
