Re: uberCMS/rCMS [PHP,OOP] Fixed Updated [Phoenix]
Quote:
Originally Posted by
Subway
Then share it stop looking for a Epenis^
@maxwell -.- it's only a HK I didn't really have to give you credits.
How is that trying to get a Epenis?
And if people wanted to use the CMS, they could just change the password encryption. --> Need help with that, email me the CMS you're using and I'll give you a fix :] :rolleyes:
Btw, you can Inject the news comments in the articles, and there's a exploit in the article.php file :glare:
Re: uberCMS/rCMS [PHP,OOP] Fixed Updated [Phoenix]
Re: uberCMS/rCMS [PHP,OOP] Fixed Updated [Phoenix]
Your credits are on housekeeping page though :sleep:
Re: uberCMS/rCMS [PHP,OOP] Fixed Updated [Phoenix]
There's an exploit in the badge shop, you'll need to escape all the $_GET's, I coded it when I was much more novice, around 6 months or so ago (maybe?)
Tag exploit? thanks! (i had tags removed due to a glitch anyway but this is helpful to know)
Register exploit in the cms? I don't think it was in there when I released it, i'm almost certain it wasn't :s
There's also an exploit in news comments, strip the tags to stop it from happening.
Db changing via my mistakes haha sorry, I coded the CMS for Zap when I did it and didn't really do anything as it should have been done, I was still learning when I edited the cms and i'm sad to say that I did the register changes, some housekeeping changes and the badge shop when I was crap =P
Good release :thumbup:
Re: uberCMS/rCMS [PHP,OOP] Fixed Updated [Phoenix]
Quote:
Originally Posted by
Jonteh
There's an exploit in the badge shop, you'll need to escape all the $_GET's, I coded it when I was much more novice, around 6 months or so ago (maybe?)
Tag exploit? thanks! (i had tags removed due to a glitch anyway but this is helpful to know)
Register exploit in the cms? I don't think it was in there when I released it, i'm almost certain it wasn't :s
There's also an exploit in news comments, strip the tags to stop it from happening.
Db changing via my mistakes haha sorry, I coded the CMS for Zap when I did it and didn't really do anything as it should have been done, I was still learning when I edited the cms and i'm sad to say that I did the register changes, some housekeeping changes and the badge shop when I was crap =P
Good release :thumbup:
There was/is no exploit in the register, so don't listen. I done an exploit check in normal UberCMS and exploit check in rCMS's Register and rCMS was secured already.
Re: uberCMS/rCMS [PHP,OOP] Fixed Updated [Phoenix]
Nice, thanks for releasing this!
Re: uberCMS/rCMS [PHP,OOP] Fixed Updated [Phoenix]
Quote:
Originally Posted by
MyKi
There was/is no exploit in the register, so don't listen. I done an exploit check in normal UberCMS and exploit check in rCMS's Register and rCMS was secured already.
There was an exploit in the register, bean_avatarName & checkNameOnly ;)
Re: uberCMS/rCMS [PHP,OOP] Fixed Updated [Phoenix]
Quote:
Originally Posted by
Jonteh
There was an exploit in the register, bean_avatarName & checkNameOnly ;)
They were no exploits. This:
PHP Code:
if ($users->IsNameTaken($name))
{
echo '<div class="taken"><p>Sorry, the name <strong>' . clean($name) . '</strong> is taken!</p></div>';
}
else if ($users->IsNameBlocked($name))
{
echo '<div class="taken"><p>Sorry, that name is reserved or disallowed.</p></div>';
}
else if (!$users->IsValidName($name))
{
echo '<div class="taken"><p>Sorry, that name is invalid. Your name can contain lowercase, uppercase letters, and numbers.</p></div>';
}
Was in wrong order, IsValidName should have been first and that removes all chance of SQL exploit possibility.
Re: uberCMS/rCMS [PHP,OOP] Fixed Updated [Phoenix]
Quote:
Originally Posted by
Hejula
They were no exploits. This:
PHP Code:
if ($users->IsNameTaken($name))
{
echo '<div class="taken"><p>Sorry, the name <strong>' . clean($name) . '</strong> is taken!</p></div>';
}
else if ($users->IsNameBlocked($name))
{
echo '<div class="taken"><p>Sorry, that name is reserved or disallowed.</p></div>';
}
else if (!$users->IsValidName($name))
{
echo '<div class="taken"><p>Sorry, that name is invalid. Your name can contain lowercase, uppercase letters, and numbers.</p></div>';
}
Was in wrong order, IsValidName should have been first and that removes all chance of SQL exploit possibility.
Oh. I escaped it and it did the same thing lol.
Re: uberCMS/rCMS [PHP,OOP] Fixed Updated [Phoenix]
Quote:
Originally Posted by
MyKi
How is that trying to get a Epenis?
And if people wanted to use the CMS, they could just change the password encryption. --> Need help with that, email me the CMS you're using and I'll give you a fix :] :rolleyes:
Btw, you can Inject the news comments in the articles, and there's a exploit in the article.php file :glare:
@Myki - Just download the fix and pm me the fix link, and I forgot about articles, was going to removed that new's comment shit but totally forgot XD. Thanks!
@Jonteh - Mhm you forgot to filter
PHP Code:
$name = Filter($_POST['bean_avatarName']);
And i'll work on fixing them in badge shop :drool: thanks!
Re: uberCMS/rCMS [PHP,OOP] Fixed Updated [Phoenix]
Quote:
Originally Posted by
Subway
@Myki - Just download the fix and pm me the fix link, and I forgot about articles, was going to removed that new's comment shit but totally forgot XD. Thanks!
@Jonteh - Mhm you forgot to filter
PHP Code:
$name = Filter($_POST['bean_avatarName']);
And i'll work on fixing them in badge shop :drool: thanks!
filter is lowecase f, i always assume things are case sensitive
Re: uberCMS/rCMS [PHP,OOP] Fixed Updated [Phoenix]
Quote:
Originally Posted by
Subway
@Myki - Just download the fix and pm me the fix link, and I forgot about articles, was going to removed that new's comment shit but totally forgot XD. Thanks!
@Jonteh - Mhm you forgot to filter
PHP Code:
$name = Filter($_POST['bean_avatarName']);
And i'll work on fixing them in badge shop :drool: thanks!
Filter doesn't stop SQL Injection, mysql_real_escape_string is a much better method to use.
Re: uberCMS/rCMS [PHP,OOP] Fixed Updated [Phoenix]
Lol really ? Weird :rolleyes::D:
Quote:
Originally Posted by
ησвяαιη
Filter doesn't stop SQL Injection, mysql_real_escape_string is a much better method to use.
I'm using this method on Badgeshop as we speak
I'm going to release a more updated version soon.
Re: uberCMS/rCMS [PHP,OOP] Fixed Updated [Phoenix]
This is looking pretty decent, good luck.
Just reading through this thread I've learnt a lot about securing my code, I'm still in the basics of PHP.
Re: uberCMS/rCMS [PHP,OOP] Fixed Updated [Phoenix]
Me 2 Iv'e learnt a lot along the way & Thanks !:w00t:
