[Website] AltairCMS! | Updated with steps to add new page

[namek303]

Out of all the flaws on AltairCMS that i've been fixing. I recommend you fix the "GET" variable issue.

Because if the "GET" info is not a number then do a check and make it do something else. for example if the "Get" variable is not a number or is INVALID make it by default equal 1. (doing this will fix the problem)

Here is an example. replace your link for your AltairCMS page with this.

Code:

http://(YOUR WEBSITE FOR ALTAIR CMS HERE)/?page=index&id=<script>alert('hacked by namek303')</script>

this security flaw will allow a user to actually make a cookie stealer. and all he needs to do is make a admin visit a page with the cookie stealer hidden on it. and boom he has the admin's cookies. and he replaces the Admin cookies with his and now hes a admin on the site. lots of damage that can be done for people that really customized it.

the damage that he can do includes, making a notice or announcement that causes harm. (embedding the cookie grabber in an announcement, testing for sql injection using the announcement, making a redirect to another site from announcement, defacing the site from announcement, making comments from announcements that are inappropriate to name a few options)

I really like this CMS and been working alot with it. Let me know how that works out or if u cant figure out how to fix it for you. (by fixing this you eliminate the biggest security flaw on the site)

[zoopie]

ok i followed all the steps and rename install to install.lock and i go to localhost and the page says
Oops!This link appears to be broken
URL: localhost/install/install.php

[AuroX]

Once you've renamed it, go to http://localhost/index.php

[okfolife123]

i do and it redirects me to localhost/install/install.php

[linkdamasta]

Yep. Epic fail. Even after you follow the instructions it tries to take you to install.php, and since you renamed it it just returns a 404 message.

Edit:
I named it install.lock, but it kept the PHP extension. Might want to clarify that you need to make sure to remove the extension.

[AuroX]

It must be a lock extension. If it is a php extension, then delete it > Open notepad> leave it blank > File>Save As > name ="install.lock" > File type: all files. put it into your install folder and you're done. I noticed his thing as vista and windows 7 won't change the extension for you when you edit it.

[okfolife123]

Thnx and one more thing i cant find out how to add notice is the admin page or do i do it from Database. if database which table. if admin page what url. ty

[AuroX]

Go to accounts table in SQL, find the desired account u want and set the admin column to 1. Then login at the control panel and you'll be redirected into the admin page.

[noviceboy55]

Can someone give me an example of how to add the GAMEUP, NOTICE, END, PRIZE, INFO images in the news/events section in front of a line of text?

Sry if this bumped a 2 weeks old tread :P

@Yenpooh : maybe u can add a few lines in the cms event.php with image enabled such that people knows how to add it o:

[joellol]

When i do the .lock thing i end up if i go to the localhost directory i get redirected to localhost/install/install.php and then links me to google to search something

[Sanctuality]

Yeah this is not working at all this = fail

[AuroX]

I've posted 2~3 post regarding the .lock stuffs, its not my problem, its your windows that doesn't change the extension. So you'll have to manually create a lock file.

[Hubba]

Added to library..

[vgun999]

I have seen some of the computers which when you edit install.php to install.lock, it will still remains as install.lock.php

To fix that I suggest you to open notepad, Leave it blank and Save as "install.lock" and the Save as type select"All files" and put the install.lock into your install folder.

thank you that helped me :D

[Expedia]

Added to library..

No one cares. There's a reason why it's locked up, but I guess Hubba-people are too stupid to realize it.