Re: [RevCMS] Unsafe?? Is it?
I don't think it's unsafe. My guess is it's more the way and methods they used to code their themes or housekeeping.
Re: [RevCMS] Unsafe?? Is it?
Not only RevCMS
1). REMOTE_ADDR (HTTP_CF_CONNECTING_IP) - They can change their IP address with a Google Chrome extension to something like 'rank='7'; so on every page (index? register?) where you save the IP (ip_last, ip_reg) it can't run the current query, they close the query and start a new query to make themselves admin (no db access, most of you (Dutch hotels) are hacked by this exploit).
How to fix:
Quote:
public function getRealIpAddress() {
    // Reject anything that is not a syntactically valid IPv4/IPv6 address,
    // so a string like 'rank='7' never reaches the query.
    if (!filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP)) {
        return false;
    }
    // Escape for the old mysql extension (PHP 5); with mysqli use
    // mysqli_real_escape_string($link, ...) or, better, a prepared statement.
    return mysql_real_escape_string($_SERVER['REMOTE_ADDR']);
}
Thanks to Marjolein
How to use:
Put this code in your core/whatever and, instead of the $_SERVER shit, use the function getRealIpAddress.
2). Parameters: some emus (enough here) don't use prepared statements, so they can do some fun things with your retro :love:
So take care of your code and enable your logs.
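The two points above, as an added example that is neither RevCMS code nor Ryan's: the header-glued-into-SQL pattern the post describes, next to a version that validates the address (the same filter_var check as the posted fix) and writes it with a PDO prepared statement. Table and column names (users, ip_last, rank, id) follow the thread; the in-memory SQLite database, user id 42 and the request array are constructed stand-ins for a retro's MySQL database and a real request. Which header to trust in the first place is a separate question; this block only shows that with placeholders the value can no longer alter the statement.

```php
<?php
// Added example, not RevCMS code. Vulnerable update beside the hardened one.

// Accept only a syntactically valid IP address; null lets the caller fall back.
function validIpOrNull(?string $value): ?string
{
    if ($value === null || filter_var($value, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    return $value;
}

// VULNERABLE (the pattern the thread describes): the header text is trusted
// and concatenated into the query. Kept here only for contrast.
function vulnerableUpdate(PDO $db, int $userId, array $server): void
{
    $ip = $server['HTTP_CF_CONNECTING_IP'] ?? $server['REMOTE_ADDR'];
    $db->exec("UPDATE `users` SET `ip_last` = '" . $ip . "' WHERE `id` = " . $userId);
}

// HARDENED: validated value plus placeholders. The driver sends the IP as data,
// so quotes inside it can never change the structure of the statement.
function safeUpdate(PDO $db, int $userId, array $server): void
{
    $ip = validIpOrNull($server['HTTP_CF_CONNECTING_IP'] ?? null)
        ?? validIpOrNull($server['REMOTE_ADDR'] ?? null)
        ?? '0.0.0.0';
    $stmt = $db->prepare('UPDATE `users` SET `ip_last` = :ip WHERE `id` = :id');
    $stmt->execute([':ip' => $ip, ':id' => $userId]);
}

function rankOf(PDO $db, int $userId): int
{
    $stmt = $db->prepare('SELECT `rank` FROM `users` WHERE `id` = :id');
    $stmt->execute([':id' => $userId]);
    return (int) $stmt->fetchColumn();
}

function lastIpOf(PDO $db, int $userId): string
{
    $stmt = $db->prepare('SELECT `ip_last` FROM `users` WHERE `id` = :id');
    $stmt->execute([':id' => $userId]);
    return (string) $stmt->fetchColumn();
}

// Constructed database: SQLite in memory standing in for the retro's MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE `users` (`id` INTEGER PRIMARY KEY, `rank` INTEGER, `ip_last` TEXT)');
$db->exec("INSERT INTO `users` VALUES (42, 1, '')");

// Constructed request: a normal user whose browser sends the Cloudflare header
// with the payload from the thread instead of an address.
$request = [
    'REMOTE_ADDR'           => '203.0.113.10',
    'HTTP_CF_CONNECTING_IP' => "1.2.3.4', `rank` = '7",
];

vulnerableUpdate($db, 42, $request);
echo 'vulnerable update: rank=', rankOf($db, 42), ' ip_last=', lastIpOf($db, 42), PHP_EOL;

// Reset the row, then run the hardened version against the same request.
$db->exec("UPDATE `users` SET `rank` = 1, `ip_last` = '' WHERE `id` = 42");
safeUpdate($db, 42, $request);
echo 'safe update:       rank=', rankOf($db, 42), ' ip_last=', lastIpOf($db, 42), PHP_EOL;
```

Run it with the CLI (php example.php). The first line shows the rank column changed by a request that never touched a rank field; the second shows the rank untouched and the header value discarded in favour of REMOTE_ADDR because it failed validation. Logging the rejected header value at that point is the cheap detection the post's "enable your logs" advice asks for.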
Re: [RevCMS] Unsafe?? Is it?
Quote:
Originally Posted by Ryan
Not only RevCMS
1). REMOTE_ADDR (HTTP_CF_CONNECTING_IP) - They can change their IP address with a Google Chrome extension to something like 'rank='7'; so on every page (index? register?) where you save the IP (ip_last, ip_reg) it can't run the current query, they close the query and start a new query to make themselves admin (no db access, most of you (Dutch hotels) are hacked by this exploit).
How to fix:
How to use:
Put this code in your core/whatever and, instead of the $_SERVER shit, use the function getRealIpAddress.
2). Parameters: some emus (enough here) don't use prepared statements, so they can do some fun things with your retro :love:
So take care of your code and enable your logs.
The first thing is true and not true.
Remote addr is just the IP that the server receives, so you can't edit that...
But like you said, the HTTP_ headers can be edited and can contain an exploit.
And it's so true about the parameters; those are the most exploits client-side on most emulator/mysqli websites.
Re: [RevCMS] Unsafe?? Is it?
Quote:
Originally Posted by Ryan
Not only RevCMS
1). REMOTE_ADDR (HTTP_CF_CONNECTING_IP) - They can change their IP address with a Google Chrome extension to something like 'rank='7'; so on every page (index? register?) where you save the IP (ip_last, ip_reg) it can't run the current query, they close the query and start a new query to make themselves admin (no db access, most of you (Dutch hotels) are hacked by this exploit).
How to fix:
How to use:
Put this code in your core/whatever and, instead of the $_SERVER shit, use the function getRealIpAddress.
2). Parameters: some emus (enough here) don't use prepared statements, so they can do some fun things with your retro :love:
So take care of your code and enable your logs.
You're totally right, this happened to me too.
Thanks for the fix.
Re: [RevCMS] Unsafe?? Is it?
Quote:
Originally Posted by Ryan
Not only RevCMS
1). REMOTE_ADDR (HTTP_CF_CONNECTING_IP) - They can change their IP address with a Google Chrome extension to something like 'rank='7'; so on every page (index? register?) where you save the IP (ip_last, ip_reg) it can't run the current query, they close the query and start a new query to make themselves admin (no db access, most of you (Dutch hotels) are hacked by this exploit).
How to fix:
How to use:
Put this code in your core/whatever and, instead of the $_SERVER shit, use the function getRealIpAddress.
2). Parameters: some emus (enough here) don't use prepared statements, so they can do some fun things with your retro :love:
So take care of your code and enable your logs.
So if I read it correctly, you have to put the code "public function etc etc" in your core? Does it have a special place, or doesn't it matter where you put it?
And one more thing, bro, I don't understand this: "Put this code in your core/whatever and use instead of $_SERVER shit use the function getRealIpAddress." Can you give me an example?
Re: [RevCMS] Unsafe?? Is it?
How can you do this in RevCMS, and where?
Re: [RevCMS] Unsafe?? Is it?
Quote:
Originally Posted by Serow
So if I read it correctly, you have to put the code "public function etc etc" in your core? Does it have a special place, or doesn't it matter where you put it?
And one more thing, bro, I don't understand this: "Put this code in your core/whatever and use instead of $_SERVER shit use the function getRealIpAddress." Can you give me an example?
This is not a help section, sir.
Little tip: the place doesn't matter, as long as you put it in the right file: global.php, core.php, class.core.php(?), one of them. And you can use it like UPDATE `users` SET `ip_last` = '".getRealIpAddress()."' instead of ip_last = '".$_SERVER['HTTP_CF_CONNECTING_IP']."'
Re: [RevCMS] Unsafe?? Is it?
Quote:
Originally Posted by Ryan
This is not a help section, sir.
Little tip: the place doesn't matter, as long as you put it in the right file: global.php, core.php, class.core.php(?), one of them. And you can use it like UPDATE `users` SET `ip_last` = '".getRealIpAddress()."' instead of ip_last = '".$_SERVER['HTTP_CF_CONNECTING_IP']."'
Last question: how do I do it with code like this: return mysql_real_escape_string($_SERVER['REMOTE_ADDR']);
Re: [RevCMS] Unsafe?? Is it?
Quote:
Originally Posted by Serow
Last question: how do I do it with code like this: return mysql_real_escape_string($_SERVER['REMOTE_ADDR']);
You don't need to filter remote addr because that is server-side. You only need to filter the HTTP_ headers, like the one from Cloudflare, HTTP_CF etc.
Next time, ask your question in the help section.
Gr spot ify
Re: [RevCMS] Unsafe?? Is it?
Quote:
Originally Posted by Spot Ify
You don't need to filter remote addr because that is server-side. You only need to filter the HTTP_ headers, like the one from Cloudflare, HTTP_CF etc.
Next time, ask your question in the help section.
Gr spot ify
It's a bit unclear: do you mean the one from Cloudflare is safe, or does it need to be filtered?
Re: [RevCMS] Unsafe?? Is it?
The one from Cloudflare needs to be filtered because you can send the same header with your browser.
And remote addr is just the TCP connection that PHP gets from you, and it's impossible to change that into an exploit.
@Under me: yup, that's safe.
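Spot Ify's explanation in code, as an added example that is neither RevCMS code nor his: REMOTE_ADDR is the address of the TCP peer, filled in by the server, so it is used as-is; HTTP_CF_CONNECTING_IP is just request text that any client can send, so it is honoured only when the connection itself came from a proxy address on an allowlist and the header parses as an IP. The proxy address 198.51.100.1 and the three requests are constructed placeholders, not Cloudflare's real ranges; use the addresses of the proxy actually in front of your hotel.

```php
<?php
// Added example, not RevCMS code. Decide which address to treat as the client.

// Returns the address to store plus where it came from, so callers can log
// requests that carried a header the server had no reason to trust.
function resolveClientIp(array $server, array $trustedProxies): array
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $header = $server['HTTP_CF_CONNECTING_IP'] ?? null;

    // Direct connection: nothing sits between the client and PHP, so any
    // forwarding header was written by the client itself. Ignore it.
    if (!in_array($remote, $trustedProxies, true)) {
        return ['ip' => $remote, 'source' => 'REMOTE_ADDR', 'header_ignored' => $header !== null];
    }

    // Connection from a proxy we trust: use the forwarded address, but only if
    // it really is an IP address. Anything else falls back to the proxy address.
    if ($header !== null && filter_var($header, FILTER_VALIDATE_IP) !== false) {
        return ['ip' => $header, 'source' => 'HTTP_CF_CONNECTING_IP', 'header_ignored' => false];
    }
    return ['ip' => $remote, 'source' => 'REMOTE_ADDR', 'header_ignored' => $header !== null];
}

// Constructed placeholder for your proxy's address (replace with the real list).
$trustedProxies = ['198.51.100.1'];

// Constructed requests covering the cases discussed in the thread.
$cases = [
    'direct, header spoofed'  => ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_CF_CONNECTING_IP' => "x', `rank`='7"],
    'via proxy, valid header' => ['REMOTE_ADDR' => '198.51.100.1', 'HTTP_CF_CONNECTING_IP' => '203.0.113.77'],
    'via proxy, bad header'   => ['REMOTE_ADDR' => '198.51.100.1', 'HTTP_CF_CONNECTING_IP' => "x', `rank`='7"],
    'direct, no header'       => ['REMOTE_ADDR' => '203.0.113.10'],
];

foreach ($cases as $label => $server) {
    $r = resolveClientIp($server, $trustedProxies);
    printf("%-24s -> %-14s (from %s)%s\n", $label, $r['ip'], $r['source'],
        $r['header_ignored'] ? ' [header ignored]' : '');
    if ($r['header_ignored']) {
        // The "enable your logs" part: a forwarding header that was not
        // honoured is worth a line in the log for later review.
        error_log(sprintf('ignored HTTP_CF_CONNECTING_IP %s from %s',
            $server['HTTP_CF_CONNECTING_IP'], $server['REMOTE_ADDR']));
    }
}
```

When traffic really does pass through Cloudflare, REMOTE_ADDR holds the proxy's address rather than the visitor's, which is why the header exists at all; the allowlist check is what makes honouring it safe, because a visitor who connects straight to the origin cannot make REMOTE_ADDR match a proxy address. The value returned here can then be written with a prepared statement instead of string concatenation.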
Re: [RevCMS] Unsafe?? Is it?
Quote:
Originally Posted by Spot Ify
The one from Cloudflare needs to be filtered because you can send the same header with your browser.
And remote addr is just the TCP connection that PHP gets from you, and it's impossible to change that into an exploit.
Oh, the REMOTE_ADDR also just works for me with Cloudflare, so that is safe then?