MuWeb 0.8 (Hack Fixed, 21.04.2008) - updated

Downloads:

http://www.sendspace.com/file/c0x57u
RapidShare: 1-Click Webhosting

What have been changed?

• index.php
• modules/user.php
• modules/user/uploadscreen.php
• modules/user/mail.php
• logs.php
• includes/web_modules.php
• includes/mail_functions.php
• includes/admin_functions.php
• modules/user/request.php

problems solved:

• mail - fixed.
• xss -fixed.
• php injection - fixed.
• lfi - fixed.

notice:
i fixed the shell i left there http://www.muweb.org/images/smilies/biggrin.gif thx all

Credits
- MadCodeX & = Master =

enjoy!
:drinks_no

Approved, use this at your own risk.

Thanks for this update.

Thanks for posting here:jester:

Can you plss Share only the Code for Index PHP so we dont need to edit Our Index from Sratch...

MuWeb=0% Securiti Can Be Injected Can Be Hacked from Profile.php User Gallery.php and more
muweb have good templates but bad protection in a forum i see 300 user ho get sql inject in 1 day with muweb 0.8 :poster_ss

thanks , nice nice ^^.

10/10

MadCodeX from lasthopemu hacked alot of other mu site..

don't trust him!!!!

sql injection fixed?

nice update i have instaled this muweb and today they deleted my "MuOnline" database and "Ranking"...

Quote:

---

Originally Posted by Dorin1

nice update i have instaled this muweb and today they deleted my "MuOnline" database and "Ranking"...

---

read my post from 2 rows top.

madcodex is a hacker.

he will put redirec sites to lashopemu in your server.

Thank you.

lets see will =Master= approve this

100% protect ?

Quote:

---

Originally Posted by gum12345

MadCodeX from lasthopemu hacked alot of other mu site..

don't trust him!!!!

---

we all trust =Master= and master trust him

Quote:

---

Originally Posted by Fant0ma

MuWeb=0% Securiti Can Be Injected Can Be Hacked from Profile.php User Gallery.php and more
muweb have good templates but bad protection in a forum i see 300 user ho get sql inject in 1 day with muweb 0.8 :poster_ss

---

true,true,true ......

Its damn true.... in my dabase was delete .. those tables :

1.Character
2.Memb_info

Without those the server its down.....


I whant help with this injections.... (If some one know more about PHP)

hmm i've tested this and it really works ... no hack for the moment ... so i can say that it works and it's aproved by Master ...

thx great :)

Quote:

---

Originally Posted by baitzashul

true,true,true ......

Its damn true.... in my dabase was delete .. those tables :

1.Character
2.Memb_info

Without those the server its down.....


I whant help with this injections.... (If some one know more about PHP)

---

Yep, me too.

Someone just delete the Char and Memb_info table...

Had to restore but I had backup lol.

A lot of servers got this problem in the past week ...

What's happening?:juggle:

Not cool...

Only fcking guys... :poster_ss

=Master= = Noob
MuWeb= 0% Protection
Result A Noob Coder+A Noob Web trust me u will have all problems with hakers use mutoolz peopel trust me :poster_ss

and why you use his scripts? :)) master is not noob,you are.Try to do what master do(mu web 0.1-0.8) and after you can say master is noob.

I dont think hi did this "security" upgrade,why he dont post it here?In his forum is posted a upgrade like this but nobody complains problems!

Quote:

---

Originally Posted by Jumeirah

Yep, me too.

Someone just delete the Char and Memb_info table...

Had to restore but I had backup lol.

A lot of servers got this problem in the past week ...

What's happening?:juggle:

Not cool...

Only fcking guys... :poster_ss

---

ready for some nightmare..

ppl asking why rollback..... >_< and you can't restore only 2 those.
or it will not allowed new registrations.

must do full restore.

i got charater+mem_info delete. 2 time....... not this script but my fix one. with fix hacked.

i think it;s a new hold in muweb..

watch out!!!!

index.php is still unsecure!!!

can u show us some protection??

and topmu got nice WEB.!

well then post here what other bugs has muweb so we can fix them

Maybe better to make a guide "How to protect webserver" because even if the website is 101% secure, the webserver can still be hacked... ?

it seems secured... and approved by Master ... so don't worry ;) use it ...

i don`t aprove this thread, i don`t have time to check all files

Quote:

---

Originally Posted by Fant0ma

=Master= = Noob
MuWeb= 0% Protection
Result A Noob Coder+A Noob Web trust me u will have all problems with hakers use mutoolz peopel trust me :poster_ss

---

what a little poor kid like u, 13 years old know about PHP? wtf this is a fuc** free project no one pay me to do this, i reserv all my rights on this, want a good webie? fine rent a coder and get out of here.

more of this it might be ur fault, all of you donwload from mirror links that have been posted by xxx users, that mirror with download might contains worms inside files and etc...

Quote:

---

Originally Posted by Fant0ma

=Master= = Noob
MuWeb= 0% Protection
Result A Noob Coder+A Noob Web trust me u will have all problems with hakers use mutoolz peopel trust me :poster_ss

---

Eng: Fantoma you are a motherfucking bullshit rapist without future i fuck your mom in all 69 positions you fucking asshole. Show me what u did since u born u motherfucker, not in 100 years can u do what =Master= did! i fuck myself into your mum and all your gipsy family

Ro: Fantoma esti un futator de mama cacat impushcat violator fara viitor, ma fut in mata in toate 69 pozitii gaura in cur fututa ce esti. Arata-mi ce ai facut tu decand te-ai nascut futatorule de mama, nici in 100 de ani nu poti face ce a facut =Master=! ma fut in mata si in toata familia ta de tigani

Quote:

---

Originally Posted by LoveGod

Eng: Fantoma you are a motherfucking bullshit rapist without future i fuck your mom in all 69 positions you fucking asshole. Show me what u did since u born u motherfucker, not in 100 years can u do what =Master= did! i fuck myself into your mum and all your gipsy family

Ro: Fantoma esti un futator de mama cacat impushcat violator fara viitor, ma fut in mata in toate 69 pozitii gaura in cur fututa ce esti. Arata-mi ce ai facut tu decand te-ai nascut futatorule de mama, nici in 100 de ani nu poti face ce a facut =Master=! ma fut in mata si in toata familia ta de tigani

---

en: lol
ro: :))

EN: i think he have right :P (lovegod)
RO: cam are dreptate lovegod si master,fantoma fura lucrari si si le insuseste si ii mai si face noobi pe aia care le face cu adevarat,fantoma,dak master ii noob tu la ce stadiu esti,undeva pe la vierme ?

Admins please delete this post ! It is evil ^^
P.S. Things are getting ugly lol ^^

working this inject index.php?news='';shutdown;-- ! please fix it! And woking others op what is selecting from DB. Thx!

FIXED:

I was need to change in web_modules.php this:

Code:

---

function modules(){
      if(isset($_GET['op'])){
        $op = $_GET['op'];
                $g = chr(92);
        $op = str_replace($g , "", $_GET['op']);
        $op = str_replace("/" , "", $op);
        $op = str_replace("%00" , "\0", $op);
        $op = str_replace("?" , "", $op);
        $op = htmlspecialchars($op);
      if (is_file("modules/".$op.".php")) {
                  include("modules/".$op.".php");
       
      } else {       
                require("config.php");
                Echo ("<br>$warning_start Module $op Could Not Be Found By MuWeb! $warning_end<br>");
      }
  }
}

function user_modules(){
      if($_GET['option']) {
        $op=$_GET['option'] ;
                $g = chr(92);
        $op = str_replace($g , "", $_GET['op']);
        $op = str_replace("/" , "", $op);
        $op = str_replace("%00" , "\0", $op);
        $op = str_replace("?" , "", $op);
        $op = htmlspecialchars($op);
        $adr='./modules/user/'.$op.'.php' ;
      include($adr);
      }
    }

---

To this:

Code:

---

function modules(){
      if(isset($_GET['op'])){
        $op = $_GET['op'];
                $g = chr(92);
        $op = str_replace($g , "", $op);
        $op = str_replace("/" , "", $op);
        $op = str_replace("%00" , "\0", $op);
        $op = str_replace("?" , "", $op);
        $op = htmlspecialchars($op);
      if (is_file("modules/".$op.".php")) {
                  include("modules/".$op.".php");
       
      } else {       
                require("config.php");
                Echo ("<br>$warning_start Module $op Could Not Be Found By MuWeb! $warning_end<br>");
      }
  }
}

function user_modules(){
      if($_GET['option']) {
        $op=$_GET['option'] ;
                $g = chr(92);
        $op = str_replace($g , "", $op);
        $op = str_replace("/" , "", $op);
        $op = str_replace("%00" , "\0", $op);
        $op = str_replace("?" , "", $op);
        $op = htmlspecialchars($op);
        $adr='./modules/user/'.$op.'.php' ;
      include($adr);
      }
    }

---

Quote:

---

Originally Posted by baitzashul

true,true,true ......

Its damn true.... in my dabase was delete .. those tables :

1.Character
2.Memb_info

Without those the server its down.....


I whant help with this injections.... (If some one know more about PHP)

---

They inject using your lostpassword and email through the registration if you remove those access points muweb 0.8 is fairly secure if you have an idea on how to read logs and check which modules are being used, my suggestion is continue using 0.8 but, do some reading up when it comes to infiltratition to your server.

Web vulnerability sql inject...

I have problems in administrator.php
Some hackers can edit account and chars :o((