Quick fix for the Cype ranking exploit.
This quickly fixes up the SQL injectable portion of the ranking system in CypeCMS.
Open up Ranking.php, and find:
Replace that entire line with:
Code:
if(@$order && (@$order == "fame" or @$order == "reborns" or @$order == "wins" or @$order == "level")) {
That makes it so if the order parameter isn't either level, reborns, wins, or fame, it'll switch to the default order (which, on most servers, would be by rebirths).
Edit: I forgot to mention, thanks to StefanCandan for finding the exploit. :)
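The same allowlist idea as the fix in the post above, written as a lookup table (an added example, not CypeCMS code; the `characters` table, the `name` column and the helper names are assumptions). Column names cannot be bound as query parameters, so the request value only selects an entry from a fixed list and is never copied into the SQL string.

```php
<?php
// Added example, not CypeCMS code. The table name `characters` and the
// `name` column are assumptions; the four sort keys are the ones in the fix.
const RANKING_ORDER_COLUMNS = [
    'level'   => 'level',
    'reborns' => 'reborns',
    'wins'    => 'wins',
    'fame'    => 'fame',
];

/**
 * Map the raw ?order= value to a column name taken from our own table,
 * so request text never reaches the query.
 */
function rankingOrderColumn($requested, string $default = 'reborns'): string
{
    // ?order[]=x arrives as an array; anything that is not a string gets the default.
    if (!is_string($requested)) {
        return RANKING_ORDER_COLUMNS[$default];
    }
    // Exact key match only; unknown keys fall back to the default order.
    return RANKING_ORDER_COLUMNS[$requested] ?? RANKING_ORDER_COLUMNS[$default];
}

function rankingQuery($requested, int $limit = 10): string
{
    $column = rankingOrderColumn($requested);
    $limit  = max(1, min($limit, 100)); // clamp the page size to 1..100
    return "SELECT name, level, reborns, wins, fame FROM characters "
         . "ORDER BY `$column` DESC LIMIT $limit";
}

// Constructed sample inputs: a valid key, an unknown key,
// a key with extra text appended, and an array value.
$samples = ['fame', 'mesos', 'fame, name', ['fame']];
foreach ($samples as $raw) {
    echo json_encode($raw), ' => ', rankingQuery($raw), PHP_EOL;
}
```

Only the first sample sorts by `fame`; the other three fall back to `reborns`, the default order the post describes.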
Re: Quick fix for the Cype ranking exploit.
Heh, np. Just trying to make Maple ps's more secure :3
Re: Quick fix for the Cype ranking exploit.
Other than that, there's another exploit with cype or perhaps more.
That's the reason why I am not using it for Celino, which was once database hacked a week after it first started.
Also, the ranking system takes ridiculously a whole lot of resources.
Re: Quick fix for the Cype ranking exploit.
Quote: Originally Posted by LightPepsi
Other than that, there's another exploit with cype or perhaps more.
That's the reason why I am not using it for Celino, which was once database hacked a week after it first started.
Also, the ranking system takes ridiculously a whole lot of resources.
Hmm. I'll look around for any possible SQL injectable areas, but from what I know, I haven't found any yet.
Also, that is true. I think it's because the rankings check if the character's equips, hair, or face change so often. Besides that, Cype seems to have a whole bunch of unneeded features (just to note one, the mail system. Most servers have forums, with the PM system. The mail system looks like it would be one of those SQL injectable places though. I'm gonna go look around there and see if I can find anything).
Re: Quick fix for the Cype ranking exploit.
I built in exploits to Cype. o.o
Re: Quick fix for the Cype ranking exploit.
Good job.
Now the noobs only have to figure out how to open a .php file!
Re: Quick fix for the Cype ranking exploit.
Quote: Originally Posted by theRice
Good job.
Now the noobs only have to figure out how to open a .php file!
They know how to open it, just not to edit it.
Re: Quick fix for the Cype ranking exploit.
PuppyKevin here is a small tip.
I benchmarked worded "or" statements to be 0.01 ms slower than the properly formatted "||", just letting you know :P
Re: Quick fix for the Cype ranking exploit.
Quote: Originally Posted by theRice
Good job.
Now the noobs only have to figure out how to open a .php file!
I'm sure no one is retarded enough to
1). Double Click
2). Right click: Edit
3). Highlight press enter.
Re: Quick fix for the Cype ranking exploit.
...does this REALLY affect mysql stuff?
If it does, Cype has gotten crappier since I've left.