PHPRetro exploit?

Hello, I was browsing through PHPRetro looking for exploits when I spotted

PHP Code:

---

function delete1(){
        @$GLOBALS['serverdb']->query("TRUNCATE TABLE users");
    } 


---

Apparently it's used for when you install phpretro but i'm not sure if this is used anywhere else in the CMS.

What do you think?

Edit: After reading through the code again, I noticed that Yifan left a note..
I'm pretty sure you have to delete the install functions after you install the cms.

"//You may delete the installer_sql(); class after installing"

So id probably recommend deleting the install functions.

should be in discussions..
not releases
and wow

Quote:

---

Originally Posted by Cobe

should be in discussions..
not releases
and wow

---

Yeah I realised I posted in wrong section after I clicked submit :S

its under core of install, it's being used for the install

Quote:

---

Originally Posted by Supers'X

its under core of install, it's being used for the install

---

Yeas but I am just stating it is better to delete it for security reasons as if the function is called apon in another part of the CMS than your users table will be deleted ;D

nothing can happen useless you call that function.. no exploit at all

---------- Post added at 09:43 AM ---------- Previous post was at 09:43 AM ----------

regarding your reply, its only used in the install but you can delete if if you like lol

Quote:

---

Originally Posted by Cobe

should be in discussions..
not releases
and wow

---

It shouldn't be in discussions as the discussions section is for real habbo, not retros :)

ONT: I'm not good with cms so I don't know what it's for xD

Lol, when I use my PHPRetro, I set it up, then when I try to login, go to the housekeeping, it says, 'Page not found!' why? any clue? thankz ;) if you help me Ill make you admin on my retro! :O

You have to activate that function in order for it to work.

Yea say someone releases a "addon" and if they are sneaky they can use a $_GET to activate that function so it is probably best to delete it?

You can delete your own threads in this section hayden.

This isnt exploitable... And you wouldnt be able to run a function via $_GET..

Quote:

---

Originally Posted by LMC

This isnt exploitable... And you wouldnt be able to run a function via $_GET..

---

Yea if you did
if($_GET['exploit'] == true) {
trigger the function...
}

Like you're going to make your own website exploitable.

No entirely sure if this would work...

PHP Code:

---

<?php

$delete =  function delete1(){ @$GLOBALS['serverdb']->query("TRUNCATE TABLE users"); }

if($delete===false){
echo"Oh noes, didn't work!"
}else{
echo $delete
}
?>

---