Amigaworld.net News: (exploit) LastPosts now restored
posted by Anonymous on 13-Feb-2004 10:02:31 (2756 reads)
This has now been patched on the main site and Kent has also been advised of what is needed. That is at least for the exploits we have managed to find. Hopefully, if there's more, we will get test cases shared to find it.

Thanks also to Orgin.


Due to security concerns over the "lastposts" moduleset raised by Kent over amiga.org we had temporarily suspended them.

We, with a hint from Kent about the kind of problems he was seeing on Xoops.org, figured out what the defect was: Xoops developers need to SAFE or ESCAPE the results of the query used by the lastposts modules to avoid scripts being run on the client box when the page is generated and viewed.

See source in comment 1.

Anonymous 
Re: LastPosts temporarily unavailable
Posted on 13-Feb-2004 10:52:49



This is the code XOOPS site owners need to add; it will become obvious where.

// $myts is the XOOPS MyTextSanitizer instance; makeTboxData4Show() HTML-escapes
// the title read from the database so markup inside it is displayed, not executed.
$topic_title = $myts->makeTboxData4Show($arr["topic_title"]);

// Output the escaped title instead of the raw query result.
echo "  ".$topic_title."";

There may be more vulnerabilities but this is the obvious one.

The module will be restored soon.

Dave.

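Added example, not code from the page or from XOOPS: a minimal PHP reconstruction of the lastposts defect the article describes and of the escape-on-output fix posted in comment 1. A constructed row array stands in for the database query, `render_unsafe` reproduces the unescaped output, and `render_safe` applies PHP's built-in `htmlspecialchars`, which is the same effect the `makeTboxData4Show` call has; the function names, the sample rows and the `topic.php?id=` link path are assumptions.

```php
<?php
// Constructed sample: what lastposts query rows could look like once a
// topic title containing markup has been stored in the forum database.
$rows = [
    ['topic_id' => 42, 'topic_title' => 'Workbench 3.1 tips'],
    ['topic_id' => 43, 'topic_title' => "<script>alert('xss')</script>"],
];

// Vulnerable pattern: the title goes straight from the query result into
// the generated HTML, so any markup inside it is handed to the browser.
function render_unsafe(array $rows): string
{
    $html = '';
    foreach ($rows as $arr) {
        $html .= '<a href="topic.php?id=' . (int)$arr['topic_id'] . '">'
               . $arr['topic_title'] . "</a>\n";
    }
    return $html;
}

// Fixed pattern: escape each untrusted field at the point of output.
// htmlspecialchars() turns < > & " ' into entities, so the browser shows
// the text of the title instead of interpreting it as HTML or script.
function escape_for_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function render_safe(array $rows): string
{
    $html = '';
    foreach ($rows as $arr) {
        $html .= '<a href="topic.php?id=' . (int)$arr['topic_id'] . '">'
               . escape_for_html($arr['topic_title']) . "</a>\n";
    }
    return $html;
}

// Regression check a site owner can keep in a test script (it is a test,
// not a sanitizer): escaped output must never carry a raw <script tag.
function output_is_clean(string $html): bool
{
    return stripos($html, '<script') === false;
}

echo render_unsafe($rows);
echo render_safe($rows);
var_dump(output_is_clean(render_unsafe($rows)));
var_dump(output_is_clean(render_safe($rows)));
```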
Mikey_C 
Re: LastPosts temporarily unavailable
Posted on 13-Feb-2004 11:55:49
#2
Elite Member
Joined: 7-Mar-2003
Posts: 3060
From: Unknown

Nicely Done Lads,

I am proud to be on the same team!

Now, any chance of fixing the no. of hits cheat? Seems to have stopped working!



Mikey C


_________________
No cause is lost if there is but one fool left to fight for it.

L8-X 
Re: LastPosts temporarily unavailable
Posted on 13-Feb-2004 12:03:00
#3
Elite Member
Joined: 24-Dec-2002
Posts: 2630
From: Glasgow, UK

@Mikey_C

No it was disabled after we were rumbled by someone.


_________________

Anonymous 
Re: LastPosts temporarily unavailable
Posted on 13-Feb-2004 12:05:28



Guys, some people have no sense of humour; you might get taken seriously, you know.

Mikey_C 
Re: LastPosts temporarily unavailable
Posted on 13-Feb-2004 12:08:14
#5
Elite Member
Joined: 7-Mar-2003
Posts: 3060
From: Unknown

moi?

never


_________________
No cause is lost if there is but one fool left to fight for it.

Darth_X 
Re: LastPosts temporarily unavailable
Posted on 13-Feb-2004 15:11:16
#6
Elite Member
Joined: 1-Jun-2003
Posts: 2997
From: Vancouver Island, Canada

Great Job guys!


_________________
Men who have girlies in their avatars are Girliemen!

Anonymous 
Re: LastPosts temporarily unavailable
Posted on 13-Feb-2004 16:03:14



So far this fix is looking pretty solid; I haven't been able to hack into the DB yet with it installed. I'm going to work on updating the code to current and make it a bit more configurable if I can. Thanks for the help on this.

Bodie_CI5 
Re: LastPosts temporarily unavailable
Posted on 13-Feb-2004 22:58:39
#8
Elite Member
Joined: 29-Jul-2003
Posts: 6739
From: Unknown

WTF are you ruddy geezers on and/or on about?!


_________________

The_Editor 
Re: LastPosts temporarily unavailable
Posted on 13-Feb-2004 23:24:11
#9
Elite Member
Joined: 7-Mar-2003
Posts: 7629
From: 192.168.0.02 ..Pederburgh .. Iceni

It's technical!!


_________________
******************************************
I dont suffer from Insanity - I enjoy it

******************************************

Bodie_CI5 
Re: LastPosts temporarily unavailable
Posted on 13-Feb-2004 23:49:02
#10
Elite Member
Joined: 29-Jul-2003
Posts: 6739
From: Unknown

@ Eddy

O I C



_________________

Copyright (C) 2000 - 2019 Amigaworld.net.
Amigaworld.net was originally founded by David Doyle