Amigaworld.net News : (exploit) LastPosts now restored
   posted by Anonymous on 13-Feb-2004 10:02:31 (1747 reads)
This has now been patched on the main site and Kent has also been advised of what is needed. That is at least for the exploits we have managed to find. Hopefully, if there's more, we will get test cases shared to find it.

Thanks also to Orgin.


Due to security concerns over the "lastposts" moduleset raised by Kent over amiga.org we had temporarily suspended them.

We, with a hint from Kent about the kind of problems he was seeing on Xoops.org, figured out what the defect was, and Xoops developers need to SAFE or ESCAPE the results of the query used by lastposts modules to avoid scripts being run on the client box when the page is generated and viewed.

See source in comment 1.
    

Anonymous 
Re: LastPosts temporarily unavailable
Posted on 13-Feb-2004 10:52:49
# ]



This is the code XOOPS site owners need to add; it will become obvious where.

$topic_title = $myts->makeTboxData4Show($arr["topic_title"]);

echo "  <a href='".XOOPS_URL."/modules/newbb/viewtopic.php?topic_id=" . $arr["topic_id"] . "&forum=" . $arr["forum_id"] . "'>".$topic_title."</a>";

There may be more vulnerabilities but this is the obvious one.

The module will be restored soon.

Dave.

 
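The fix described in the comment above, as an added example that is not part of the original post or of XOOPS itself: the unescaped link next to an escaped one. PHP's built-in htmlspecialchars() stands in for the sanitizer call, and the function names, sample row and base URL are constructed for illustration.

```php
<?php
// Added example, not XOOPS or Amigaworld.net code. htmlspecialchars() stands in
// for the sanitizer call shown in the post; the row and base URL are constructed.

// Before: the title goes from the database straight into the page.
function renderLastPostUnsafe(array $row, string $baseUrl): string
{
    return "<a href='" . $baseUrl . "/modules/newbb/viewtopic.php?topic_id="
        . $row["topic_id"] . "&forum=" . $row["forum_id"] . "'>"
        . $row["topic_title"] . "</a>";
}

// After: escape the title for HTML text and force the ids to integers.
function renderLastPostSafe(array $row, string $baseUrl): string
{
    $title = htmlspecialchars($row["topic_title"], ENT_QUOTES, "UTF-8");
    $url = $baseUrl . "/modules/newbb/viewtopic.php?topic_id="
        . (int) $row["topic_id"] . "&forum=" . (int) $row["forum_id"];
    // The URL sits inside a single-quoted attribute, so escape it as well.
    return "<a href='" . htmlspecialchars($url, ENT_QUOTES, "UTF-8") . "'>"
        . $title . "</a>";
}

// Constructed sample row: a topic title that contains markup.
$row = [
    "topic_id" => "42",
    "forum_id" => "7",
    "topic_title" => "Hello <script>alert(1)</script>",
];
$base = "https://forum.example";

// The first line carries a live script element; the second shows it as text.
echo renderLastPostUnsafe($row, $base), "\n";
echo renderLastPostSafe($row, $base), "\n";
```

Every other place that prints a user-supplied column (poster name, forum name) needs the same treatment at output time.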
Mikey_C 
Re: LastPosts temporarily unavailable
Posted on 13-Feb-2004 11:55:49
#2 ]
Elite Member
Joined: 7-Mar-2003
Posts: 3053
From: Unknown

Nicely Done Lads,

I am proud to be on the same team!

Now, any chance of fixing the no. of hits cheat? seems to have stopped working!



Mikey C

L8-X 
Re: LastPosts temporarily unavailable
Posted on 13-Feb-2004 12:03:00
#3 ]
Elite Member
Joined: 24-Dec-2002
Posts: 2630
From: Glasgow, UK

@Mikey_C

No it was disabled after we were rumbled by someone.

Anonymous 
Re: LastPosts temporarily unavailable
Posted on 13-Feb-2004 12:05:28
# ]



Guys some people have no sense of humour, you might get taken seriously you know.

 
Mikey_C 
Re: LastPosts temporarily unavailable
Posted on 13-Feb-2004 12:08:14
#5 ]
Elite Member
Joined: 7-Mar-2003
Posts: 3053
From: Unknown

moi?

never

Darth_X 
Re: LastPosts temporarily unavailable
Posted on 13-Feb-2004 15:11:16
#6 ]
Elite Member
Joined: 1-Jun-2003
Posts: 2987
From: Vancouver Island, Canada

Great Job guys!

Anonymous 
Re: LastPosts temporarily unavailable
Posted on 13-Feb-2004 16:03:14
# ]



So far this fix is looking pretty solid, I haven't been able to hack into the DB yet with it installed. I'm going to work on updating the code to current and make it a bit more configurable if I can. Thanks for the help on this.

 
Bodie_CI5 
Re: LastPosts temporarily unavailable
Posted on 13-Feb-2004 22:58:39
#8 ]
Elite Member
Joined: 29-Jul-2003
Posts: 6739
From: Unknown

WTF are you ruddy geezers on and/or on about?!

The_Editor 
Re: LastPosts temporarily unavailable
Posted on 13-Feb-2004 23:24:11
#9 ]
Elite Member
Joined: 7-Mar-2003
Posts: 7625
From: 192.168.0.02 ..Pederburgh .. Iceni

It's technical!!

Bodie_CI5 
Re: LastPosts temporarily unavailable
Posted on 13-Feb-2004 23:49:02
#10 ]
Elite Member
Joined: 29-Jul-2003
Posts: 6739
From: Unknown

@ Eddy

O I C

