NamePros.Com - View Single Post - Image Hosting Script

Haha

But anyway I must point a secure hole in this old script,And I don't recommend you use it to build a serious image hosting site.Because it has lots of bugs not fixed.

I don't want you to wonder I am trying to stop others to download script and use it,so I post the secure hole here:
After installation,you can use

Code:

' or 1 or pass='

as username to login in admin apnel,althrough your username is not the one!

Solution:
Modify the login.php,line 13:

Code:

$db->setQuery("select * from setting where admin='$input[user]' and pass='$input[pass]'");

Change to:

Code:

$db->setQuery("select * from setting where admin='".mysql_escape_string($input[user])."' and pass='".mysql_escape_string($input[pass])."'");

If you want to use it,I recomend you apply the changes first!

05-07-2006, 10:10 PM	· #16
yabsoft NamePros Member Trader Rating: (0) Join Date: Sep 2004 Posts: 29 NP$: 10.00 (Donate)	Haha But anyway I must point a secure hole in this old script,And I don't recommend you use it to build a serious image hosting site.Because it has lots of bugs not fixed. I don't want you to wonder I am trying to stop others to download script and use it,so I post the secure hole here: After installation,you can use Code: ' or 1 or pass=' as username to login in admin apnel,althrough your username is not the one! Solution: Modify the login.php,line 13: Code: $db->setQuery("select * from setting where admin='$input[user]' and pass='$input[pass]'"); Change to: Code: $db->setQuery("select * from setting where admin='".mysql_escape_string($input[user])."' and pass='".mysql_escape_string($input[pass])."'"); If you want to use it,I recomend you apply the changes first! Please register or log-in into NamePros to hide ads