xcoderx Posted July 17, 2009 Share Posted July 17, 2009 Ok first the prøöf its my site www.discussonline.in/rap/index.html and now my script www.discussonline.in/rap/index.php problem some people are being able to give themself the owner previlage and destroy things from site with owner tools, they manage to get into my id when im online but somehow grabs my session, i need help finding the holes and guidance to block the damn hacking. Link to comment Share on other sites More sharing options...
xcoderx Posted July 17, 2009 Author Share Posted July 17, 2009 One request please do not hijack or delete anything from my server other than this script :-) n thanks. Link to comment Share on other sites More sharing options...
xcoderx Posted July 24, 2009 Author Share Posted July 24, 2009 Wow not one single person helped or replied to my topic. Link to comment Share on other sites More sharing options...
darkfreaks Posted July 24, 2009 Share Posted July 24, 2009 seems pretty solid to me Link to comment Share on other sites More sharing options...
xcoderx Posted July 24, 2009 Author Share Posted July 24, 2009 Lol bro its not. Its very much liquid Link to comment Share on other sites More sharing options...
lynxus Posted July 25, 2009 Share Posted July 25, 2009 Seems ok here also. Are you sure your not using just a weak password? make sure your forms do a lot of error checking. Cant really comment much more without seeing the code. Seems ok to me though. Link to comment Share on other sites More sharing options...
darkfreaks Posted July 25, 2009 Share Posted July 25, 2009 checked his backend he needs to make sure he puts htmlspecialchars when he echoes stuff out example: <?php echo htmlspecialchars($sid); ?> also some of the echoes need to go its redundant to use echo echo for 800 lines. also i noticed the lack of sanitization used such as trim(),mysql_real_escape_string() Link to comment Share on other sites More sharing options...
xcoderx Posted July 26, 2009 Author Share Posted July 26, 2009 No am not using any weak password and yes i have not used real escape strings either so yes that must be a weak point too. Link to comment Share on other sites More sharing options...
waynewex Posted July 30, 2009 Share Posted July 30, 2009 xcoderx, PM me if you want me to take a look at your code. I've also noticed that one minute I'm logged in and the next I'm logged out? Are you using session_start() on everypage? Link to comment Share on other sites More sharing options...
darkfreaks Posted July 31, 2009 Share Posted July 31, 2009 weird i never get logged out. i really hope he patched his CSRF issue where users were allowed to upload visual basic and javascript files. and also picture linking to non piture files. Link to comment Share on other sites More sharing options...
xcoderx Posted July 31, 2009 Author Share Posted July 31, 2009 hiya wayne yup bro am using sessiön at every page and also i set time for session to expire from my owner panel. But as dark freaks said it was al related with the image uploading n yup also real escape strings were lacking, the hackers got thru my session throut profile avatar link that i gave, thy put an external link to an reèral link, so everytime i visit a profile of a hacker they get my session and ruin it al pmpl, am working on it now and tryin to fix em al, i shiftd my script to another dir fa the time being. Link to comment Share on other sites More sharing options...
Recommended Posts