#24
14th August 2008, 01:32
djlee
Senior Member
Join Date: Mar 2008
Posts: 183
OK, I'm bored of bad sources lol .. it's simple:

1. Change all htmlstrip functions to htmlspecialchars (or don't bother with them altogether, as you're only writing to a log).

2. If you can't be arsed changing them, use the htmlstrip function posted earlier by a user whose name I forgot.

3. THIS IS NOT A SECURITY PRECAUTION... what it really is, if anything, is a security problem. By outputting the error you're giving the script kiddie simple and easy-to-find information on the HTTP web serving path of the server. From that the script kiddie can then hazard a guess at your OS AND the path to everything within your server. Most of you probably use the default HTTP serving path set up by the HTTP web server... this is usually determined either by the cPanel used to manage the sites on the server or, in some cases, by the operating system on the server (and its file system layout)... So by giving the undefined function error you're simply giving the hacker more info to use against you.

4. Another thing is that this isn't any more of a security precaution than removing the write_log function completely.. the whole idea of the write_log that's there is to notify you of privilege escalation.. if the undefined function kills the PHP execution, this means the write_log is never performed AND you don't get any info apart from knowing your site is dead due to a hacker.. no user ID, no username.. no IP at hand, so you'd better search the SQL for that info because it won't be in any log.

The coder has tried to provide secure code but has unfortunately failed to do so. I'm not trying to be mean or nasty, but if everyone were releasing unstable code there'd be a lot of unhappy people around spamming communities like ours.

I felt this needed to be posted in this manner to let you all know how insecure this code is.. covering up a mess-up with a "security precaution" idea is not good enough and it will cause major problems in the long run.

I would suggest to tobbie to fix this error and re-check all his code.. there is a great XSS and SQL precaution thread on the tbdev forums that will help you find some of the more common errors, and many code fixes are posted in the mods section. If you can fix up the source and repost a better version I'm sure your source will receive a lot better reputation, and I wish you all the best :)

Good luck, and please make sure you rectify this main problem before people forget about your source and your hard work and time goes to waste.
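The pattern points 1 and 4 describe, as an added example that is not code from the post or from the source being reviewed: a write_log() that escapes with htmlspecialchars(), a fallback so a missing htmlstrip() cannot raise a fatal error before the escalation attempt is recorded, and error display turned off so the path leak in point 3 never reaches the browser. The table name `sitelog`, the `$db` mysqli connection and the sample values are assumptions.

```php
<?php
// Added example (not from the original post or the TBDev source it discusses).

// Hypothetical fallback: define htmlstrip() only if the code base lacks it, so
// existing call sites keep working instead of dying with "undefined function".
if (!function_exists('htmlstrip')) {
    function htmlstrip($s) {
        return htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8');
    }
}

// Keep PHP errors out of the page: a visible fatal error prints the script's
// filesystem path, which is the information leak described in point 3.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Record who attempted the privileged action: user ID, username and IP, as the
// post says a dead script never gets to do. $db is assumed to be an open mysqli
// connection and the sitelog table layout is assumed.
function write_log(mysqli $db, $userid, $username, $ip, $text) {
    $stmt = $db->prepare(
        "INSERT INTO sitelog (added, userid, username, ip, txt) VALUES (NOW(), ?, ?, ?, ?)"
    );
    if ($stmt === false) {
        return false;
    }
    $uid   = (int)$userid;           // never trust the type of the caller's value
    $uname = htmlstrip($username);   // neutralise markup before it lands in the log
    $msg   = htmlstrip($text);
    $stmt->bind_param('isss', $uid, $uname, $ip, $msg);
    $ok = $stmt->execute();          // prepared statement: no SQL injection via the username
    $stmt->close();
    return $ok;
}

// Constructed usage at the point where an unauthorised page access is detected.
// In TBDev these values would come from $CURUSER and $_SERVER.
$userid   = 42;
$username = '<script>alert(1)</script>';   // constructed hostile username
$ip       = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
if (isset($db)) {
    write_log($db, $userid, $username, $ip, 'attempted to access a staff-only page');
}
```

With htmlstrip() guaranteed to exist and error display off, the log entry is written before the request is rejected, so the user ID, username and IP are in the log rather than only recoverable from the database afterwards.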