View Poll Results: NEW tracker source: Project U-232
I will give it a try 440 77.33%
No, i`m using another source 72 12.65%
XAM is my hero, i`m sticking to Template Shares 57 10.02%
Voters: 569. You may not vote on this poll

Closed Thread
  #361  
Old 19th August 2015, 19:51
BamBam0077 BamBam0077 is offline
Banned
 
Join Date: Jul 2013
P2P
Posts: 410
Default
Forgive me for my input. Thought people would appreciate.

I am dealing with multiple things atm, thought U-232 people should know that, but whatever, right.

Sorry!
  #362  
Old 22nd August 2015, 18:35
Bigjoos's Avatar
Bigjoos Bigjoos is offline
U-232 Dev
 
Join Date: May 2008
United Kingdom
Posts: 244
Default
The wrapper name is completely irrelevant as it's only a PHP wrapper. I could name it $CUNT - $FUCKER - $$I_CONTAIN_UNSANITIZED_CODE - makes not a jot of difference, however the code I deploy within my wrapper does. firefly already mentioned: if I don't sanitize output from db to screen or if I don't protect SQL queries then I'm in trouble. This shit is child's play, been advising people of its importance and how to do it for years on TBdev =]

Below is great, I could inject for fun and pawn any db using it


PHP Code:
// Unescaped values interpolated straight into the query text
sql_query("UPDATE users SET seedbonus = seedbonus-{$INSTALLER09['bonus_per_delete']} WHERE id = {$q['owner']}") or sqlerr(__FILE__, __LINE__);
Sqlesc applied on the query stops any injection, period.

PHP Code:
// Both values passed through sqlesc() before concatenation
sql_query("UPDATE users SET seedbonus = seedbonus-" . sqlesc($INSTALLER09['bonus_per_delete']) . " WHERE id = " . sqlesc($q["owner"])) or sqlerr(__FILE__, __LINE__);
No htmlspecialchars on output means I can deploy an XSS attack with ease and you won't have a clue it's been deployed and I'll have you redirected to some other server.

So sanitize any output before printing to screen

PHP Code:
$HTMLOUT.= "<tr>
    <td align='right'><font color='red'>&nbsp;*&nbsp;</font><b>&nbsp;
{$lang['edit_comment']}</b></td>
    <td>
    <select name='allow_comments'>
    <option value='" . $row["allow_comments"] . "'>" . $row["allow_comments"] . "</option>
    <option value='yes'>Yes</option><option value='no'>No</option></select>
{$messc}</td></tr>\n";
At a minimum

PHP Code:
$HTMLOUT.= "<tr>
    <td align='right'><font color='red'>&nbsp;*&nbsp;</font><b>&nbsp;
{$lang['edit_comment']}</b></td>
    <td>
    <select name='allow_comments'>
    <option value='" . htmlsafechars($row["allow_comments"]) . "'>" . htmlsafechars($row["allow_comments"]) . "</option>
    <option value='yes'>Yes</option><option value='no'>No</option></select>
{$messc}</td></tr>\n";
I'm not naive, security is taken seriously on U-232 and I ain't no mug that does not understand its usage nor its importance. Sure, I'll have missed an odd one out of thousands but in general U-232 is tight. And that's not foolproof, experienced operators will gain access if they try hard enough, there's plenty out there trying on a daily basis =]

Last edited by Bigjoos; 22nd August 2015 at 18:46.
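
The two fixes from the post above, as an added example that is not part of the thread or of U-232's code: it swaps the thread's sqlesc() escaping for PDO bound parameters and uses htmlspecialchars() with ENT_QUOTES for the single-quoted attribute. It assumes PHP 7+ with pdo_sqlite; the in-memory table, the sample values and the helper names (charge_bonus, h, comment_option) are constructed for illustration.

```php
<?php
// Added example, not U-232 code. Assumes PHP 7+ with pdo_sqlite; the table,
// values and helper names (charge_bonus, h, comment_option) are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, seedbonus INTEGER)');
$db->exec('INSERT INTO users (id, seedbonus) VALUES (7, 100), (8, 100)');

// SQL sink: validate the id, then send both values as bound parameters so
// they are never parsed as part of the statement text.
function charge_bonus(PDO $db, $owner, $cost): int
{
    $id = filter_var($owner, FILTER_VALIDATE_INT);
    if ($id === false) {
        return 0; // not an integer id: refuse before touching the database
    }
    $st = $db->prepare(
        'UPDATE users SET seedbonus = seedbonus - :cost WHERE id = :id'
    );
    $st->bindValue(':cost', (int) $cost, PDO::PARAM_INT);
    $st->bindValue(':id', $id, PDO::PARAM_INT);
    $st->execute();
    return $st->rowCount(); // rows affected by the UPDATE
}

// HTML sink: the markup in the post puts the value inside a single-quoted
// attribute, so single quotes must be encoded too (ENT_QUOTES).
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function comment_option($stored): string
{
    return "<option value='" . h($stored) . "'>" . h($stored) . "</option>";
}

// Constructed inputs: a clean id, a non-integer id, and a stored value that
// contains a quote and markup characters.
foreach (['7', '7 OR 1=1'] as $owner) {
    printf("owner=%s rows=%d\n", $owner, charge_bonus($db, $owner, 10));
}
echo comment_option("it's <b>on</b>"), "\n";
```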
  #363  
Old 22nd August 2015, 19:56
BamBam0077 BamBam0077 is offline
Banned
 
Join Date: Jul 2013
P2P
Posts: 410
Default
Hint bro, variables should never be used for echo print unless defined, but that still is risky. If I am wrong I'll bow down and look back through my library of life and tell you I was wrong. 98.7% I am correct though. I know you take security serious, I just was passing over some info I learnt when I was 15 years old, security and an idea.

I used this when I was 13 yrs old but only wanted it to host so I could give out free html / css scripts. http://phorum.org learnt something unique about it once I found again on my birthday, it is hackproof and bulletproof, been round since 98, I believe the year after md5 was hacked.

If anyone truly cared about security would sha5() with double_check() not sha1, sha2, sha3, sha4 lol

Last edited by BamBam0077; 22nd August 2015 at 21:00.
  #364  
Old 13th May 2016, 14:32
Virginia25 Virginia25 is offline
Member
 
Join Date: May 2016
France
Posts: 5
Default error misconfiguration
Hello, I have an error with Project U-232 V4.

I have installed https://github.com/Bigjoos/U-232-V4 on Debian 7 wheezy
and therefore I cannot get the installer.

The error is:
internal server error
The server encountered an internal error or misconfiguration and was unable to complete your request.

excuse me for my English but I'm French.

Why ?
  #365  
Old 13th May 2016, 16:19
DND DND is offline
VIP
 
Join Date: Dec 2008
Posts: 1,242
Default
Your server is not properly configured.
Make sure you have module expires and module rewrite activated in apache2/nginx.
__________________
Need HELP!? I can install:

  1. Server/VPS (Debian,CentOS,Ubuntu,Fedora, FreeBSD) Optimization and ... + Modules
  2. Webserver Windows/Linux (Apache/Lighttpd/Nginx/Mysql/PhpMyAdmin/SSL) Optimization and ... + Modules
  3. Seedbox Windows/Linux (uTorrent,rTorrent,libTorrent,ruTorrent) + Modules
  4. Multiple source code engines
  5. Linux Server Administration (security, cryptography/encryption, proxy, load balancer, custom ddos firewall)
  #366  
Old 13th May 2016, 18:42
Virginia25 Virginia25 is offline
Member
 
Join Date: May 2016
France
Posts: 5
Default
Or I can know if these files are enabled or not ?

virtualhost ?
  #367  
Old 13th May 2016, 18:50
DND DND is offline
VIP
 
Join Date: Dec 2008
Posts: 1,242
Default
Don't install trackers on shared hosting. Chances are it won't work and you don't have administrator access to install what is required.
  #368  
Old 13th May 2016, 18:58
Virginia25 Virginia25 is offline
Member
 
Join Date: May 2016
France
Posts: 5
Default
I'm an administrator and log in as root and I have the install commands etc.
I have installed the first version of U232 with no problems, but I'm looking for how to install V4?

Last edited by Virginia25; 13th May 2016 at 19:42.
  #369  
Old 13th May 2016, 19:42
DND DND is offline
VIP
 
Join Date: Dec 2008
Posts: 1,242
Default
Then use phpinfo in a file to see the information on your modules,
or use a2enmod rewrite and a2enmod expires,
then restart apache and voila.
  #370  
Old 13th May 2016, 19:52
Virginia25 Virginia25 is offline
Member
 
Join Date: May 2016
France
Posts: 5
Default
Thank you very much DND, it's OK for rewrite and expires and I have access to the installer, thanks.

Last edited by Virginia25; 13th May 2016 at 20:07.