Version: , by radicaledward
Developer Last Online: Dec 2007
Version: Unknown
Rating:
Released: 03-12-2005
Last Update: Never
Installs: 0
No support by the author.
Recently a member on my forums found a way to change the usertitles of all members of the site (about 10k) using an SQL injection exploit that they found in the "Change Other User's Custom Title" section of the shop; however, it is likely that it may be in other parts as well.
The basic way that they did it was a workaround of the addslashes() that the script uses in the query. However, based on my reading (and testing), replacing addslashes() with mysql_real_escape_string() should do the trick for preventing it.
I'll definitely look into it. I'm sure it could happen in 0.95, but it shouldn't in 0.95b.
I could see how it could happen if they manipulate the "userid" in the form, but that is it. Can I get more info on this?
As far as I know the server is running 0.95b, I'm re-uploading the files just to be on the safe side. However, here is the text from one of the messages I got in regards to the issue:
Quote:
Originally Posted by User message
Right, as you might have guessed, usertitles of every single ACF member were changed to "LFF's +++++" twice and "Edman's +++++" to end it all up. No harm done, I was just having fun, and a bunch of people were having fun too. Now obviously, I did not spend 3 million gil and the tedious job of changing 10,000+ user titles.
There is an error in the store scripts. And it's bad. I'm not sure how much damage can be done to the forums using this, but I did not bother trying to find out. Basically put, the store's confirm page does not check if the value is an INT type before passing it on to the SQL query.
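The quoted report (an integer userid spliced into the UPDATE without a type check) and the addslashes() discussion in the opening post, as an added Python model that is not the shop mod's code: the user table, its columns and the tiny addslashes() helper are assumptions for illustration. Escaping only neutralises quote characters, so it cannot protect a value that lands in the SQL unquoted; the integer has to be validated as an integer and, ideally, bound as a parameter.

```python
import re
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the forum's user table (names assumed).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (userid INTEGER PRIMARY KEY, usertitle TEXT)")
    db.executemany("INSERT INTO user VALUES (?, ?)",
                   [(1, "Admin"), (2, "Member"), (3, "Member")])
    return db

def addslashes(s: str) -> str:
    """Model of PHP's addslashes(): backslash-escapes ' " \\ and NUL only."""
    return re.sub(r"(['\"\\\x00])", r"\\\1", s)

def titles(db: sqlite3.Connection) -> dict:
    return dict(db.execute("SELECT userid, usertitle FROM user ORDER BY userid"))

def update_title_vulnerable(db, userid: str, title: str) -> int:
    # The reported pattern: escape, then splice. userid is an integer column,
    # so it is spliced unquoted and a payload with no quote characters is
    # passed through by addslashes() untouched. Returns rows modified.
    sql = ("UPDATE user SET usertitle = '%s' WHERE userid = %s"
           % (addslashes(title), addslashes(userid)))
    return db.execute(sql).rowcount

def parse_userid(raw: str) -> int:
    # The missing INT check: accept only a plain positive decimal integer.
    if not re.fullmatch(r"[1-9][0-9]*", raw.strip()):
        raise ValueError("userid must be a positive integer")
    return int(raw)

def update_title_safe(db, userid: str, title: str) -> int:
    # Type check plus bound parameters: neither value can be read as SQL,
    # and a title containing an apostrophe is stored verbatim.
    uid = parse_userid(userid)
    return db.execute("UPDATE user SET usertitle = ? WHERE userid = ?",
                      (title, uid)).rowcount

def demo() -> tuple:
    # Same non-integer userid against both versions: the vulnerable one
    # touches every row, the hardened one refuses the request outright.
    hit = update_title_vulnerable(make_db(), "2 OR 1=1", "pwned")
    db = make_db()
    try:
        update_title_safe(db, "2 OR 1=1", "pwned")
        rejected = False
    except ValueError:
        rejected = True
    return hit, rejected, titles(db)
```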
Alright. I guess that means 0.95c is coming out tonight.