Forum Replies Created

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter hellfire88

    (@hellfire88)

    Yup, that was another component, but still, run some security checks on your code. None of your GET inputs are filtered and checked against CSRF/XSS; this is like opening your users' sites to everybody. When running 'RIPS' over your folder you will see how dangerous your code is. This is simply irresponsible, what you're doing to your users, but apparently you don't seem to care at all, just picking up money for your trash.

    Thread Starter hellfire88

    (@hellfire88)

    This is the worst:
    // every template setting is read straight from $_POST; trim() is the only processing applied
    $download_template_header = trim($_POST['download_template_header']);
    $download_template_footer = trim($_POST['download_template_footer']);
    $download_template_pagingheader = trim($_POST['download_template_pagingheader']);
    $download_template_pagingfooter = trim($_POST['download_template_pagingfooter']);
    $download_template_none = trim($_POST['download_template_none']);
    $download_template_category_header = trim($_POST['download_template_category_header']);
    $download_template_category_footer = trim($_POST['download_template_category_footer']);
    $download_template_listing[] = trim($_POST['download_template_listing']);
    $download_template_listing[] = trim($_POST['download_template_listing_2']);
    $download_template_embedded[] = trim($_POST['download_template_embedded']);
    $download_template_embedded[] = trim($_POST['download_template_embedded_2']);
    $download_template_download_page_link = trim($_POST['download_template_download_page_link']);
    $download_template_most[] = trim($_POST['download_template_most']);
    $download_template_most[] = trim($_POST['download_template_most_2']);
    $update_download_queries = array();

    This is against all good practices, filling templates with unfiltered POST variables. Seriously, if you have any loyalty toward your users, you must take this component down and warn your users about possible CSRF and XSS attacks. In the meantime, verify https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet against your code. It's like opening your users' sites to all sorts of attacks… jeez.
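The two defects raised in the posts above (request parameters used without any CSRF check, and values stored and rendered with no escaping) are shown side by side below. This is an added example written for this page; it is not the plugin's code and not code posted by hellfire88. It assumes a hypothetical settings handler in plain PHP that receives the same `$_POST` keys as the snippet, and it treats the template fields as plain text. Fields that legitimately need HTML would instead go through an HTML allowlist filter (in WordPress, `wp_kses_post()`), and a WordPress save handler would use `check_admin_referer()` and `current_user_can('manage_options')` where this example uses its own token and capability arguments.

```php
<?php
// Added example, not the plugin's code. Hypothetical settings handler that
// receives the same $_POST keys as the snippet quoted in the post above.

declare(strict_types=1);

/** Keys the handler is willing to read; anything else in $_POST is ignored. */
const TEMPLATE_KEYS = [
    'download_template_header',
    'download_template_footer',
    'download_template_listing',
    'download_template_listing_2',
];

/**
 * The pattern from the post: trim() is the only processing. Anything stored
 * this way and later echoed into a page unescaped becomes stored XSS.
 */
function read_templates_unsafe(array $post): array
{
    $out = [];
    foreach (TEMPLATE_KEYS as $key) {
        $out[$key] = trim((string) ($post[$key] ?? ''));
    }
    return $out;
}

/** Constant-time comparison so the check does not leak the token byte by byte. */
function verify_csrf_token(string $submitted, string $expected): bool
{
    return $submitted !== '' && hash_equals($expected, $submitted);
}

/**
 * Hardened save handler:
 *  - the caller must be allowed to change settings (WordPress: current_user_can('manage_options'));
 *  - the form must carry a token bound to the session, so a cross-site form
 *    post cannot change settings (WordPress: check_admin_referer());
 *  - unknown keys are ignored, non-string values are rejected, length is bounded.
 * Escaping is deliberately NOT done here: it belongs at the point of output,
 * where the context (HTML body, attribute, URL) is known.
 */
function read_templates_safe(array $post, string $session_token, bool $can_manage): array
{
    if (!$can_manage) {
        throw new RuntimeException('insufficient privileges');
    }
    if (!verify_csrf_token((string) ($post['_token'] ?? ''), $session_token)) {
        throw new RuntimeException('CSRF token missing or invalid');
    }
    $out = [];
    foreach (TEMPLATE_KEYS as $key) {
        $value = $post[$key] ?? '';
        if (!is_string($value)) {          // arrays are rejected, not silently coerced
            throw new InvalidArgumentException("$key must be a string");
        }
        if (strlen($value) > 4096) {
            throw new InvalidArgumentException("$key exceeds 4096 bytes");
        }
        $out[$key] = trim($value);
    }
    return $out;
}

/** Escape for an HTML body context; ENT_QUOTES also makes it safe inside quoted attributes. */
function render_template_field(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request: a header value that carries a script tag.
$token = bin2hex(random_bytes(16));
$request = [
    '_token' => $token,
    'download_template_header' => '<h1>Downloads</h1><script>alert(1)</script>',
    'download_template_footer' => 'footer text',
];

$unsafe = read_templates_unsafe($request);
echo $unsafe['download_template_header'], "\n";              // script tag passes through verbatim

$safe = read_templates_safe($request, $token, true);
echo render_template_field($safe['download_template_header']), "\n";  // &lt;h1&gt;Downloads&lt;/h1&gt;&lt;script&gt;alert(1)&lt;/script&gt;

// Same request with a forged token (what a cross-site form post would look like): rejected before anything is stored.
try {
    read_templates_safe(['_token' => 'forged'] + $request, $token, true);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Run it with `php example.php`. The first line of output shows the raw script tag surviving the `trim()`-only path; the second shows the same value rendered harmlessly once escaping happens at output time; the third shows the forged-token request being refused, which is the check a CSRF scanner is looking for when it flags a POST handler.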

    Thread Starter hellfire88

    (@hellfire88)

    Simply take one of the scanners from here: http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html and scan your source folder. There are so many buffer overflow and wrong escaping issues that you will be busy for quite a while fixing them all; and again, please read at least some PHP security books and go through your code line by line.
