
xCMS


Oceanic



Changes:
0.2- Rewrote most code, added plugins, fixed Highscore bug, new layout
0.16 - Md5 support (Idea: Simonel)
0.15 - Improved ajax (Geisor.pl)
0.14 - Improved security (Talaturen)
0.13 - Ajax search
0.122 - Fixed character bug
0.12 - Char check when posting comments
0.11 - Fixed bugs, escaped all forms. Improved security
0.1 - First release


Skins:

Info:
  • Post news
  • Character search
  • Recover system
  • Highscore
  • Change Password
  • Character image
  • Character comment
  • BBcode system


Credits:
  • Geisor.pl
  • Talaturen
  • Master-m
  • Koitsalu


Coming:
  • Improved admin-panel
  • Guild functions



Looking for someone who wants to make the page layout.
PM me
 

This is vulnerable to SQL injections as well.
 
account.php
Code:
<?
////////////////////////////////////
//	New Character
////////////////////////////////////

if(!empty($_POST["account_charname"]) && !empty($_POST["voc"]) && $_SESSION["logged_in"] == 1){
	
	if(preg_match("/^[A-Z][a-z]{1,20}([ '-][A-Za-z][a-z]{1,15}){0,3}$/", $_POST["account_charname"])){
		
		$account_number = $_SESSION["account_number"];
		$name = $_POST["account_charname"];
		$sex = $_POST["sex"];
		$voc = $_POST["voc"];
		
		$player_check = mysql_query("SELECT * FROM players WHERE name='$name'") or die(mysql_error());
	
			if (mysql_num_rows($player_check) == 0){
		
			//Players
	
			mysql_query("INSERT INTO players(name, account_id, level, vocation, health, healthmax, experience, lookbody, lookfeet, lookhead, looklegs, lookaddons, maglevel, mana, manamax, town_id, posx, posy, posz, conditions, cap, soul, sex) values('$name', '$account_number', '$startlevel', '$voc', '" .$start_hp. "', '" .$start_hp. "', '$start_exp', '121', '141', '59', '116', '0', '$start_magiclevel', '$start_mana', '$start_mana', '1', '$posx', '$posy', '$posz', '0', '$start_cap', '100', '$sex')") or die(mysql_error());

$voc and $sex can be POSTed as anything; they're neither typecast to int nor escaped.

EDIT: There's a lot more, just posting one more as I don't have time to go through all your code...

comments.php:
Code:
if(!empty($_POST["Comments_Text"]) && !empty($_POST["Comments_Character"]) && $_SESSION["logged_in"] == 1){
	$text = $_POST["Comments_Text"];
	$char = $_POST["Comments_Character"];
	$id = $_GET["id"];
	mysql_query("INSERT INTO `xcms_news_comments` (`id`,`text`,`to_id`,`by`) VALUES (NULL,'$text','$id','$char')") or die(mysql_error());
}
 
Comments are still not fixed, and you can still set voc and sex to like 30.
 
You can still spoof the comments character, there's no check to see if the character is on the poster's account.
 
You can still spoof the comments character, there's no check to see if the character is on the poster's account.

I can fix that in 2 seconds tomorrow, don't think so many people use Firebug to change it. Worst that can happen is a wrong posted comment
 
You don't really need Firebug to do it, but w/e another bug in register.php:
Code:
$_POST["Register_number"] >= 100000 || $_POST["Register_number"] >= 99999999){
 
POSTs in admin.php don't seem to be escaped either, you probably think it's unnecessary because admins wouldn't hack their own server or you just missed it, but what if they want to post something that contains '? It'll give them some MySQL error :p.
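As an added example (not xCMS code, and not written by anyone in this thread), here is how the issues raised above could be handled in PHP: vocation and sex cast to int and checked against a whitelist, the comment character verified to belong to the logged-in account, the register-number range check corrected, and every query (the admin.php case included) run through PDO prepared statements so a ' in the input is just data. It runs against an in-memory SQLite database built in the script so it can be tried without a game server. The table and column names come from the snippets quoted above; the vocation and sex id lists, the intended account-number range (100000 to 99999999) and the function names are assumptions.

```php
<?php
// Added example, not xCMS code. Hardened versions of the checks discussed
// in this thread, using PDO prepared statements. Assumed values below are
// marked as such; table and column names follow the quoted snippets.

const VOCATIONS = [1, 2, 3, 4];   // assumed set of valid vocation ids
const SEXES     = [0, 1];         // assumed set of valid sex ids

// Build a throwaway SQLite database (constructed here; xCMS uses MySQL).
function db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE players (id INTEGER PRIMARY KEY, name TEXT UNIQUE,
                account_id INTEGER, vocation INTEGER, sex INTEGER)');
    $pdo->exec('CREATE TABLE `xcms_news_comments` (`id` INTEGER PRIMARY KEY,
                `text` TEXT, `to_id` INTEGER, `by` TEXT)');
    return $pdo;
}

// register.php: the quoted condition accepts every number >= 100000.
// This version accepts only 6 to 8 digit numbers inside the assumed range.
function validAccountNumber($input): bool {
    if (!preg_match('/^\d{6,8}$/', (string)$input)) {
        return false;
    }
    $n = (int)$input;
    return $n >= 100000 && $n <= 99999999;
}

// account.php: name matched with the original regex, voc and sex cast to
// int and whitelisted, and the INSERT done with bound parameters.
function createCharacter(PDO $pdo, int $accountId, array $post): bool {
    $name = $post['account_charname'] ?? '';
    $voc  = (int)($post['voc'] ?? -1);
    $sex  = (int)($post['sex'] ?? -1);
    if (!preg_match("/^[A-Z][a-z]{1,20}([ '-][A-Za-z][a-z]{1,15}){0,3}$/", $name)) {
        return false;
    }
    if (!in_array($voc, VOCATIONS, true) || !in_array($sex, SEXES, true)) {
        return false;                       // e.g. voc=30 is rejected here
    }
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM players WHERE name = ?');
    $stmt->execute([$name]);
    if ((int)$stmt->fetchColumn() > 0) {
        return false;                       // name already taken
    }
    $stmt = $pdo->prepare('INSERT INTO players (name, account_id, vocation, sex)
                           VALUES (?, ?, ?, ?)');
    $stmt->execute([$name, $accountId, $voc, $sex]);
    return true;
}

// comments.php: the character named in the form must belong to the
// logged-in account; the comment text goes in as a bound parameter.
function postComment(PDO $pdo, int $accountId, int $newsId, array $post): bool {
    $text = $post['Comments_Text'] ?? '';
    $char = $post['Comments_Character'] ?? '';
    if ($text === '' || $char === '') {
        return false;
    }
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM players WHERE name = ? AND account_id = ?');
    $stmt->execute([$char, $accountId]);
    if ((int)$stmt->fetchColumn() === 0) {
        return false;                       // character is not on this account
    }
    $stmt = $pdo->prepare('INSERT INTO `xcms_news_comments` (`text`, `to_id`, `by`)
                           VALUES (?, ?, ?)');
    $stmt->execute([$text, $newsId, $char]);
    return true;
}

// Demonstration with constructed input: account 7 owns "Alice", account 8 does not.
$pdo = db();
var_dump(validAccountNumber('123456'));
var_dump(validAccountNumber('999999999'));
var_dump(createCharacter($pdo, 7, ['account_charname' => 'Alice', 'voc' => '2', 'sex' => '1']));
var_dump(createCharacter($pdo, 7, ['account_charname' => 'Bob', 'voc' => '30', 'sex' => '1']));
var_dump(postComment($pdo, 7, 1, ['Comments_Text' => "It's fine", 'Comments_Character' => 'Alice']));
var_dump(postComment($pdo, 8, 1, ['Comments_Text' => 'spoof', 'Comments_Character' => 'Alice']));
```

The ownership lookup is the part a client-side tool cannot get around: whatever name the form carries, the INSERT only runs when the players row for that name has the session's account_id. The same prepared-statement pattern replaces the string-interpolated queries in admin.php, which removes both the injection and the MySQL error on a stray quote.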
 
POSTs in admin.php don't seem to be escaped either, you probably think it's unnecessary because admins wouldn't hack their own server or you just missed it, but what if they want to post something that contains '? It'll give them some MySQL error :p.

If someone has admin access they don't need to hack the server :p
But sure I can escape it
 
lol oceanic talaturen owns you

You rather think of any possible hacking issues to make a good AAC and not something that could be hacked by injections
 
lol oceanic talaturen owns you

You rather think of any possible hacking issues to make a good AAC and not something that could be hacked by injections

Most of it is hacking safe, all forms are escaped, all echoes are htmlspecialchars(). Now I shall check all form posts
 