The member Mr. Bird Poo, just informed me of a nice bug thats been on the forum for over 1 year! Its now been fixed though, but let me explain.
Members have to go through the Advanced Members group join process. However due to a small bug in the code, a vital piece of checking was missed out. This meant that any member who asked to gain access, had access without me even accepting! Thats right, you simply joined up to the group and awaited my accept or deny but you had access anyway. The forums were protected, but the FTP servers page was not.
$query = mysql_query("SELECT * FROM `$usergroup_table` WHERE `group_id`='$group' AND `user_id`='$user_id' AND `user_pending`=0") or die(mysql_error());
All I did was add
to the MySQL query, and problem solved! How simple was that, and it took me under 2 minutes of looking in phpMyAdmin for the table that gave me the information.
Well, anyone who used this exploit was very very careful not to give it away. I hope this is one step further to stopping people from accessing the FTP's without the proper permissions.
Many thanks to Mr. Bird Poo for this. As a reward, I've allowed him into the Advanced Members group early.
Anyone could have done it between when the servers.php (or whatever filename it is) was introduced and now.
I wonder if anyone used it! (And yes, those who discovered it managed to keep it nice and private )
_________________ Thought #nttalk was the only beta-related chatroom? You thought wrong! Join #abandonet on RoL today - the honest alternative!
Anyone could have done it between when the servers.php (or whatever filename it is) was introduced and now. I wonder if anyone used it! (And yes, those who discovered it managed to keep it nice and private )
They couldn't because it was a protected forum before, not a page I coded. Only since the servers page could people do it, and now they can't.