View topic - Huge FTP access bug fixed!!! - Windows, Apple, Application, Abandonware and Game Beta Downloads/Repository

Andy

Hello all,

The member Mr. Bird Poo, just informed me of a nice bug thats been on the forum for over 1 year! Its now been fixed though, but let me explain.

Members have to go through the Advanced Members group join process. However due to a small bug in the code, a vital piece of checking was missed out. This meant that any member who asked to gain access, had access without me even accepting! Thats right, you simply joined up to the group and awaited my accept or deny but you had access anyway. The forums were protected, but the FTP servers page was not.

Code:

$query = mysql_query("SELECT * FROM `$usergroup_table` WHERE `group_id`='$group' AND  `user_id`='$user_id' AND `user_pending`=0") or die(mysql_error());

All I did was add

Code:

AND `user_pending`=0"

to the MySQL query, and problem solved! How simple was that, and it took me under 2 minutes of looking in phpMyAdmin for the table that gave me the information.

Well, anyone who used this exploit was very very careful not to give it away. I hope this is one step further to stopping people from accessing the FTP's without the proper permissions.

Many thanks to Mr. Bird Poo for this. As a reward, I've allowed him into the Advanced Members group early.

Andy (Admin)

happy dude

Couldn't have been over a year, tried in Oct & Nov 2007, Andy, you had to allow me in manually...

Andy wrote:

Many thanks to Mr. Bird Poo for this. As a reward, I've allowed him into the Advanced Members group early.

By the sounds of it, he let himself in early.

Andy

happy dude wrote:

Couldn't have been over a year, tried in Oct & Nov 2007, Andy, you had to allow me in manually...

Andy wrote:

Many thanks to Mr. Bird Poo for this. As a reward, I've allowed him into the Advanced Members group early.

By the sounds of it, he let himself in early.

I don't remember that... Anyway its fixed.

The Distractor · **Post subject:** **Posted:** Wed Sep 24, 2008 1:44 pm

Anyone could have done it between when the servers.php (or whatever filename it is) was introduced and now.
I wonder if anyone used it! (And yes, those who discovered it managed to keep it nice and private

)

Andy · **Post subject:** **Posted:** Wed Sep 24, 2008 1:50 pm

The Distractor wrote:

Anyone could have done it between when the servers.php (or whatever filename it is) was introduced and now.
I wonder if anyone used it! (And yes, those who discovered it managed to keep it nice and private

)

They couldn't because it was a protected forum before, not a page I coded. Only since the servers page could people do it, and now they can't.

Bender · **Post subject:** **Posted:** Wed Sep 24, 2008 4:58 pm

Heh. I always wondered how that page was protected.

mdogg · **Post subject:** **Posted:** Wed Sep 24, 2008 10:52 pm

Well good that it's fixed now. You wouldn't want non-advanced members getting free access.

therock247uk · **Post subject:** **Posted:** Thu Sep 25, 2008 4:11 pm

I do suggest changing the password though the one I have still works from a week or so ago...

Doctor Mindvipe · **Post subject:** **Posted:** Wed Oct 01, 2008 1:51 pm

Hmm.... I believe I asked for access way before... I also believe I had to makea PM to Andy about gaining access....

though I can't remember properly

in any case, only other person who knows I'm even here, is my better/prettier half, and she has no interest in this site/forum whatsoever :lol

Not even to learn things about new versions of software that comes out

Computers are my doamin, she says, she only uses them

Huge FTP access bug fixed!!!

Who is online