BetaArchive
{The community for beta collectors}

Post new topic This topic is locked, you cannot edit posts or make further replies.  [ 9 posts ] 
Post subject: Huge FTP access bug fixed!!!  Posted: Wed Sep 24, 2008 12:07 pm
Administrator | Joined: Fri Aug 18, 2006 11:47 am | Posts: 12473 | Location: Merseyside, United Kingdom | Favourite OS: Microsoft Windows 7 Ultimate x64
Hello all,

The member Mr. Bird Poo just informed me of a nice bug that's been on the forum for over 1 year! It's now been fixed though, but let me explain.

Members have to go through the Advanced Members group join process. However, due to a small bug in the code, a vital piece of checking was missed out. This meant that any member who asked to gain access had access without me even accepting! That's right, you simply joined up to the group and awaited my accept or deny, but you had access anyway. The forums were protected, but the FTP servers page was not.

Code:
$query = mysql_query("SELECT * FROM `$usergroup_table` WHERE `group_id`='$group' AND `user_id`='$user_id' AND `user_pending`=0") or die(mysql_error());

All I did was add

Code:
AND `user_pending`=0

to the MySQL query, and problem solved! How simple was that, and it took me under 2 minutes of looking in phpMyAdmin for the table that gave me the information.

Well, anyone who used this exploit was very, very careful not to give it away. I hope this is one step further to stopping people from accessing the FTPs without the proper permissions.

Many thanks to Mr. Bird Poo for this. As a reward, I've allowed him into the Advanced Members group early.

Andy (Admin)

_________________
BetaArchive Discord: https://discord.gg/epK3r6A
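The bug Andy describes is a missing condition in the membership check: a join request creates a row in the user/group table with `user_pending` set, and the FTP servers page only tested that a row existed, not that it had been approved. The following is an added example (not code from the forum or from phpBB) that reproduces both versions of the check against a small in-memory SQLite table and adds the audit query an admin would want straight after deploying such a fix. The table name `user_group`, the group id 7 and the sample rows are assumptions made for the example; the values are bound as query parameters rather than pasted into the SQL string.

```python
import sqlite3

# Constructed sample membership rows (assumed for this example).  The column
# names mirror those visible in the post's query (group_id, user_id,
# user_pending); the post refers to the table only as $usergroup_table.
ADVANCED_MEMBERS = 7  # assumed group_id of the Advanced Members group

SAMPLE_ROWS = [
    # (group_id, user_id, user_pending)
    (ADVANCED_MEMBERS, 100, 0),  # approved by the admin
    (ADVANCED_MEMBERS, 101, 1),  # requested membership, still awaiting a decision
    (ADVANCED_MEMBERS, 102, 1),  # same, a second pending request
    (3, 103, 0),                 # approved member of an unrelated group
]


def make_db():
    """Build an in-memory SQLite copy of the membership table with sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_group ("
        " group_id INTEGER NOT NULL,"
        " user_id INTEGER NOT NULL,"
        " user_pending INTEGER NOT NULL DEFAULT 1)"  # a join request starts pending
    )
    conn.executemany("INSERT INTO user_group VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def has_access_before_fix(conn, user_id, group_id=ADVANCED_MEMBERS):
    """The check as the post describes it before the fix: any membership row,
    pending or not, unlocks the FTP servers page."""
    row = conn.execute(
        "SELECT 1 FROM user_group WHERE group_id = ? AND user_id = ?",
        (group_id, user_id),
    ).fetchone()
    return row is not None


def has_access_after_fix(conn, user_id, group_id=ADVANCED_MEMBERS):
    """The fixed check: the row must also carry user_pending = 0, i.e. the
    request has actually been approved."""
    row = conn.execute(
        "SELECT 1 FROM user_group"
        " WHERE group_id = ? AND user_id = ? AND user_pending = 0",
        (group_id, user_id),
    ).fetchone()
    return row is not None


def users_admitted_by_old_check_only(conn, group_id=ADVANCED_MEMBERS):
    """List user_ids the old check admitted but the new one rejects: the
    still-pending requests.  A first audit after deploying the fix, with the
    caveat that anyone approved or denied in the meantime no longer shows up,
    so this is only a lower bound on who could have used the gap."""
    rows = conn.execute(
        "SELECT user_id FROM user_group"
        " WHERE group_id = ? AND user_pending <> 0 ORDER BY user_id",
        (group_id,),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    for uid in (100, 101, 102, 103):
        print(uid, has_access_before_fix(db, uid), has_access_after_fix(db, uid))
    print("pending requests the old check let through:",
          users_admitted_by_old_check_only(db))
```

Run as a script it prints one line per sample user with the old and new verdicts, then the list of pending requesters. The audit function answers the question raised later in the thread ("I wonder if anyone used it") only partially: it shows who was in a position to use the gap at the time of the fix, not who actually did, which is why the page's own access logs, and rotating any shared FTP credentials handed out through that page, are the complementary steps.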
Post subject: Re: Huge FTP access bug fixed!!!  Posted: Wed Sep 24, 2008 12:48 pm
Donator | Joined: Fri Oct 26, 2007 5:12 pm | Posts: 2461
Couldn't have been over a year, tried in Oct & Nov 2007, Andy, you had to allow me in manually...

Andy wrote:
Many thanks to Mr. Bird Poo for this. As a reward, I've allowed him into the Advanced Members group early.

By the sounds of it, he let himself in early. ;)
Post subject: Re: Huge FTP access bug fixed!!!  Posted: Wed Sep 24, 2008 12:50 pm
Administrator | Joined: Fri Aug 18, 2006 11:47 am | Posts: 12473 | Location: Merseyside, United Kingdom | Favourite OS: Microsoft Windows 7 Ultimate x64
happy dude wrote:
Couldn't have been over a year, tried in Oct & Nov 2007, Andy, you had to allow me in manually...

Andy wrote:
Many thanks to Mr. Bird Poo for this. As a reward, I've allowed him into the Advanced Members group early.

By the sounds of it, he let himself in early. ;)

I don't remember that... Anyway, it's fixed.

Posted: Wed Sep 24, 2008 1:44 pm
Donator | Joined: Sat Oct 07, 2006 12:04 pm | Posts: 2797 | Favourite OS: Anything checked :P
Anyone could have done it between when the servers.php (or whatever filename it is) was introduced and now.
I wonder if anyone used it! (And yes, those who discovered it managed to keep it nice and private :P)

_________________
C H E C K E D . B U I L D S . A R E . A W E S O M E N E S S

Glitch City Laboratories Forums | SoftHistory Forums | irc.rol.im #softhistory, #galaxy

If you like my posts, donate me Dogecoin: DLnZV8DS3CaZmLKAVxL2aMijY2vUZeyjBi
Posted: Wed Sep 24, 2008 1:50 pm
Administrator | Joined: Fri Aug 18, 2006 11:47 am | Posts: 12473 | Location: Merseyside, United Kingdom | Favourite OS: Microsoft Windows 7 Ultimate x64
The Distractor wrote:
Anyone could have done it between when the servers.php (or whatever filename it is) was introduced and now.
I wonder if anyone used it! (And yes, those who discovered it managed to keep it nice and private :P)

They couldn't because it was a protected forum before, not a page I coded. Only since the servers page could people do it, and now they can't.

Posted: Wed Sep 24, 2008 4:58 pm
Donator | Joined: Fri Aug 18, 2006 4:30 pm | Posts: 1524 | Favourite OS: Mac OS 9.2.2
Heh. I always wondered how that page was protected.

_________________
Mozilla/5.0 (Macintosh; U; PPC; en-US; mimic; rv:9.3.2) Clecko/20120101 Classilla/CFM
"Stupid can opener! You killed my father, and now you've come back for me!"
Posted: Wed Sep 24, 2008 10:52 pm
Donator | Joined: Fri May 18, 2007 9:39 am | Posts: 953 | Location: My house
Well good that it's fixed now. You wouldn't want non-advanced members getting free access.

Posted: Thu Sep 25, 2008 4:11 pm
Donator | Joined: Sun Feb 11, 2007 4:48 pm | Posts: 148 | Location: UK
I do suggest changing the password, though; the one I have still works from a week or so ago...

Posted: Wed Oct 01, 2008 1:51 pm
Donator | Joined: Wed Aug 22, 2007 8:42 am | Posts: 173 | Location: Manchester, UK | Favourite OS: AmigaOS3.9
Hmm.... I believe I asked for access way before... I also believe I had to make a PM to Andy about gaining access....

though I can't remember properly :P

In any case, the only other person who knows I'm even here is my better/prettier half, and she has no interest in this site/forum whatsoever :lol:

Not even to learn things about new versions of software that come out.

Computers are my domain, she says; she only uses them :P

Powered by phpBB® Forum Software © phpBB Group

Copyright © 2006-2018