Cutenews - Don't use it
Well I have noticed there's a lot of people questioning about cutenews. I advise you NOT to use it, as there is now a script where you enter the username you wish to display the password (md5 hash). So if any staff members have a dictionary word as their password, they're likely to get hacked.
Don't believe me?
Give me a link to your cutenews directory, and set up an account with a password as a dictionary word (Or in the reverse md5 hash database).
H0BJ0B
15-01-2008, 05:40 PM
Sounds interesting. MD5 thingy rings a bell from MySQL databases and phpAdmin. Anyways, ye.
Because cutenews is a text based database, you can easily extract information on the users as easily as you can display news from the news.txt
dannyisnotamazing
15-01-2008, 05:43 PM
Or just change your password to a better one
It's the staff though :'(
Scania
15-01-2008, 06:18 PM
Who cares lol? It can easily be hidden in a directory unknown.
The attack uses $_COOKIE
What if your pw was antiestablishmentarianism? :8
Then the result would be 6547cd22b0e4de8a2d64dc6341cfd73c
Invent
15-01-2008, 06:44 PM
But you wouldn't be able to get the password. That's what elliot means.
Most of the news team are there just to post news, and may use dictionary words.
Invent
15-01-2008, 06:54 PM
Well it doesn't really matter. It takes 2minutes to get the password and then you can forge the Cutenews session and mess up their site.
Whose site?
The person who's trying to get into the cutenews, or the target's?
Invent
15-01-2008, 06:57 PM
The person that's trying to get into the Cutenews.
I've just tried the technique now and I'm in ClubHabbo's Cutenews panel :P
I've logged out now though as I'm nice :')
Good Evening SkaterChu
System SelfCheck
Can write to news.txt Yes
Can write to postponed_news.txt Yes
Can write to unapproved news Yes
Can write to comments.txt Yes
Can write to users.db.php Yes
Can write to archives dir Yes
Some stats
Active News (http://clubhabbo.net/news/index.php?mod=editnews&action=list) 115
Postponed News (http://clubhabbo.net/news/index.php?mod=editnews&action=list&source=postponed) 0
Unapproved News (http://clubhabbo.net/news/index.php?mod=editnews&action=list&source=unapproved) 0
Active Comments 1098
Archives (http://clubhabbo.net/news/index.php?mod=tools&action=archive) 0
Users (http://clubhabbo.net/news/index.php?mod=editusers&action=list) 1
aha
You are now logged out, login (http://clubhabbo.net/news/index.php):')
Decode
15-01-2008, 07:00 PM
What if your pw was antiestablishmentarianism? :8
Well then he wouldn't even need to hack it because you just posted the password.
AgnesIO
15-01-2008, 08:09 PM
If you have sense you would make your password something like:
0fe9654f
To prevent people from using this script, remove search.php :p
There may be another way though :(
What is the point in this..
If people want to use cutenews, let them.
Reason:
http://habbcrazy.net/Demo/getusers.php
Will display all the users, so you know the usernames.
There should be 3 users listed. Use another code to get the md5 hash.
-------
Username: Test
Hash: http://habbcrazy.net/Demo/test1.php
-------
Username: Test2
Hash: :http://habbcrazy.net/Demo/test2.php
-------
Username: Test3
Hash: http://habbcrazy.net/Demo/test3.php
-------
You can then use those md5 hashes and reverse them:
http://gdataonline.com/seekhash.php
If you reverse the md5, you should now be able to login with one of those user names here:
http://habbcrazy.net/Demo
Edit: May not work if someone changes passwords.
Yeah worked, but still if people want to use cutenews just let them..
But there's a risk of hacking.
I'm not saying they can't use cutenews, I'm advising people not to.
Official fansites can lose their official status if someone posts porn or something.
Invent
15-01-2008, 09:26 PM
Most official fansites are likely to use the publicly available fix (patch) though aren't they :rolleyes::P
Link me pls :)
Invent
15-01-2008, 09:31 PM
http://cutephp.com/forum/index.php?showtopic=25900
That fixes most of the exploits.
Ah, we just removed search.php anyways xD No need for it.
http://cutephp.com/forum/index.php?showtopic=25900
Favourtism
15-01-2008, 09:51 PM
Good find.
I am uninstalling it now ;o
Invent
15-01-2008, 10:02 PM
Don't uninstall it, just remove search.php.
Favourtism
15-01-2008, 10:08 PM
Why?
What can they get from search.php
I still don't get how they can do it but at least that means some others won't, therefore fansites are a bit safer
Invent
15-01-2008, 10:09 PM
The exploit is through search.php so just remove it to stop the exploit from being used on your site.
Why not just contact cutenews so they can fix it rather than post it on here..
Now everyone will uninstall it just so this doesn't happen to them, but honestly how many people actually know that there is an exploit before you posted it on here?
DeejayMachoo$
16-01-2008, 12:48 AM
cutenews don't develop it anymore..
I don't understand why they did it in text based databases in the start :l
Pyroka
16-01-2008, 11:52 AM
Easier for beginners methinks, plus it's more flexible. I'll do a bit of googling tonight to see if I can find something efficient for Habbo fansites to use. I'm sure I could dig something out, mind it could cost you but when you download free software, you can't expect the greatest results. :]
Hmm, I wonder if anyone could change cutenews to mysql databases :p
Mentor
16-01-2008, 03:17 PM
Not everyone has mysql, and not everyone who does knows how to use it and set up DBs. There are 100s of news systems that use mysql out there, cutenews' popularity only came about because of its txt based design.
Andys
16-01-2008, 03:20 PM
Or you could just make all of your staff members a generated one and make it so only admins can change passwords? (if you can do that)
Removing search.php helps.
Just with the text based database, if any other script is using ids, cutenews won't display full stories.
AgnesIO
16-01-2008, 06:23 PM
You are telling people how to hack it.
***, if you know something like that you don't tell everyone.
php.net
16-01-2008, 06:29 PM
He is not telling people directly how to hack it, he is telling people some actions that are carried out so you can patch it up.
If I was telling people how to hack it, I would have given links out.
I'm just telling people that it is hackable, and they should be aware of this.
AgnesIO
16-01-2008, 07:47 PM
ok...
I got the impression, by people saying:
'Tried it, and it worked.'
When did I say that?
Edit: Also don't revenge -rep. It shall just get removed.
AgnesIO
16-01-2008, 08:18 PM
I'll just get mine removed as well then, since mine was pointless.
chrisgocrazyH
17-01-2008, 02:17 AM
lol my site got hacked by habbo goodies, don't trust 'em LOL~!!! http://www.habbolegends.com/news
Powered by vBulletin® Version 4.2.5 Copyright © 2025 vBulletin Solutions Inc. All rights reserved.