I need a more secure dj panel

Printable View

19-04-2008, 11:31 AM
greggy23

I need a more secure dj panel

Yeh, i use quickscriptz
But i need a more secure one.
Please help
19-04-2008, 11:47 AM
Protege

How secure can you be?
19-04-2008, 11:50 AM
Moh

I quite like Kristall-Panel RC2. I have edited it alot though, so its more secure.
19-04-2008, 11:50 AM
greggy23

the quickscriptz has been hacked 3 times
lol
19-04-2008, 11:52 AM
Moh

Quote:

Originally Posted by greggy23

the quickscriptz has been hacked 3 times
lol

I dont think its the panel, it will be your staff with passwords such as changeme.

We have made it so our passwords cant be changeme. And when a Radio Manager adds an account, there password is randomly generated. Best way to make it secure :D
19-04-2008, 11:53 AM
Protege

Oh god, how does it get hacked though? LOL, I just checked "check.php" it sets a SESSION for a password? No wonder its insecure, I think the whole thing needs re-thinking but no offense to the creator.

Quote:

Originally Posted by Jack120

I dont think its the panel, it will be your staff with passwords such as changeme.

We have made it so our passwords cant be changeme. And when a Radio Manager adds an account, there password is randomly generated. Best way to make it secure :D

I just checked one source of it, and I think its insecure.

PHP Code:

$query = mysql_query("SELECT username,djname,passwrd,rank,email FROM rp_users WHERE username = '$username'") or die(mysql_error()); $row = mysql_fetch_array($query); $_SESSION["rp_logged"] = TRUE; $_SESSION["rp_username"] = $row['username']; $_SESSION["rp_passwrd"] = $row['passwrd']; $_SESSION["rp_djname"] = $row['djname']; $_SESSION["rp_email"] = $row['email']; $_SESSION["rp_rank"] = $row['rank'];
19-04-2008, 12:06 PM
=Collecting=

Quote:

Originally Posted by DriftPanzy

Oh god, how does it get hacked though? LOL, I just checked "check.php" it sets a SESSION for a password? No wonder its insecure, I think the whole thing needs re-thinking but no offense to the creator.

I just checked one source of it, and I think its insecure.

PHP Code:

$query = mysql_query("SELECT username,djname,passwrd,rank,email FROM rp_users WHERE username = '$username'") or die(mysql_error()); $row = mysql_fetch_array($query); $_SESSION["rp_logged"] = TRUE; $_SESSION["rp_username"] = $row['username']; $_SESSION["rp_passwrd"] = $row['passwrd']; $_SESSION["rp_djname"] = $row['djname']; $_SESSION["rp_email"] = $row['email']; $_SESSION["rp_rank"] = $row['rank'];

So the panel can be hacked via that file?
19-04-2008, 12:07 PM
Protege

Ever heard of session stealing? They publish the users password via a SESSION its like putting it on a file on your server and calling it index.html looooooool
19-04-2008, 12:09 PM
=Collecting=

Quote:

Originally Posted by DriftPanzy

Ever heard of session stealing? They publish the users password via a SESSION its like putting it on a file on your server and calling it index.html looooooool

Yeh but im just not sure exactly how it all works i mean i us cutenews but the person who hacked that didnt change anything he jus left a message saying delete search.php. I take it change.php with the dj panel works in the same way?
19-04-2008, 12:19 PM
Protege

I dont understand, maybe hes using a PHP exploit?
19-04-2008, 12:23 PM
=Collecting=

Wellanyways ned to either make this DJ panel safe or get a safer one? Ay reccomends?
19-04-2008, 12:28 PM
Protege

Lots of people out there to make bigger and better panels.
19-04-2008, 01:30 PM
timROGERS

Quote:

Originally Posted by DriftPanzy

Ever heard of session stealing? They publish the users password via a SESSION its like putting it on a file on your server and calling it index.html looooooool

Drift, I think you're wrong about sessions being that easy to steal. The only reason that you could steal sessions from the Habbo site was that it had a vulnerability due to an XSS (Cross Site Scripting) issue. In general, you can't steal sessions, unless there is a browser exploit or some bad coding somewhere.

I recall that the problem with the Habbo website was that some input was loaded through a URL (GET) parameter and it wasn't filtered so things could be done. If you're interested in find out more, I suggets you read http://en.wikipedia.org/wiki/Session_hijacking and http://en.wikipedia.org/wiki/Cross-site_scripting.
19-04-2008, 01:36 PM
Dentafrice

Quote:

Originally Posted by DriftPanzy

Oh god, how does it get hacked though? LOL, I just checked "check.php" it sets a SESSION for a password? No wonder its insecure, I think the whole thing needs re-thinking but no offense to the creator.

I just checked one source of it, and I think its insecure.

PHP Code:

$query = mysql_query("SELECT username,djname,passwrd,rank,email FROM rp_users WHERE username = '$username'") or die(mysql_error()); $row = mysql_fetch_array($query); $_SESSION["rp_logged"] = TRUE; $_SESSION["rp_username"] = $row['username']; $_SESSION["rp_passwrd"] = $row['passwrd']; $_SESSION["rp_djname"] = $row['djname']; $_SESSION["rp_email"] = $row['email']; $_SESSION["rp_rank"] = $row['rank'];

Quote:

Originally Posted by DriftPanzy

Ever heard of session stealing? They publish the users password via a SESSION its like putting it on a file on your server and calling it index.html looooooool

Sessions are on the remote server, and can't be edited, there is nothing wrong with that piece of code.

As long as the password is a hash, and not plaintext, setting it for a session is alright, not the best practice in the world, but no harm done.

With Habbo, they were getting the user's session ID, setting it as their own, then it would recognize you.. as them..
19-04-2008, 01:48 PM
Protege

One little exploit in his coding could get the server to set false sessions, seeing as his sessions are used against the database Id say thats extremely vulnerable.

PHP Code:

if($_SESSION['rp_logged'] == "TRUE") { $username = $_SESSION['rp_username']; $passwrd = $_SESSION['rp_passwrd']; $rank = $_SESSION['rp_rank']; $check = mysql_query("SELECT username, passwrd FROM rp_users WHERE username = '$username'")or die(mysql_error());
19-04-2008, 01:51 PM
Dentafrice

I don't see any exploits in that..
19-04-2008, 01:54 PM
Protege

if($_SESSION['rp_logged'] == "TRUE") {
>> $username = $_SESSION['rp_username']; <<
$passwrd = $_SESSION['rp_passwrd'];
$rank = $_SESSION['rp_rank'];
$check = mysql_query("SELECT username, passwrd FROM rp_users WHERE username = ' >>> $username <<<'")or die(mysql_error());

I do I'm sorry if you don't I've had this problem in the past.
19-04-2008, 02:08 PM
Dentafrice

LOL, there is nothing wrong with that at all? Your just selecting something out of a database. I would rather use the ID instead of a username.
19-04-2008, 02:32 PM
Protege

Quote:

Originally Posted by Dentafrice

LOL, there is nothing wrong with that at all? Your just selecting something out of a database. I would rather use the ID instead of a username.

Yea but its going past one validation before it writes the new sessions?

I think that this system is easily exploitable by the right individual.
19-04-2008, 07:53 PM
greggy23

Mod can close this,
I got new panel :D !
19-04-2008, 08:00 PM
Moh

Quote:

Originally Posted by greggy23

Mod can close this,
I got new panel :D !

What panel you using?
20-04-2008, 12:17 AM
QuickScriptz

Quote:

Originally Posted by DriftPanzy

Ever heard of session stealing? They publish the users password via a SESSION its like putting it on a file on your server and calling it index.html looooooool

Well I was about to start a big long rant about this until I saw these two posts below - just take a look at them, and yes the session that is being set contains the hashed password (I'm not stupid).

Quote:

Originally Posted by NintendoNews

Drift, I think you're wrong about sessions being that easy to steal. The only reason that you could steal sessions from the Habbo site was that it had a vulnerability due to an XSS (Cross Site Scripting) issue. In general, you can't steal sessions, unless there is a browser exploit or some bad coding somewhere.

I recall that the problem with the Habbo website was that some input was loaded through a URL (GET) parameter and it wasn't filtered so things could be done. If you're interested in find out more, I suggets you read http://en.wikipedia.org/wiki/Session_hijacking and http://en.wikipedia.org/wiki/Cross-site_scripting.

Quote:

Originally Posted by Dentafrice

Sessions are on the remote server, and can't be edited, there is nothing wrong with that piece of code.

As long as the password is a hash, and not plaintext, setting it for a session is alright, not the best practice in the world, but no harm done.

With Habbo, they were getting the user's session ID, setting it as their own, then it would recognize you.. as them..

Okay, now get ready for the [poop] to hit the fan....

Quote:

Originally Posted by DriftPanzy

if($_SESSION['rp_logged'] == "TRUE") {
>> $username = $_SESSION['rp_username']; <<
$passwrd = $_SESSION['rp_passwrd'];
$rank = $_SESSION['rp_rank'];
$check = mysql_query("SELECT username, passwrd FROM rp_users WHERE username = ' >>> $username <<<'")or die(mysql_error());

I do I'm sorry if you don't I've had this problem in the past.

In order for this to be a flaw, the user would have to create a session called "rp_username" that contained the malicious code. Problem here is that sessions are all server side therefore the user has no real control over them.

So, on a closing note, if you have the latest security updates to the panel then there is absolutely nothing [that I know of or that anyone has told me of] that would make the panel vulnerable to be hacked three different times.
20-04-2008, 03:30 PM
greggy23

Quote:

Originally Posted by Jack120

What panel you using?

Using Kristall :)