I need a more secure dj panel

=Collecting= · 19-04-2008, 12:23 PM

Wellanyways ned to either make this DJ panel safe or get a safer one? Ay reccomends?

Protege · 19-04-2008, 12:28 PM

Lots of people out there to make bigger and better panels.

timROGERS · 19-04-2008, 01:30 PM

Originally Posted by DriftPanzy

Ever heard of session stealing? They publish the users password via a SESSION its like putting it on a file on your server and calling it index.html looooooool

Drift, I think you're wrong about sessions being that easy to steal. The only reason that you could steal sessions from the Habbo site was that it had a vulnerability due to an XSS (Cross Site Scripting) issue. In general, you can't steal sessions, unless there is a browser exploit or some bad coding somewhere.

I recall that the problem with the Habbo website was that some input was loaded through a URL (GET) parameter and it wasn't filtered so things could be done. If you're interested in find out more, I suggets you read http://en.wikipedia.org/wiki/Session_hijacking and http://en.wikipedia.org/wiki/Cross-site_scripting.

Dentafrice · 19-04-2008, 01:36 PM

Originally Posted by DriftPanzy

Oh god, how does it get hacked though? LOL, I just checked "check.php" it sets a SESSION for a password? No wonder its insecure, I think the whole thing needs re-thinking but no offense to the creator.

I just checked one source of it, and I think its insecure.

PHP Code:


$query = mysql_query("SELECT username,djname,passwrd,rank,email FROM rp_users WHERE username = '$username'") or die(mysql_error());
$row = mysql_fetch_array($query);
$_SESSION["rp_logged"] = TRUE;
$_SESSION["rp_username"] = $row['username'];
$_SESSION["rp_passwrd"] = $row['passwrd'];
$_SESSION["rp_djname"] = $row['djname'];
$_SESSION["rp_email"] = $row['email'];
$_SESSION["rp_rank"] = $row['rank'];

Originally Posted by DriftPanzy

Ever heard of session stealing? They publish the users password via a SESSION its like putting it on a file on your server and calling it index.html looooooool

Sessions are on the remote server, and can't be edited, there is nothing wrong with that piece of code.

As long as the password is a hash, and not plaintext, setting it for a session is alright, not the best practice in the world, but no harm done.

With Habbo, they were getting the user's session ID, setting it as their own, then it would recognize you.. as them..

Protege · 19-04-2008, 01:48 PM

One little exploit in his coding could get the server to set false sessions, seeing as his sessions are used against the database Id say thats extremely vulnerable.

PHP Code:


if($_SESSION['rp_logged'] == "TRUE") { 

$username = $_SESSION['rp_username']; 

$passwrd = $_SESSION['rp_passwrd']; 

$rank = $_SESSION['rp_rank']; 

$check = mysql_query("SELECT username, passwrd FROM rp_users WHERE username = '$username'")or die(mysql_error());

Dentafrice · 19-04-2008, 01:51 PM

I don't see any exploits in that..

Protege · 19-04-2008, 01:54 PM

if($_SESSION['rp_logged'] == "TRUE") {
>> $username = $_SESSION['rp_username']; <<
$passwrd = $_SESSION['rp_passwrd'];
$rank = $_SESSION['rp_rank'];
$check = mysql_query("SELECT username, passwrd FROM rp_users WHERE username = ' >>> $username <<<'")or die(mysql_error());

I do I'm sorry if you don't I've had this problem in the past.

Dentafrice · 19-04-2008, 02:08 PM

LOL, there is nothing wrong with that at all? Your just selecting something out of a database. I would rather use the ID instead of a username.

Protege · 19-04-2008, 02:32 PM

Originally Posted by Dentafrice

LOL, there is nothing wrong with that at all? Your just selecting something out of a database. I would rather use the ID instead of a username.

Yea but its going past one validation before it writes the new sessions?

I think that this system is easily exploitable by the right individual.

greggy23 · 19-04-2008, 07:53 PM

Mod can close this,
I got new panel

!

Thread: I need a more secure dj panel

Thread Tools

Posting Permissions