  1. #21 (Join Date: May 2006, Location: Hull, Posts: 7,701, Tokens: 2,430, Habbo: Moh)

    Quote Originally Posted by greggy23:
    Mod can close this,
    I got new panel !
    What panel you using?

  2. #22 (Join Date: Jan 2007, Location: Canada eh?, Posts: 766, Tokens: 75)

    Quote Originally Posted by DriftPanzy:
    Ever heard of session stealing? They publish the user's password via a SESSION. It's like putting it in a file on your server and calling it index.html looooooool
    Well I was about to start a big long rant about this until I saw these two posts below - just take a look at them, and yes the session that is being set contains the hashed password (I'm not stupid).

    Quote Originally Posted by NintendoNews:
    Drift, I think you're wrong about sessions being that easy to steal. The only reason that you could steal sessions from the Habbo site was that it had a vulnerability due to an XSS (Cross Site Scripting) issue. In general, you can't steal sessions, unless there is a browser exploit or some bad coding somewhere.

    I recall that the problem with the Habbo website was that some input was loaded through a URL (GET) parameter and it wasn't filtered, so things could be done. If you're interested in finding out more, I suggest you read http://en.wikipedia.org/wiki/Session_hijacking and http://en.wikipedia.org/wiki/Cross-site_scripting.
    Quote Originally Posted by Dentafrice:
    Sessions are on the remote server and can't be edited; there is nothing wrong with that piece of code.

    As long as the password is a hash, and not plaintext, setting it for a session is alright, not the best practice in the world, but no harm done.

    With Habbo, they were getting the user's session ID, setting it as their own, then it would recognize you.. as them..
    Okay, now get ready for the [poop] to hit the fan....

    Quote Originally Posted by DriftPanzy:
        if($_SESSION['rp_logged'] == "TRUE") {
        >> $username = $_SESSION['rp_username']; <<
        $passwrd = $_SESSION['rp_passwrd'];
        $rank = $_SESSION['rp_rank'];
        $check = mysql_query("SELECT username, passwrd FROM rp_users WHERE username = ' >>> $username <<<'") or die(mysql_error());

    I do; I'm sorry if you don't. I've had this problem in the past.
    In order for this to be a flaw, the user would have to create a session called "rp_username" that contained the malicious code. Problem here is that sessions are all server side therefore the user has no real control over them.

    So, on a closing note, if you have the latest security updates to the panel then there is absolutely nothing [that I know of or that anyone has told me of] that would make the panel vulnerable to being hacked three different times.
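As an added example (not code from this thread, from any of the posters, or from any panel), here is a hardened PHP version of the quoted rp_* session check that addresses the three points raised above: no password hash kept in the session, a bound parameter instead of string interpolation, and the session ID rotated at login so a stolen or pre-set ID is not carried over. It assumes a mysqli connection built on mysqlnd (for get_result), password hashes created with password_hash() rather than the panel's original scheme, and the same rp_users columns; the function names are hypothetical.

```php
<?php
// Added example, not code from the thread or from any panel.
// Assumes: mysqli + mysqlnd, rp_users(username, passwrd, rank), hashes from password_hash().

// Keep the session ID out of URLs and out of reach of script (the XSS case above).
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_httponly', '1');
session_start();

// Login: verify against the stored hash, then store only what later pages need.
function rp_login(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT passwrd, rank FROM rp_users WHERE username = ?');
    $stmt->bind_param('s', $username);   // bound parameter: input never becomes SQL text
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null || !password_verify($password, $row['passwrd'])) {
        return false;
    }
    session_regenerate_id(true);         // drop any ID the browser held before login
    $_SESSION['rp_logged']   = true;
    $_SESSION['rp_username'] = $username;
    $_SESSION['rp_rank']     = (int) $row['rank'];
    // Deliberately no $_SESSION['rp_passwrd']: the hash has no use after login.
    return true;
}

// Per-page check: the session is server-side, but the username still goes through a
// bound parameter, so the query stays safe whatever was stored under rp_username.
function rp_current_user(mysqli $db): ?array
{
    if (empty($_SESSION['rp_logged'])) {
        return null;
    }
    $stmt = $db->prepare('SELECT username, rank FROM rp_users WHERE username = ?');
    $stmt->bind_param('s', $_SESSION['rp_username']);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}
```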

  3. #23

    Quote Originally Posted by Jack120:
    What panel you using?
    Using Kristall
