phpUploader v2.1 - Opensource php based auto uploader

[somik]

Here are the Vulnerability report on Somik.org Server2Server transloader when used in improper way...

http://www.google.com/search?num=30&...=&oq=&gs_rfai=



This is why i released v2.0 with all the fix that you removed....

[Daniel]

erm.... I just checked deathbliss's scripts...

WARNING TO EVERYONE. THE SCRIPT deAthbLisS POSTED IS A SHELL SCRIPT. YOUR SERVER WILL BE HACKED AND ALL FILES BE DELETED AND YOUR PREMIUM ACCOUNTS HIJACKED.


Deathbliss, your post has been reported to moderators.

lolwut..

Is this why my hotfile account went from premium to free after i used the script?

Scary

[deAthbLisS]

nvm..
people knowing the things about transloader Vulnerability could have PM'd me

but this is what they should not do:
WARNING TO EVERYONE. THE SCRIPT deAthbLisS POSTED IS A SHELL SCRIPT. YOUR SERVER WILL BE HACKED AND ALL FILES BE DELETED AND YOUR PREMIUM ACCOUNTS HIJACKED.

[Halcyon]

I just checked the script, Somik was online and we were discussing about it. You removed the .htaccess file with Somik's script, and that's why it became "vulnerable".

You gotta test things before releasing them mate!

[somik]

lolwut..

Is this why my hotfile account went from premium to free after i used the script?

Scary

I am not sure but i do not think so. A hacker still needs to know the address you uploaded it to. I think it could be hotfile's limit that you crossed which made them cancel your premium account.

I have removed my "guess" from my post and kept it to facts only. The script manager.php is a shell script. The script direct.php is a script that can be used to transload a shell script to your host. I am the owner of "direct.php" and if you look in the source, i have given an option to password protect the script, which was ignored. In my readme file, its clearly stated that:

> Security issue fixed with transloader.
> Now you may set your own password for the script.

The security fix comes as a .htaccess file that directly downloads any files placed in the original "transloaded" folder. This way, shell scripts cannot be executed.

The password protect was there as an added security for those on windows server.

Deathbliss, next time you modify a script, read the readme file atleast. You could also have contacted me via PM or IM about it (like v3g3t4 did) before using my scripts in ways it wasn't meant to be used.

nvm..
people knowing the things about transloader Vulnerability could have PM'd me

if i pmed you and you were not online then all the people who downloaded the script would be at risk.

I have edited my post. I am sorry if i have offended you. My post was not directed towards you. I meant if a hacker knew about that, then they could do that.

Still, i am sorry for offending you.

[Lifetalk]

Alright guys. Enough of all of this. deAthbLisS has pulled all his versions.

Official releases tested/coded by me, somik, DeL, and l0calh0st (the new GUI) are (as of now) Vanilla and LeechMod.

Sandvik if there's something you liked in deAth's mod and it's not included in LeechMod, PM me and I'll add it.

[Daniel]

^ I guess I still can use deaths version if its ok for him

but anyway, it would've been great if you add that's renaming only or/and change md5 etc.. adding prefix and suffix..

[Lifetalk]

Sandvik, the only reason I removed prefix/suffix was that it made no point if you were specifying an entire new name for the files. I mean, all the files will be renamed anyway, so what's the point of adding a prefix and/or a suffix?

The MD5 change is default. It's not conditional in LeechMod. It changes the MD5 of every file regardless of whether you want it to, or not. I'll add that as a conditional parameter in my next update.

[Daniel]

^ Ah ok, but if you have a prefix/suffix you can just check the box and you don't need to copy the filename + typing your own url (lazy )

I'll let you know if i get any new ideas...

[Rapid S]

can u make an only rename feature ? not un-rar/re-rar... just rename..