DDLCMS question?

[DEViANCE]

Anybody not using php 5 is crazy.. infact anyone still using php4 is very crazy...

But yes i klnow you have your own ddl script, i was more refering to the pthers but a bit of advice here and there from somebody with experience never hurts.

I personally intend to use this for a while and make a few mods, so i am all up for helping in anyway i can as it will benefit me too. I have already made a couple of small mods, one seriously improves performace. Just need to find a skinner and i am set.

[William Palmer]

Well darn

Ok @ deviance on some servers i have it compiled with php4 + php5 and enhanced the security on both of them

The reason as to why i think it is blocking it is because of mycrypt i dont fully understand it yet but by the looks of it it looks like its checking bytes by 29 and 36 or 30 if you run a script and it doesnt compare to those it does not execute

by using ../../../../ it will block it but if we encode you can try and use

%20/% followed by the /etc/passwd


Thats just a theory if we take a look at how the transversial is even executing we can look here

If we tried to inject this code onto ?wwwRoot it would not work why? beacuse wwwRoot is basically a addon to the variables to config.php killthread.php and basedir so if executing a load o f include functions of config / killthread was not found

But in the variable baseDir it connects all the variables together making it the big guy

Code: 

$baseDir = substr($wwwRoot, 0, ##BASEDIR##);
    require($baseDir . 'funcs.inc');
    require($baseDir . 'config.php');

Any other ideas can be great i will be testing this script for javascript injection and other stuff later on today

[Little Dragon]

Keep in mind, you are all testing the first release of this script, which was appropriately called a "beta" release.

Also, my reply states, and I quote again

Code: 

"This exploit for misconfigured servers 
has been removed in the latest release of this script."

so I admitted that the script indeed had an exploit for misconfigured servers, but was already addressed prior to this post, and fixed. Why then, JmZ, do you keep harping about it? Go away man, seriously.

I love it when I get quoted so many times.

I love quoting you JmZ because you only make yourself out to look like a damn fool with each reply, and, it re-iterates your lack of respect, lack of dignity, and especially your shameless arrogance, as pointed out by this last quote. I'm sure you will reply again, this time with love and respect and genuine heart-felt assistance (yeah right)... hey JmZ, do me a favour again and hover your mouse cursor over this smiley

[Dman]

Good work on fixing exploit

[JmZ]

I'm simply pointing out facts, it is you who tries to turn it personal (and doesn't succeed, ever).

Maybe one day you should listen to my posts and notice that it really does contain quite a few exploits. If you understand that and recognise it as a fact, you can have your coder(s) check the code.

[Little Dragon]

I'm simply pointing out facts, it is you who tries to turn it personal (and doesn't succeed, ever).

Maybe one day you should listen to my posts and notice that it really does contain quite a few exploits. If you understand that and recognise it as a fact, you can have your coder(s) check the code.

Here, let me repeat myself the third time, and perhaps I should use the big, colour coded letters, because it seems you keep missing it.

Code: 

Keep in mind, you are all testing the first release of 
this script, which was appropriately called a "beta" 
release.
 
Also, my reply states, and I quote again
 
Code:
"This exploit for misconfigured servers has been removed 
in the latest release of this script."
so I admitted that the script indeed had an exploit for 
misconfigured servers, but was already addressed prior to 
this post, and fixed. Why then, JmZ, do you keep harping 
about it? Go away man, seriously.

Hey JmZ, here's an idea, bring it up again, how the first release has exploits and harp your ass off about it all over again, I'm sure you planned on it as usual. Hey Jmz do me a favour again and hover your mouse cursor over this smiley

[JmZ]

Yes I see, it's a beta. But is it not true that the reason in having a beta is to fix bugs and vulnerabilities? Yet you seem to completely ignore my "tips" to you.

[Crucify]

both of you should partner up

[JmZ]

Well he's not the coder so that wouldn't be very useful lol.

Anyway, I made my point, he can take the hint or not. All im saying is the script contains exploits. Yes it's a beta but the point in that is to learn where the vulns are, so go do that.

[Little Dragon]

Well he's not the coder so that wouldn't be very useful lol.

Anyway, I made my point, he can take the hint or not. All im saying is the script contains exploits. Yes it's a beta but the point in that is to learn where the vulns are, so go do that.

Yes I see, it's a beta. But is it not true that the reason in having a beta is to fix bugs and vulnerabilities? Yet you seem to completely ignore my "tips" to you.

God damn. How many times are you going to keep bringing up the same stupid crap. What an idiot. Get this through you thick, ignorant skull:

The exploit in the beta version has been addressed and fixed, prior to the report, so there is no vulnerability or exploit in the new release.

I made the letters big enough, JmZ, because you didn't catch it the first 5 times I REPEATED myself, so maybe this time, you will see it and read it and comprehend it (somehow, I doubt it though).