Bravo List

YSE v2.0 PRE6 (http://www.bvlist.com/showthread.php?t=2886)

BoLaMN 30th July 2009 12:38

Don't Mind Him!

Don't mind kp380lv, he will release his Nehalem and everyone will complain about bugs in that lol..

Hey AlaminT, are you still working on pre7 or is it dead code to you?
Would love to see if I can help at any stage.

Regards BoLaMN

kp380lv 30th July 2009 19:58

lol
 
BoLaMN

You don't know NOTHING about Nehalem...so keep your mouth...*****.

Bigjoos, no offence, but you ask questions like a kid.. in my opinion safer is better and that's all..

There is XSS in simpaty.php..

PHP Code:

$type = $_GET['type'];

better..

PHP Code:

$type = htmlentities($_GET['type']);

users.php
PHP Code:

$search = trim($_GET['search']);

better should be..

PHP Code:

$search = htmlentities(trim($_GET['search']));

XSS possibility having moderator rights...so it's NOT safe source CODE!


UPDATE:

message.php

PHP Code:

$from_is = unesc($_POST['pmees']);

should change to:

PHP Code:

$from_is = mysql_real_escape_string(unesc($_POST['pmees']));

This also in message.php

PHP Code:

$n_pms = $_POST['n_pms'];
$comment = $_POST['comment'];

Change to:

PHP Code:


$n_pms = (int) $_POST['n_pms'];
$comment = (string) $_POST['comment'];

XSS + SQL injection...

AlaminT 30th July 2009 20:52

agree - 0 + ... vs (int) = nothing cos those path exposure - is shitty just talk, NOTHING serious

USERS.PHP

print("Поиск: htmlspecialchars($search)."\">\n");

YOU ARE BLIND

simpaty.php, message.php

yes, agree

kp380lv 30th July 2009 20:54

AlaminT

Lol then print vs echo also "has no difference":D

AlaminT 30th July 2009 21:18

practically - no difference, except print is a function and returns TRUE, and echo params like works faster than

kp380lv 30th July 2009 21:53

AlaminT - So please include these updates into next version..

AlaminT 30th July 2009 22:12

if I will not forget...

kp380lv 10th August 2009 10:21

Also don't forget this fix in testport.php in next YSE version - There is an XSS

PHP Code:

$port = $_POST["port"];
   else
      $port = $_GET['port'];

replace with this..

PHP Code:

$port = (int)$_POST["port"];
   else
      $port = (int)$_GET['port'];


Moh.ElBaz 11th September 2009 17:25

That's great kp380lv

I think we can stay away from disputes and take it as a discussion to learn about holes and bugs and fix them.
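
Added example, not part of the thread and not code from the YSE source: it runs the two kinds of fix discussed above on constructed input, showing HTML encoding at output versus at input for the users.php search value, and range validation versus a bare `(int)` cast for the testport.php port. The helper names `h`, `render_search_field` and `parse_port`, and the markup of the search field, are assumptions.

```php
<?php
// Added example with hypothetical helper names; not code from the YSE source.

// Encode for HTML at the point of output. ENT_QUOTES encodes both quote
// styles, so the value cannot break out of a quoted attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The search box from users.php; its exact markup is assumed here.
function render_search_field(string $search): string
{
    return '<input type="text" name="search" value="' . h($search) . '">';
}

// Validate a port instead of only casting it: (int)"80abc" is 80 and
// (int)"abc" is 0, so a bare cast silently accepts malformed input.
function parse_port($raw): ?int
{
    $port = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 65535]]);
    return $port === false ? null : $port;
}

// Constructed sample value standing in for $_GET['search'].
$raw = trim(' "><b>Tom & Jerry</b> ');

// Encoded once, at output: markup is neutralised, the stored value stays raw.
echo render_search_field($raw), "\n";

// Encoded at input AND at output (both approaches from the thread applied
// together): still safe, but the user sees "&amp;"-style double encoding.
echo render_search_field(htmlentities($raw)), "\n";

// Constructed sample values standing in for $_POST['port'] / $_GET['port'].
foreach (['6881', '80abc', '0', '70000', ''] as $candidate) {
    printf("%-7s => %s\n", var_export($candidate, true),
        var_export(parse_port($candidate), true));
}
```

Only `6881` is accepted as a port; the other four samples come back as `NULL` and can be rejected before the value reaches output or a query.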


All times are GMT +2.