#21 | 13th August 2008, 16:13 | autotron (Senior Member)
you also need to enter your user ID a few lines lower here
Code:
if(get_user_class() >= UC_MODERATOR){
   $adminids = array(8,9,xx);    // put your admins id in here like this (1,1553,956,12414)
#22 | 13th August 2008, 20:35 | wMan (Banned)
take maxsysops out
#23 | 14th August 2008, 01:02 | HIENA (Senior Member)
not work same message

Code:
function maxsysop () {
global $CURUSER;
$lmaxsysop = 4; // How many sysop account on your website?
$lmaxclass  = 6; // Max. Class, e.g: mine is: define ("UC_SYSOP", 8);
$lsysopnames = array("HIENA"); // Case sensitive.
$query = mysql_query("SELECT COUNT(id) AS total FROM users WHERE class >= $lmaxclass")  or sqlerr(__FILE__, __LINE__); // get total sysops
list($info['maxsysop']) = mysql_fetch_row($query); // list

if ($info['maxsysop'] > $lmaxsysop)
    if ($CURUSER['class'] >= $lmaxclass)
      if (!in_array($CURUSER["username"], $lsysopnames)){
      write_log(htmlstrip($CURUSER['username'])." changed themselves to class ".htmlstrip($CURUSER['class']).". Current page: $_SERVER[PHP_SELF], previous page: $_SERVER[HTTP_REFERER]");
       mysql_query("UPDATE users set enabled='no' WHERE id=$CURUSER[id]");
      $msg="Fake Account Detected: Username: ".$CURUSER["username"]." - UserID: ".$CURUSER["id"]." - UserIP : ".getip();
      $subject="Fake account detected, greater than SysOp!";
      mysql_query("INSERT INTO messages (poster, sender, receiver, added, msg, subject) VALUES(0, 0, 1, '" . get_date_time() . "', " .sqlesc($msg) . ", ".sqlesc($subject).")") or sqlerr(__FILE__, __LINE__);
        stderr("Locked!","We come to believe you are using a fake account, therefore we've logged this action, and disabled your account!"); // die
        }
if(get_user_class() >= UC_MODERATOR){
   $adminids = array(5,x,xx);    // put your admins id in here like this (HIENA)
   if (!in_array($CURUSER['id'], $adminids)){

Fatal error: Call to undefined function htmlstrip() in C:\xampp\htdocs\include\bittorrent.php on line 191
#24 | 14th August 2008, 01:32 | djlee (Senior Member)
ok I'm bored of bad sources lol .. it's simple

1. change all htmlstrip functions to htmlspecialchars (or don't bother with 'em altogether as you're only writing to a log)

2. if you can't be arsed changing them use the htmlstrip function posted earlier by a user whose name I forgot.

3. THIS IS NOT A SECURITY PRECAUTION... what it really is, if anything, is a security problem.. by outputting the error you're giving the script kiddie simple and easy to find information on the http web serving path of the server. From that the script kiddie can then hazard a guess at your op system AND the path to everything within your server. most of you probably use the default http serving path set up by the http web server... this is usually determined by either the cpanel used to manage the sites on the server or in some cases by the operating system on the server (and its file system layout)... So by giving the undefined function error you're simply giving the hacker more info to use against you

4. Another thing is this isn't any more of a security precaution than removing the write_log function completely.. the whole idea of the write_log that's there is to notify you of privilege escalation.. if the undefined function kills the php execution this means the write_log is never performed AND you don't get any info apart from knowing your site is dead due to a hacker .. no user id, no username.. no IP at hand so you'd better search the sql for that info cause it won't be in any log

the coder has tried to provide a secure code but has unfortunately failed to do so. I'm not trying to be mean or nasty but if everyone were releasing unstable code there'd be a lot of unhappy people around spamming communities like ourselves.

I felt this needed to be posted in this manner to let you all know how insecure this code is .. covering up a mess-up with a security precaution idea is not good enough and it will cause major problems in the long run

I would suggest to tobbie to fix this error and re-check all his code .. there is a great xss and sql precaution thread on the tbdev forums that will help you find some of the more common errors and many code fixes posted in the mods section. If you can fix up the source and repost a better version I'm sure your source will receive a lot better reputation and I wish you all the best :)

gd luck and please make sure you rectify this main problem before people forget about your source and your hard work and time goes to waste
The Following 2 Users Say Thank You to djlee For This Useful Post:
gram (30th December 2009), nexztone (14th August 2008)
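
An added example (not code from this thread or from the TBDev source) of the two points raised in post #24: PHP errors are kept out of the response so the server path is not disclosed, and the escalation record is built only from functions that are guaranteed to exist, so it is written before anything else can abort the request. The names `log_safe` and `check_escalation`, the ID allow-list and the sample users are assumptions made for illustration.

```php
<?php
// Added example; not code from the thread or from the TBDev source.
// Keep PHP errors (and the server paths they reveal) out of the response
// and send them to the server-side error log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Hypothetical helper: make a value safe for a one-line log entry.
// Uses the project's htmlstrip() only if it is actually defined, so a
// missing helper can never abort the request before the event is logged.
function log_safe($value) {
    $s = str_replace(array("\r", "\n"), ' ', (string)$value);
    return function_exists('htmlstrip')
        ? htmlstrip($s)
        : htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Hypothetical check: returns an audit line when $user holds a class at or
// above $maxClass without being on the ID allow-list, otherwise null.
function check_escalation(array $user, array $allowedIds, $maxClass, $ip) {
    if ((int)$user['class'] < $maxClass) {
        return null;
    }
    if (in_array((int)$user['id'], $allowedIds, true)) {
        return null;
    }
    return sprintf('class-escalation user=%s id=%d class=%d ip=%s',
        log_safe($user['username']), (int)$user['id'],
        (int)$user['class'], log_safe($ip));
}

// Constructed sample data, not taken from a real tracker.
$allowedIds = array(1, 8);
$users = array(
    array('id' => 8,  'username' => 'sysop',    'class' => 6),
    array('id' => 42, 'username' => "eve\n<b>", 'class' => 6),
    array('id' => 43, 'username' => 'member',   'class' => 1),
);
foreach ($users as $u) {
    $line = check_escalation($u, $allowedIds, 6, '203.0.113.7');
    if ($line !== null) {
        error_log($line); // 1. record the event first, with built-ins only
        // 2. only then disable the account and show a generic message
    }
}
```

Only the second sample user produces a log line; the embedded newline and markup in the username are neutralised before the line is written.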
#25 | 15th August 2008, 19:43 | pablozl (Member)
thanks
#26 | 16th August 2008, 18:54 | voicu (Member) | error
Parse error: syntax error, unexpected $end in C:\xampp\htdocs\include\bittorrent.php on line 1514
#27 | 17th August 2008, 19:47 | Hasztex (Member) | Localhost
Hello!
This works really good actually. There's just one thing. All the users have the IP "127.0.0.1 (localhost)". And I can upload torrents. And I can seed them. But in uTorrent 1.8 it is red and it doesn't seed on the tracker. But the torrent is there but invisible (dead)

Any fix for this?
#28 | 18th August 2008, 19:24 | Robz (Senior Member)
Hi! Great modded version of TBDev, really appreciate it!

BUT when I upload a torrent to my tracker, I get an error message and I can't connect to the tracker in Azureus.

I get this:

Connection Error (invalid reply: <br />
<b>Fatal Error:</b> Unknown function: getallheaders () in blablabla

Any idea on how to fix this? I tried to remove that function, but then it complains that there is no such function as maxsysops in the same file announce.php.

Please help me here :)
#29 | 26th August 2008, 00:11 | DocSnYder (Member)
thx for that, I'm just giving it a try on my space ;)
#30 | 30th August 2008, 13:54 | LANDSER (Member)
Quote:
Originally Posted by HIENA
not work same message

Code:
function maxsysop () {
global $CURUSER;
$lmaxsysop = 4; // How many sysop account on your website?
$lmaxclass  = 6; // Max. Class, e.g: mine is: define ("UC_SYSOP", 8);
$lsysopnames = array("HIENA"); // Case sensitive.
$query = mysql_query("SELECT COUNT(id) AS total FROM users WHERE class >= $lmaxclass")  or sqlerr(__FILE__, __LINE__); // get total sysops
list($info['maxsysop']) = mysql_fetch_row($query); // list

if ($info['maxsysop'] > $lmaxsysop)
    if ($CURUSER['class'] >= $lmaxclass)
      if (!in_array($CURUSER["username"], $lsysopnames)){
      write_log(htmlstrip($CURUSER['username'])." changed themselves to class ".htmlstrip($CURUSER['class']).". Current page: $_SERVER[PHP_SELF], previous page: $_SERVER[HTTP_REFERER]");
       mysql_query("UPDATE users set enabled='no' WHERE id=$CURUSER[id]");
      $msg="Fake Account Detected: Username: ".$CURUSER["username"]." - UserID: ".$CURUSER["id"]." - UserIP : ".getip();
      $subject="Fake account detected, greater than SysOp!";
      mysql_query("INSERT INTO messages (poster, sender, receiver, added, msg, subject) VALUES(0, 0, 1, '" . get_date_time() . "', " .sqlesc($msg) . ", ".sqlesc($subject).")") or sqlerr(__FILE__, __LINE__);
        stderr("Locked!","We come to believe you are using a fake account, therefore we've logged this action, and disabled your account!"); // die
        }
if(get_user_class() >= UC_MODERATOR){
   $adminids = array(5,x,xx);    // put your admins id in here like this (HIENA)
   if (!in_array($CURUSER['id'], $adminids)){

Fatal error: Call to undefined function htmlstrip() in C:\xampp\htdocs\include\bittorrent.php on line 191
Code:
function maxsysop () {
global $CURUSER;
$lmaxsysop = 4; // How many sysop account on your website?
$lmaxclass  = 6; // Max. Class, e.g: mine is: define ("UC_SYSOP", 8);
$lsysopnames = array("HIENA"); // Case sensitive.
$query = mysql_query("SELECT COUNT(id) AS total FROM users WHERE class >= $lmaxclass")  or sqlerr(__FILE__, __LINE__); // get total sysops
list($info['maxsysop']) = mysql_fetch_row($query); // list

if ($info['maxsysop'] > $lmaxsysop)
    if ($CURUSER['class'] >= $lmaxclass)
      if (!in_array($CURUSER["username"], $lsysopnames)){
      write_log(htmlstrip($CURUSER['username'])." changed themselves to class ".htmlstrip($CURUSER['class']).". Current page: $_SERVER[PHP_SELF], previous page: $_SERVER[HTTP_REFERER]");
       mysql_query("UPDATE users set enabled='no' WHERE id=$CURUSER[id]");
      $msg="Fake Account Detected: Username: ".$CURUSER["username"]." - UserID: ".$CURUSER["id"]." - UserIP : ".getip();
      $subject="Fake account detected, greater than SysOp!";
      mysql_query("INSERT INTO messages (poster, sender, receiver, added, msg, subject) VALUES(0, 0, 1, '" . get_date_time() . "', " .sqlesc($msg) . ", ".sqlesc($subject).")") or sqlerr(__FILE__, __LINE__);
        stderr("Locked!","We come to believe you are using a fake account, therefore we've logged this action, and disabled your account!"); // die
        }
if(get_user_class() >= UC_MODERATOR){
   $adminids = array(HIENA);    // put your admins id in here like this (HIENA)
   if (!in_array($CURUSER['id'], $adminids)){
PS: can someone make this source work? (sorry for my English)
I do this:
"12. In bittorrent.php at line 189 add user ids and on line 174 add all sysop names on the site.
!if you don't edit this you will get the error on the line under at almost every page!
Fatal error: Call to undefined function htmlstrip() in C:\xampp\htdocs\include\bittorrent.php on line 191"
I have this error:
Fatal error: Call to undefined function htmlstrip() in C:\xampp\htdocs\include\bittorrent.php on line 191
Last edited by LANDSER; 30th August 2008 at 15:26.
The Following 2 Users Say Thank You to LANDSER For This Useful Post:
PhuKetStar (10th September 2008), voicu (31st August 2008)