  #1  
Old 27th June 2009, 16:59
Ashur's Avatar
Ashur Ashur is offline
Senior Member
 
Join Date: Jun 2008
Posts: 523
Default YSE v2.0 PRE6
yep just went on the YSE site and found there is
YSE v2.0 (18.05.07) Pre 6 RC 0 (update 13.07.09)


Translated with GOOGLE:
Quote:
Well

FILES only for those people who have sign up for an account and those who activate your account BY MAIL!

26.04.09
Delete files + fix security forum.
Wait footprint. update - deletion of integration with the forum.

09.07.09
Fixed bug associated with ban ip and its conversion to 127.255.255.255

13.07.09
A little edit, a partial de-integration of the forum, minor edits.
maybe this is not significant but just letting you know :D

cheers
Attached Files
File Type: zip TBDev.18.05.07_pre_fixed.zip (1.57 MB, 268 views)
__________________
Say NO to private tracking
Running TorrentHoster 2.5 on IraqiGate.org

Last edited by Ashur; 31st October 2009 at 00:38. Reason: Update!
The Following 2 Users Say Thank You to Ashur For This Useful Post:
al-jodtv (22nd August 2009), Fynnon (27th June 2009)
  #2  
Old 27th June 2009, 19:15
kp380lv's Avatar
kp380lv kp380lv is offline
Senior Member
 
Join Date: May 2008
Latvia
Posts: 388
Default
There are still many security holes in this updated version...
  #3  
Old 20th July 2009, 17:26
Gerxx13's Avatar
Gerxx13 Gerxx13 is offline
Member
 
Join Date: Apr 2009
P2P
Posts: 8
Default
This version is in Russian or English ?
EDIT:
In Russian ,No thanks :D
  #4  
Old 27th July 2009, 15:05
AlaminT's Avatar
AlaminT AlaminT is offline
YS
 
Join Date: Jul 2008
Ukraine
Posts: 39
Default
Quote:
Originally Posted by kp380lv View Post
There are still many security holes in this updated version...
i think that you have a little bit prejudicial view ;)

HAVE you REALLY checked? :) if so - post the bugs, and they will be fixed

to TS: TBDev v2.0 (18.05.07) Pre 6 RC 0 (update 13.07.09) :P
  #5  
Old 27th July 2009, 18:16
kp380lv's Avatar
kp380lv kp380lv is offline
Senior Member
 
Join Date: May 2008
Latvia
Posts: 388
Exclamation lol
AlaminT

Ok you say that this version is very safe!? No, you know the truth, there are still holes - why don't you just fix them if you are so smart?

Holes and security vulnerabilities:

news.php
details.php
modtask.php
userdetails.php and so i can continue....also other files have holes or security vulnerabilities... I post only a few file names where the problems are, but however i say that there are still security problems...

Last edited by kp380lv; 27th July 2009 at 18:17. Reason: update
  #6  
Old 29th July 2009, 10:10
AlaminT's Avatar
AlaminT AlaminT is offline
YS
 
Join Date: Jul 2008
Ukraine
Posts: 39
Default
oh, details? really?

news - you mean xss in title or returnto? :)
modtask
userdetails

i think what you are posting is not holes, post, please, go on post...
__________________
Yes, I am Yuna.

Don't ask questions, go straight for my forum!
  #7  
Old 29th July 2009, 13:56
kp380lv's Avatar
kp380lv kp380lv is offline
Senior Member
 
Join Date: May 2008
Latvia
Posts: 388
Lightbulb
AlaminT

news.php

Code:
$body = $_POST["body"];
should be:

Code:
$body = htmlspecialchars($_POST["body"],ENT_QUOTES);
I hope you understand what i'm talking about..
  #8  
Old 29th July 2009, 22:07
AlaminT's Avatar
AlaminT AlaminT is offline
YS
 
Join Date: Jul 2008
Ukraine
Posts: 39
Default
useless:

block-news.php:

Code:
format_comment($array['body'])
why?

PHP Code:
function format_comment($text, $strip_html = true) {

    if ($strip_html)
        $s = htmlspecialchars_uni($s);
so there is NO VULNERABILITY, and your "fix" will only "break" things, like "&" in text will become "&amp;", e.g. you write "Command & Conquer 3" in the news, and it instead writes out "Command &amp; Conquer 3"
__________________
Yes, I am Yuna.

Don't ask questions, go straight for my forum!
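The double-escaping effect argued over in posts #7 and #8, as an added example that is not part of the thread and is not YSE/TBDev code. `escape_out()`, `store_raw()` and `store_escaped()` are hypothetical names; `escape_out()` stands in for the output-time escaping that `format_comment()` is said to apply, and the sample bodies are constructed.

```php
<?php
// Added example, not YSE/TBDev code. escape_out() is a hypothetical stand-in
// for the output-time escaping that format_comment() applies to the body.
function escape_out(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// The change proposed for news.php: escape when the POST value is received.
function store_escaped(string $posted): string {
    return htmlspecialchars($posted, ENT_QUOTES, 'UTF-8');
}

// The behaviour described in the thread: keep the value as posted.
function store_raw(string $posted): string {
    return $posted;
}

// Constructed sample news bodies.
$samples = ['Command & Conquer 3', '<script>alert(1)</script>'];

foreach ($samples as $posted) {
    $once  = escape_out(store_raw($posted));      // escaped once, at output
    $twice = escape_out(store_escaped($posted));  // escaped at input and again at output
    $leak  = store_raw($posted);                  // an output path that skips escaping

    echo "posted         : $posted\n";
    echo "raw + escape   : $once\n";
    echo "escaped twice  : $twice\n";
    echo "raw, no escape : $leak\n";
    // What a reader sees is the markup after the browser decodes entities once.
    echo "shown (once)   : " . html_entity_decode($once,  ENT_QUOTES, 'UTF-8') . "\n";
    echo "shown (twice)  : " . html_entity_decode($twice, ENT_QUOTES, 'UTF-8') . "\n\n";
}
```

Escaping only at output is sufficient as long as every page that prints the stored body goes through the escaping function; the "raw, no escape" line shows what a page that skips it would emit.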
  #9  
Old 30th July 2009, 10:53
kp380lv's Avatar
kp380lv kp380lv is offline
Senior Member
 
Join Date: May 2008
Latvia
Posts: 388
Default
Are you sure?

details.php

PHP Code:
$id = 0 + $_GET["id"];
should be:

PHP Code:
$id = (int) $_GET["id"]; 
So there are security vulnerabilities...

Or better change this to:

PHP Code:
if (!is_valid_id($_GET['id']))
    stderr($tracker_lang['error'], $tracker_lang['invalid_id']);
$id = (int) $_GET["id"];
  #10  
Old 30th July 2009, 12:01
Bigjoos's Avatar
Bigjoos Bigjoos is offline
U-232 Dev
 
Join Date: May 2008
United Kingdom
Posts: 244
Lightbulb
kp380lv i thought you would have picked up on this after we told you on Tbdev about the exact same stuff - The body you post about is under format_comment like said so learn to look deeper at code.

You say

0 + should be (int) ? - Again i don't agree there as they both do pretty much the same job :)

Again you're pushing an issue that's going to bite you in the arse - Go back to a test code and start learning - Funny thing is all these so called exploits .. i'd like to see the people that claim there's an exploit actually craft one and do damage - 90 % of it is all talk.

Last edited by Bigjoos; 30th July 2009 at 12:46.
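The three ways of handling `$_GET["id"]` discussed in posts #9 and #10, compared side by side as an added example that is not part of the thread and is not YSE/TBDev code. It assumes PHP 8; `id_plus()`, `id_cast()` and `parse_id()` are hypothetical names, `parse_id()` is a strict validator written for this example rather than the project's `is_valid_id()`, and the input values are constructed.

```php
<?php
// Added example (assumes PHP 8), not YSE/TBDev code.

// The existing idiom: 0 + $_GET["id"]
function id_plus($v) {
    try {
        return 0 + $v;
    } catch (\TypeError $e) {
        return 'TypeError';   // PHP 8 refuses non-numeric strings and arrays here
    }
}

// The proposed change: (int) $_GET["id"]
function id_cast($v) {
    return (int) $v;
}

// Hypothetical strict validator: a positive integer or false, nothing coerced.
function parse_id($v) {
    return filter_var($v, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
}

// Constructed values, as PHP would place them in $_GET["id"].
// The last one models a request that sends id as an array (id[]=1).
$inputs = ['42', '42abc', '1.9', '1e3', 'abc', '-5', ['1']];

printf("%-10s %-14s %-8s %s\n", 'input', '0 +', '(int)', 'parse_id');
foreach ($inputs as $v) {
    // @ silences the warnings PHP raises for partly numeric strings.
    printf("%-10s %-14s %-8s %s\n",
        json_encode($v),
        var_export(@id_plus($v), true),
        var_export(@id_cast($v), true),
        var_export(parse_id($v), true));
}
```

Both coercions always produce a number or an error, so the practical difference is between silently mapping odd input to some id and rejecting it outright, which is what the validate-then-cast variant in post #9 does.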