Re: Imagevote script problems
From: Chern Ann (member44721_at_dbforums.com)
Date: 10/25/03
- Next message: Kman: "Why hiring a php coder is better than buying a shopping cart program?"
- Previous message: GP: "free PHP script like http://scriptlance.com"
- Maybe in reply to: Chern Ann: "Re: Imagevote script problems"
- Next in thread: Baron: "Re: Imagevote script problems"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Fri, 24 Oct 2003 23:55:05 -0400
Actually, I was the one who wrote the complaints. Imagevote by default
was very insecure; the authentication was ridiculous, i.e., after you
login, your username is stored as a cookie UNENCRYPTED, and all
authentication requests are just validated against the username (not
even a password).
So armed with a member list and a cookie writer, you could theoretically
go and play with anybody's account.
Some previous versions of the admin page had the same problem.
It wasn't a big deal ripping out the insecure code and replacing it with
PHP 4's native session management. Unfortunately, RJ never got round to
fixing it even AFTER I posted this heinous security hole and released
version 2.0 without the fix.
Looks like the guy's done a complete runner. I also wrote about how
suspicious his subscription plan was, and mysteriously had my IP
address blocked from the forums (nothing that an overseas http proxy
couldn't solve).
-- Posted via http://dbforums.com
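The pattern the post describes (a cookie carrying the bare username, every request authorised by that alone) next to the server-side session approach it recommends, as an added example that is not Imagevote's code or the poster's patch. It uses modern PHP (`password_hash`, `password_verify`, the array form of `session_set_cookie_params`), not the PHP 4 session API of 2003; the member list and password are constructed sample data, and `insecure_*` exists only for contrast.

```php
<?php
// Constructed sample member store; a real application reads this from a database.
// Passwords are stored only as password_hash() output, never in the clear.
$members = [
    'alice' => ['id' => 1, 'hash' => password_hash('correct horse battery', PASSWORD_DEFAULT)],
];

// ---- Pattern criticised in the post (shown only for contrast; do not use) ----
// The client-controlled cookie is the sole proof of identity, so whatever value
// the browser sends is believed. Nothing ties the cookie to a verified login.
function insecure_login(string $user, array $members): bool {
    if (!isset($members[$user])) {
        return false;
    }
    setcookie('username', $user);              // plaintext, unsigned, no password check
    return true;
}

function insecure_current_user(array $members): ?string {
    $u = $_COOKIE['username'] ?? null;         // trusts the client completely
    return ($u !== null && isset($members[$u])) ? $u : null;
}

// ---- Hardened form: verify credentials, keep state server-side ----
// The browser only ever holds an opaque session id; the mapping from id to
// member lives on the server, so a forged cookie value maps to nothing.
function secure_session_start(): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,     // sent over HTTPS only
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function secure_login(string $user, string $password, array $members): bool {
    // Same result for unknown user and wrong password, so neither is revealed.
    if (!isset($members[$user]) || !password_verify($password, $members[$user]['hash'])) {
        return false;
    }
    secure_session_start();
    session_regenerate_id(true);               // new id on privilege change (anti-fixation)
    $_SESSION['uid']  = $members[$user]['id'];
    $_SESSION['user'] = $user;
    return true;
}

function secure_current_user(): ?string {
    secure_session_start();
    return $_SESSION['user'] ?? null;          // resolved from server-side state only
}

function secure_logout(): void {
    secure_session_start();
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
}

// Usage on a login page (assumed form field names):
// if (secure_login($_POST['user'] ?? '', $_POST['pass'] ?? '', $members)) { header('Location: /'); }
// On every protected page:
// if (secure_current_user() === null) { http_response_code(403); exit; }
```

The point of the change is where identity is decided: `insecure_current_user` lets the client assert who it is, while `secure_current_user` only reads what the server itself wrote after a successful `password_verify`. Regenerating the session id at login and setting `HttpOnly`/`Secure` on the cookie are the two details most often left out when "switch to sessions" is done as a quick retrofit.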