Apr. 25th, 2006

Stupid migraine... Bleh... Sleep...

If it can be sunny tomorrow, I'm not staying home. I think I need fresh air.
Hm... what a fun way to start a day. Find out that someone has found an exploit in phpMyChat, and that it got used on my chatroom.

At least I managed to find a quick solution. The bug involves how eval() is used for welcome messages. They found a way to log in as SYS enter, which is the entrance notification thing. Every line sent by a SYS user is run, so they could just use this to run things using system() in PHP, since it was eval()ed.

I made a quick fix. An ugly one, but it should work for now.

if (stristr($Message, "sprintf") AND !stristr($Message, "system"))
{
    eval("\$Message = $Message;");
}

So now the message has to contain a sprintf, and not contain system. Which should fix the problem until I want to spend more time on it, unless they somehow decide to spend more time messing with my chatroom in particular. Which I really doubt.
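
An alternative to filtering the string before eval(), as an added example that is not from the original post or from phpMyChat: accept only one fixed message shape and build the text with vsprintf(), so nothing in the message is ever run as code. The stored shape `sprintf(CONSTANT, "arg")`, the constant names, the format strings and the function name `render_sys_message` are assumptions made for illustration.

```php
<?php
// Added example: render a "SYS enter" line without eval().
// Assumed stored shape: sprintf(L_ENTER_ROM, "nick")

// Allowlist of format strings (constructed values for illustration).
const SYS_FORMATS = [
    'L_ENTER_ROM' => '%s enters this room',
    'L_EXIT_ROM'  => '%s exits from this room',
];

function render_sys_message(string $message): ?string
{
    $str = '"(?:[^"\\\\]|\\\\.)*"';
    // The whole message must be one sprintf call: a constant name
    // followed by double-quoted string arguments, nothing else.
    $shape = '/\Asprintf\(\s*([A-Z0-9_]+)\s*((?:,\s*' . $str . '\s*)*)\)\z/';
    if (!preg_match($shape, $message, $m) || !array_key_exists($m[1], SYS_FORMATS)) {
        return null;
    }
    preg_match_all('/"((?:[^"\\\\]|\\\\.)*)"/', $m[2], $found);
    $format = SYS_FORMATS[$m[1]];
    // Argument count must match the placeholders, or vsprintf() fails.
    if (count($found[1]) !== substr_count($format, '%s')) {
        return null;
    }
    // Arguments are data only: unescape, then encode for HTML output.
    $args = array_map(
        fn(string $a): string => htmlspecialchars(stripslashes($a), ENT_QUOTES, 'UTF-8'),
        $found[1]
    );
    return vsprintf($format, $args);
}

// Constructed sample messages: one well-formed, two that must be refused.
$samples = [
    'sprintf(L_ENTER_ROM, "guest")',
    'sprintf(L_ENTER_ROM, "guest") . system("...")',
    'sprintf(L_UNKNOWN, "guest")',
];
foreach ($samples as $msg) {
    $out = render_sys_message($msg);
    echo ($out ?? '[rejected]') . PHP_EOL;
}
```

A message that returns null here should be dropped or shown as plain escaped text rather than passed on to eval().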
