Snippet xBlubbs / Sapphire - Website Exploit Fix


zOmbie (Administrator), joined Jun 7, 2024
So for the majority of the community out there using xBlubb's website and all of the scripts, there's an exploit that can be done using the login function. It's done by modifying the User-Agent header and then injecting code into the database.

There are two ways to patch this exploit.

1. Stop collecting the User-Agent data.
The proper way to do this would be to modify the LOG_LOGIN table and remove the "browser" field, then go into xinc_login and change the INSERT query to look like this:

2. Check the integrity of the data coming from User-Agent by running it through a filter and checking for keywords like UPDATE, SHUTDOWN, DROP, INSERT, DELETE.
For my method, I used a function.

xinc_function.php

xinc_login.php, under

Add this:
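As an added example, not code from this post or from xBlubb's scripts: the User-Agent logging the post describes, first in the concatenated form that lets the header text reach the SQL, then rewritten with a prepared statement so the header is bound as data and no keyword filter is needed for the query to be safe. The `$db` connection and every LOG_LOGIN column other than `browser` are assumptions.

```php
<?php
// Added example (not Sapphire/xBlubb code). Assumed: an open mysqli connection
// $db, and LOG_LOGIN columns "account" and "ip" (hypothetical names; only
// "browser" comes from the original post).

// Pattern the post warns about: header text is spliced into the query string,
// so a crafted User-Agent becomes part of the SQL statement.
function logLoginVulnerable(mysqli $db, string $account): bool
{
    $browser = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $sql = "INSERT INTO LOG_LOGIN (account, browser) VALUES ('$account', '$browser')";
    return $db->query($sql) !== false;
}

// Hardened form: the same row is written, but every value travels as a bound
// parameter. Quotes or SQL keywords in the header are stored literally.
function logLoginSafe(mysqli $db, string $account): bool
{
    $browser = $_SERVER['HTTP_USER_AGENT'] ?? '';
    // Clip to the assumed VARCHAR(255) width so the log row is never rejected
    // or silently truncated by an oversized header.
    $browser = mb_substr($browser, 0, 255);
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';

    $stmt = $db->prepare(
        'INSERT INTO LOG_LOGIN (account, browser, ip) VALUES (?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('sss', $account, $browser, $ip);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

With the prepared statement in place, the keyword filter from option 2 becomes optional hygiene for the log rather than the only thing standing between the header and the database.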