- Joined
- Jun 7, 2024
- Messages
- 1,108
- Solutions
- 29
- Reaction score
- 1,162
- Points
- 113
So for the majority of the community out there using xBlubb's website and all of the scripts, there's an exploit that can be done using the login function. It's done by modifying the User-Agent header and then injecting code into the database.
There are two ways to patch this exploit.
1. Stop collecting the User-Agent data.
The proper way to do this would be to modify the LOG_LOGIN table and remove the "browser" field, then go into xinc_login and change the INSERT query to look like this:
2. Check the integrity of the data coming from User-Agent by running it through a filter and checking for key words like UPDATE, SHUTDOWN, DROP, INSERT, DELETE.
For my method, I used a function.
xinc_function.php
xinc_login.php Under
Add this:
There are two ways to patch this exploit.
1. Stop collecting the User-Agent data.
The proper way to do this would be to modify the LOG_LOGIN table and remove the "browser" field, then go into xinc_login and change the INSERT query to look like this:
2. Check the integrity of the data coming from User-Agent by running it through a filter and checking for key words like UPDATE, SHUTDOWN, DROP, INSERT, DELETE.
For my method, I used a function.
xinc_function.php
xinc_login.php Under
Add this: