Topic: *** New Release - IMPORTANT FIXES *** (thread page 2)
Xpeople
Guest
« Reply #15 on: May 21, 2007, 12:02:12 PM »

What about 1.3.2 BTIT ?
MarbolanGos
Guest
« Reply #16 on: May 21, 2007, 01:09:19 PM »

What about 1.3.2 BTIT ?

It's outdated, you should upgrade your btit tracker completely, I think.
monosgeri
Hero Member
« Reply #17 on: May 21, 2007, 02:36:43 PM »

Lupin, you should change the
Code:
12/04/2007: Btitracker 1.4.1 is released, go to download section.  ;)
to
Code:
20/05/2007: Btitracker 1.4.2 is released, go to download section.  ;)

if(!$drunk)
    $beer++;

(http://dvd-plaza.org)
lady
Guest
« Reply #18 on: May 22, 2007, 02:39:01 PM »

Thanks for this, done and no errors.
ryanwestman
Guest
« Reply #19 on: May 25, 2007, 10:25:13 PM »

My site got hit with this exploit, 2 users were escalated and in addition the language file was modded. File system permissions take care of the language file - and I changed all 1.3.2 code to implement the fix, but I have limited PHP knowledge so I'm not 100% sure I got it.

The source addr of the site that ran the code against mine is, oddly enough, another BTIT site: http://torrent-bg.org/ - I'm guessing the admin of this site is the one that came up with the exploit. If you check your qmail headers you should see something like this:

Received: (qmail 14253 invoked by uid 1009); 25 May 2007 23:03:01 +0300 - IP Addr of 82.103.99.9 (Lupin maybe you can check your email headers if this is how you were notified, I sent a bad message to get a bounce to retrieve this info).

I emailed the site operator asking him for exploit code and to retest the hack after my changes - whether or not they will reply remains to be seen. If I can prove the fixes I made for 1.3.2, I will post the updated files here.

If anyone has exploit code - msg me or reply to this thread so we can share/test the fixes made for 1.3.2.

gAnDo
Guest
« Reply #20 on: May 27, 2007, 10:57:03 AM »

The exploit has always been there!
Upgrade your account_change.php asap.
It hasn't changed from previous versions so it will not mess up your site.
canyin
Guest
« Reply #21 on: May 27, 2007, 03:32:56 PM »

The same IP 82.103.99.9 hit my site also. I'm running 1.32. I took account_change.php from 1.43 and replaced it. It can't be hacked anymore :)
locutius
Guest
« Reply #22 on: June 03, 2007, 10:00:38 PM »

My sites also got hit. They played around with the tracker settings but could have done much, much worse.

WARNING: change the MySQL password which is displayed in your tracker settings

I have blindly followed gAnDo's suggestion and replaced account_change.php with the latest version from 1.4.3 ... I hope this will fix the exploit, thanks m8
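The two defensive steps the posts in this thread describe are replacing account_change.php with the copy from a newer release and keeping the language file out of reach of the web-server account. The script below is an added example, not code from the thread or from the BtiTracker project: it verifies that a deployed file is byte-identical to a known-good copy, checks that a file carries no group/other write bit, and lists every file under the tracker root that does. The install path /var/www/tracker, the known-good path /root/btit-1.4.3/account_change.php and the language file name language/english.php are assumptions; pass your own paths as arguments.

```shell
#!/bin/sh
# Added example (not from the thread or the BtiTracker project).
# Checks: (1) deployed account_change.php equals the known-good copy,
#         (2) the language file is not group/other writable,
#         (3) nothing else under the tracker root is group/other writable.
# All paths below are assumptions for illustration.

# Print the SHA-256 of a file with whichever tool is installed.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_file_matches DEPLOYED KNOWN_GOOD -> status 0 when both hashes agree.
check_file_matches() {
    [ "$(file_sha256 "$1")" = "$(file_sha256 "$2")" ]
}

# check_not_group_or_world_writable FILE -> status 0 when neither the group
# write bit (column 6 of "ls -l") nor the other write bit (column 9) is set.
check_not_group_or_world_writable() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    group_w=$(printf '%s' "$mode" | cut -c6)
    other_w=$(printf '%s' "$mode" | cut -c9)
    [ -n "$mode" ] && [ "$group_w" != "w" ] && [ "$other_w" != "w" ]
}

# list_writable_files DIR -> regular files under DIR with a group or other
# write bit, one path per line; empty output is the healthy state.
list_writable_files() {
    find "$1" -type f \( -perm -g+w -o -perm -o+w \) -print
}

# audit_tracker [ROOT] [KNOWN_GOOD] -> runs all three checks, status 1 on any failure.
audit_tracker() {
    root=${1:-/var/www/tracker}                       # assumed install directory
    good=${2:-/root/btit-1.4.3/account_change.php}    # assumed known-good copy
    lang="$root/language/english.php"                 # assumed language file
    status=0
    if check_file_matches "$root/account_change.php" "$good"; then
        echo "OK   account_change.php matches the known-good copy"
    else
        echo "FAIL account_change.php differs from the known-good copy"; status=1
    fi
    if check_not_group_or_world_writable "$lang"; then
        echo "OK   $lang is not group/other writable"
    else
        echo "FAIL $lang is missing or group/other writable"; status=1
    fi
    writable=$(list_writable_files "$root")
    if [ -z "$writable" ]; then
        echo "OK   no group/other writable files under $root"
    else
        echo "FAIL group/other writable files under $root:"; echo "$writable"; status=1
    fi
    return "$status"
}

# Only run the audit when paths are supplied, e.g.:
#   sh audit.sh /var/www/tracker /root/btit-1.4.3/account_change.php
if [ "$#" -gt 0 ]; then
    audit_tracker "$@"
fi
```

Run it as the tracker's file owner after replacing account_change.php; a FAIL on the checksum means the deployed file was changed again after the swap, and any path printed under the third check is one the web-server account (or anyone else) can still rewrite.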