Author Topic: *** New Release - IMPORTANT FIXES ***  (Read 8478 times)

Xpeople

  • Guest
Re: *** New Release - IMPORTANT FIXES ***
« Reply #15 on: May 21, 2007, 12:02:12 PM »
What about 1.3.2 BTIT ?

MarbolanGos

  • Guest
Re: *** New Release - IMPORTANT FIXES ***
« Reply #16 on: May 21, 2007, 01:09:19 PM »
What about 1.3.2 BTIT ?

It's outdated, you should completely upgrade your btit tracker, I think.

monosgeri

  • Hero Member
  • *****
  • Posts: 682
Re: *** New Release - IMPORTANT FIXES ***
« Reply #17 on: May 21, 2007, 02:36:43 PM »
Lupin, you should change the
Code:
12/04/2007: Btitracker 1.4.1 is released, go to download section.  ;)
to
Code:
20/05/2007: Btitracker 1.4.2 is released, go to download section.  ;)

if(!$drunk) $beer++;

(http://dvd-plaza.org)

lady

  • Guest
Re: *** New Release - IMPORTANT FIXES ***
« Reply #18 on: May 22, 2007, 02:39:01 PM »
thanks for this, done and no errors

ryanwestman

  • Guest
Re: *** New Release - IMPORTANT FIXES ***
« Reply #19 on: May 25, 2007, 10:25:13 PM »
My site got hit with this exploit, 2 users were escalated and in addition the language file was modded. File system permissions take care of the language file - and I changed all 1.3.2 code to implement the fix, but I have limited PHP knowledge so I'm not 100% sure I got it.

The source addr of the site that ran the code against mine - is oddly enough another BTIT site: http://torrent-bg.org/ - I'm guessing the admin of this site is the one that came up with the exploit. If you check your qmail headers you should see something like this:

Received: (qmail 14253 invoked by uid 1009); 25 May 2007 23:03:01 +0300 - IP Addr of 82.103.99.9 (Lupin maybe you can check your email headers if this is how you were notified, I sent a bad message to get a bounce to retrieve this info).

I emailed the site operator asking him for exploit code and to retest the hack after my changes - whether or not they will reply remains to be seen. If I can prove the fixes I made for 1.3.2, I will post the updated files here.

If anyone has exploit code - msg me or reply to this thread so we can share/test the fixes made for 1.3.2.


gAnDo

  • Guest
Re: *** New Release - IMPORTANT FIXES ***
« Reply #20 on: May 27, 2007, 10:57:03 AM »
The exploit has always been there!
Upgrade your account_change.php asap.
It hasn't changed from previous versions so will not mess up your site.

canyin

  • Guest
Re: *** New Release - IMPORTANT FIXES ***
« Reply #21 on: May 27, 2007, 03:32:56 PM »
The same IP 82.103.99.9 hit my site also. I'm running 1.32. I took account_change.php from 1.43 and replaced it. It can't be hacked anymore :)

locutius

  • Guest
Re: *** New Release - IMPORTANT FIXES ***
« Reply #22 on: June 03, 2007, 10:00:38 PM »
my sites also got hit. they played around with the tracker settings but could have done much much worse

WARNING: change the MySQL password which is displayed in your tracker settings

i have blindly followed gAnDo's suggestion and replaced account_change.php with the latest version from 1.4.3 ... i hope this will fix the exploit, thanks m8