think tank forum

ttf development » hello

16 years ago
lucas
i ❤ demo
I found a little SQL injection...

You don't clean the user_id and password after you unserialize it in include_common.php.

So I can log in as lucas.

Other than that, your forum is awesome!

-comex
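The pattern comex describes, shown as an added PHP example that is not ttf's own code: a serialized cookie is unserialized and its user_id and password are dropped straight into the login query, beside a hardened version. The cookie name, the `users` table, its columns and the `$db` PDO handle are assumptions.

```php
<?php
// Added example, not code from include_common.php. Assumes a cookie holding a
// serialized array ['user_id' => ..., 'password' => ...] and a PDO handle $db
// with a hypothetical table users(id, name, password_hash).

// Vulnerable pattern: values come straight out of unserialize() into SQL.
function login_unsafe(PDO $db, string $cookie): ?array {
    $auth = unserialize($cookie);
    $user_id  = $auth['user_id'];
    $password = $auth['password'];
    // Both values are attacker-controlled and the query is built by string
    // interpolation, so the cookie can change the WHERE clause.
    $sql = "SELECT id, name FROM users WHERE id = $user_id AND password = '$password'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern: unserialize without instantiating objects, validate the
// shape and types, bind parameters, and verify against a stored hash.
function login_safe(PDO $db, string $cookie): ?array {
    $auth = @unserialize($cookie, ['allowed_classes' => false]);
    if (!is_array($auth) || !isset($auth['user_id'], $auth['password'])) {
        return null;
    }
    if (filter_var($auth['user_id'], FILTER_VALIDATE_INT) === false) {
        return null;
    }
    $user_id  = (int) $auth['user_id'];
    $password = (string) $auth['password'];

    // The user id is bound as a parameter, so it cannot alter the query text.
    $stmt = $db->prepare('SELECT id, name, password_hash FROM users WHERE id = :id');
    $stmt->execute([':id' => $user_id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Constant-time check against the stored password_hash() value.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}
```

With a cookie that fails any of the checks, login_safe() returns null instead of running a query at all, which is also the cheap place to log a malformed-cookie event.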
16 years ago
Chiken
Don't Let Your Walls Down
interesting
16 years ago
lucas
i ❤ demo
wow.. thanks.

i can't believe i overlooked that. but a lot of ttf is years old, before i got really strict with best practices.

i fixed it on my server, but not in svn. so.. word up to fellow ttf-admins!
16 years ago
lucas
i ❤ demo
committed as r153
also announced on the mailing list