There is a safety problem


fafakan

Hi fafakan. Welcome to the forum. Please have a look at this.

http://forum.phpvms.net/topic/3266-securing-directories/page__hl__%2Bsecuring+%2Bfiles

Please edit your post and get rid of that link. I would just send Nabeel a quick PM instead. Anyone browsing the forums can see that and a BUNCH of sites would be gone overnight. I have already got rid of the FTP info on my files.


  • Administrators

This would be an FSFK problem as well; anyone who has access to that URL would be able to download that config file, whether through phpvms or through the fsfk scripts.

I'm hoping that VA owners made a restricted username/password for, and didn't use their main FTP user/password.


Hi,

I've temporarily solved the problem.

How did I do it? I've changed the name of the FSFK module and made the required changes in FSFK.php, fsk_xxxxxx.tpl's and profile_main.tpl.

Thus, the links can now only be known by registered users (no more standard links).

Cheers


Hi,

Here is another problem:

You can send PIREPs with FS Flight Keeper (software) to the site, and these PIREPs are accepted without a password and/or username.

Why is a username with a password not required?

Normally you can enter a user ID and password in FS Flight Keeper (Pilot Edit), but why is it not used when sending the PIREPs?

Cheers


  • Administrators

I elected not to do that because the usernames/passwords are transferred over plain-text. If there's a fake PIREP sent in, an admin can reject it, but if there's a snoop or something, then the username/password can't be sniffed out.

Also, I believe the username and password are stored in the config - the password is encrypted, and there's no way of getting the plain-text version back, so I can't gen/add that in
