Thread: Hacked!

  1. #1

    Hacked!

    Flynax is susceptible to SQL injection via the login and signup forms. Also, the sort_type variable is susceptible to HTTP POST. How do I sanitize these forms? Our competitors have been defacing our site for 3 days. Please help. I have a ticket open already.
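
The two inputs named in the post above (login fields and sort_type), handled with bound parameters and an allowlist. This is an added example, not part of the thread and not the Flynax patch, whose code is not visible on this page; it uses generic PHP/PDO with an in-memory SQLite database, and all table, column and function names are hypothetical.

```php
<?php
// Added illustration: hypothetical schema and function names, not Flynax code.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data.
$pdo->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pass_hash TEXT)');
$pdo->exec('CREATE TABLE listings (id INTEGER PRIMARY KEY, title TEXT, price INTEGER)');
$ins = $pdo->prepare('INSERT INTO accounts (username, pass_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
$pdo->exec("INSERT INTO listings (title, price) VALUES ('Bike', 120), ('Car', 9000), ('Desk', 45)");

function login(PDO $pdo, string $username, string $password): bool
{
    // Form input is bound as data; it never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT pass_hash FROM accounts WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

function listListings(PDO $pdo, string $sortField, string $sortType): array
{
    // Column names and ASC/DESC cannot be bound as parameters, so the
    // request value only selects one of these fixed strings.
    $fields = ['title' => 'title', 'price' => 'price'];
    $types  = ['asc' => 'ASC', 'desc' => 'DESC'];
    $field  = $fields[strtolower($sortField)] ?? 'id';
    $type   = $types[strtolower($sortType)] ?? 'ASC';
    $sql    = "SELECT title FROM listings ORDER BY $field $type";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: one legitimate, one containing SQL metacharacters.
var_dump(login($pdo, 'alice', 'correct horse'));
var_dump(login($pdo, "alice' OR '1'='1", 'x'));
print_r(listListings($pdo, 'price', 'desc'));
// An unexpected sort_type falls back to the default order and is never executed.
print_r(listListings($pdo, 'price', 'DESC; DROP TABLE listings'));
```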

  2. #2
    Member
    Join Date
    May 2020
    Location
    Sydney, Australia
    Posts
    37
    Just curious, what Flynax version do you use?

  3. #3
    the latest

  4. #4
    Member
    Join Date
    May 2020
    Location
    Sydney, Australia
    Posts
    37
    Hi Joshua,

    May we know what sort of attack this is? Were you redirected to a different site? It happened yesterday and we already reported it to Support. It has been happening for some time and we usually clean up manually. The way they attacked is that the attacker appended extra redirection code at the end of the .js files.

  5. #5
    Flynax developer John's Avatar
    Join Date
    Oct 2009
    Posts
    606

    Fix part1

    Hi guys.
    Yes, right, the MySQL injection was found and fixed. Thank you for the report, Joshua!
    We strongly recommend applying the fix ASAP:

    1. Open file: /includes/classes/rlDb.class.php
    2. Find the code:
    PHP Code:
    Only registered members can view the code
    See the next post to continue (the forum prevented me from submitting such a long post).
    Last edited by John; November 4, 2022 at 02:17 PM.

  6. #6
    Flynax developer John's Avatar
    Join Date
    Oct 2009
    Posts
    606

    Fix part2

    3. Replace with the new code:
    PHP Code:
    Only registered members can view the code
    4. Save changes

    That is all!

    Do you have a problem with applying the fix? Submit a ticket to the tech dept. at https://support.flynax.com/index.php...kets&_a=submit, and the guys will apply the fix for you!

    John
    Last edited by John; November 7, 2022 at 07:02 AM.

  7. #7
    Quote Originally Posted by John View Post
    3. Replace with the new code:
    PHP Code:
    Only registered members can view the code
    4. Save changes

    That is all!

    Do you have a problem with applying the fix? Submit a ticket to the tech dept. at https://support.flynax.com/index.php...kets&_a=submit, and the guys will apply the fix for you!

    John
    Hello John, there is a problem when trying to upgrade/renew an expired listing. It does not save the pay_date field.

    I recommend the correction below.

    Find:
    Code:
    Only registered members can view the code.
    Change to:
    Code:
    Only registered members can view the code.

  8. #8
    Master
    Join Date
    Oct 2019
    Location
    Hungary
    Posts
    403
    Quote Originally Posted by Bahram Soltanirad View Post
    Hello John, there is a problem when trying to upgrade/renew an expired listing. It does not save the pay_date field.

    I recommend the correction below.

    Find:
    Code:
    Only registered members can view the code.
    Change to:
    Code:
    Only registered members can view the code.
    Where exactly did you replace this code? I replaced one with the code you wrote, but nothing changed, and there was no payment date either.

  9. #9
    Quote Originally Posted by Jenő Kocsi View Post
    Where exactly did you replace this code? I replaced one with the code you wrote, but nothing changed, and there was no payment date either.
    All occurrences of the code should be changed.
    The payment date is in the database, not here.

  10. #10
    Master
    Join Date
    Oct 2019
    Location
    Hungary
    Posts
    403
    Quote Originally Posted by Bahram Soltanirad View Post
    All occurrences of the code should be changed.
    The payment date is in the database, not here.
    I found the code in 4 places, changed it in two places and it's good. So, if I understand correctly, should I change it in all four places?
