RevCMS Exploits.

[Brad]

Hey people,
My staff accounts seem to be keep getting hacked, I'm not sure how or whats causing this but it would be great if you could tell me how.

My hotel URL is :

You must be registered for see links

(I'm not advertising it's for you to check for yourself)
also Add me on skype if you have a clue on how to fix: Habsence

Thanks in advance

 

[Sledmore]

It could possibly be your changing name feature in the client. Doesn't appear to be the CMS, though Detro and other scripting clients will work on your retro.

 

[Brad]

It could possibly be your changing name feature in the client. Doesn't appear to be the CMS, though Detro and other scripting clients will work on your retro.

Ok thank you! , i've now disabled the change name feature and I will now Fix the scripting. Thanks Sledmore!

 

[JayC]

I was about to check it out and then I seen Sledmore gave the advice lol, chances are your problem is fixed

 

[Brad]

It could possibly be your changing name feature in the client. Doesn't appear to be the CMS, though Detro and other scripting clients will work on your retro.

Removing the change name seems to of fixed it, Thank you. A use came on with the username "hak0r" asking why he can't change names no more, Then he left after he said that lol. Thanks.

 

[Jerry]

Dayum, someone came on my RP earlier and scripted the staff bubble and made a room promo, since I saw this, Now I knew what was the problem.. Haha.

 

[Brad]

This has not been fixed, It's still happening. This is getting really annoying. He seems to be hacking staff accounts have any idea how?

 

[JayC]

Xampp or IIS?

 

[Brad]

Xampp or IIS?

IIS

 

[JayC]

I can see that on your register page your div box is not complete, causes of this can be not closing tags correctly, this means that the html file is trying to find an end tag, if people really know what they are doing they can use that tag to get into your database.. I am not a professional hacker I really don't care for hacking, but it is an exploit.

Example:

<div>
My Stuff

There is no </div> meaning people could use the unclosed <div> tag to get into your files..

Tags that DO NOT need to be closed:
<br>
<hr>


Solutions:
Recode your cms, (check for tags not closed at least)
or get a new one!

 

[saif]

Its the cms , because this has happend to my hotel I will try fix this exploit but first can you tell me which cms was you using before you changed the cms? And was you using The hk by lewislol? (just wondering)

 

[Valss]

Good luck

 

[Brad]

Good luck

with?

 

[Jerry]

Might be something with the Account Settings page, I heard the motto or somewhat can be changed into a rank script that can be exploited, Not sure.. Just heard.

 

[Brad]

Might be something with the Account Settings page, I heard the motto or somewhat can be changed into a rank script that can be exploited, Not sure.. Just heard.

It's not that there ranking themself there gaining access to any staff users accounts thanks though

 

[Brad]

I have now fixed the exploit, I forgot to remove the password recover function. Thank you for who tried to help me & did

 

[Stevee]

I was gonna say, that they could decrpyt passwords if your staff has played other hotels.. thats what certain people did to a certain hotel.