I'm going to be brutally honest. This code is not suitable for public use, at all.
First file I opened, first lines I read are a massive red flag. See: https://github.com/Snelvuur/SSMS/blob/master/addserver.php lines 15-23. Data is being taken from the $_POST superglobal and inserted into several variables. Scroll down to about line 74. These previously referenced variables are being inserted directly into a mysql_query unsanitized.

See: https://github.com/Snelvuur/SSMS/blob/master/rcon.php#L47 Data directly from $_GET is being used directly in a query, once again unsanitized. Plus, there's zero authentication in place for the "rcon.php" page itself, so virtually anyone can just waltz right in and start firing off RCON commands to the server, no matter who it is. Don't assume that "nobody can see the site, it's safe" - google has a way of finding these things, and script kiddies have their own way of following google in as well.

You have multiple SQL injections throughout the code, and I only opened three files to look. XSS looks prevalent throughout, CSRF is easily possible, and at this rate I'm betting there's going to be a shell_exec() or an eval() vuln as well somewhere.

http://lmgtfy.com/?q=mysql+sanitize+inputs+php
^ Start reading.

To those who've installed this application, remove it *immediately*.

> Message: 4
> Date: Sat, 14 Jan 2012 12:38:02 +0100
> From: "Eric Riemers" <[email protected]>
> To: "'Half-Life dedicated Linux server mailing list'"
> <[email protected]>
> Subject: [hlds_linux] new tool for management
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="us-ascii"
>
> All,
>
> My contribution to management and automatic updates. I hope people find it
> useful.
> https://forums.alliedmods.net/showpost.php?p=1623326&postcount=1
>
> Erik
> _______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please visit: https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
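For readers following the review, here is the pattern it objects to (form fields concatenated into a mysql_query string, an RCON page with no login check) beside the corrected shape: input validation, an authentication gate, and PDO prepared statements. This is an added example, not code from the SSMS project; the table and field names (servers, name, ip, port) and the session key user_id are assumptions, and SQLite in memory stands in for MySQL so it runs stand-alone.

```php
<?php
// Added example, not SSMS code. Schema (servers: name, ip, port) and the
// session key 'user_id' are assumptions for illustration only.
declare(strict_types=1);

// Gate every management page; the reviewed rcon.php has no check at all.
function requireLogin(array $session): void
{
    if (empty($session['user_id'])) {
        http_response_code(403);
        exit('Login required');
    }
}

// Validate before anything reaches the database: a real IP and a real port.
function validateServerInput(array $post): array
{
    $ip   = filter_var($post['ip'] ?? '', FILTER_VALIDATE_IP);
    $port = filter_var($post['port'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 65535]]);
    $name = trim((string)($post['name'] ?? ''));
    if ($ip === false || $port === false || $name === '' || strlen($name) > 64) {
        throw new InvalidArgumentException('invalid server fields');
    }
    return ['name' => $name, 'ip' => $ip, 'port' => $port];
}

// The unsafe shape from the review, kept only as the "before" (never run it):
//   mysql_query("INSERT INTO servers VALUES ('$name','$ip','$port')");

// Safe shape: SQL text is fixed, user data travels as bound parameters.
function addServer(PDO $db, array $post): int
{
    $s = validateServerInput($post);
    $stmt = $db->prepare('INSERT INTO servers (name, ip, port) VALUES (:name, :ip, :port)');
    $stmt->execute([':name' => $s['name'], ':ip' => $s['ip'], ':port' => $s['port']]);
    return (int)$db->lastInsertId();
}

// Self-contained demo: in-memory SQLite instead of a live MySQL server.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE servers (id INTEGER PRIMARY KEY, name TEXT, ip TEXT, port INTEGER)');
requireLogin(['user_id' => 42]);  // constructed session that passes the gate

// Constructed input: the apostrophe would break the string-built query above
// but is stored verbatim when it is bound as a parameter.
$id = addServer($db, ['name' => "Bob's #1 Server", 'ip' => '203.0.113.10', 'port' => '27015']);
$row = $db->prepare('SELECT name, ip, port FROM servers WHERE id = ?');
$row->execute([$id]);
print_r($row->fetch(PDO::FETCH_ASSOC));
```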

