View Full Version : [Release] gllcTS2 Webpost for TeamSpeak 2
Tristan1990
08-06-2008, 00:34
Is there any possibility to use the viewer of this script to embed in a website, like the viewer of tswebtec.com?
Sorry for my bad English :P
Zup Arkhen
27-06-2008, 01:29
There is a vulnerability with GLLCTS2.
It's possible to perform a SQL injection with login.php.
To fix this, open login.php and at line 20 find:
$r = query("SELECT * FROM $dbtable1 WHERE server_id='$_GET[detail]'");
And replace it with:
// Escape the detail parameter before it is placed in the query
$id_serveur = mysql_real_escape_string($_GET['detail']);
$r = query("SELECT * FROM $dbtable1 WHERE server_id='$id_serveur'");
You can replace $id_serveur with $server_id! :p
!UPDATE!
There is a second vulnerability.
In listing.php you can perform a SQL injection with $sort.
To fix this, open listing.php and at line 30 search for:
$sort = $_GET["sort"];
Replace with:
//Fix $sort (SQL Injection) by Zup Arkhen (http://www.mondesvirtuels.info)
switch ($_GET['sort'])
{
    case "server_password":
        $sort = "server_password";
        break;
    case "server_name":
        $sort = "server_name";
        break;
    case "server_ip":
        $sort = "server_ip";
        break;
    case "clients_current":
        $sort = "clients_current";
        break;
    case "clients_maximum":
        $sort = "clients_maximum";
        break;
    case "server_platform":
        $sort = "server_platform";
        break;
    default:
        $sort = "server_name";
        break;
}
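Added example, not part of the thread or of gllcTS2: both fixes from the post above written for current PHP, with a PDO prepared statement in place of mysql_real_escape_string (the mysql_* functions were removed in PHP 7) and an allowlist array in place of the switch. The table name ts2_servers, the sample rows, the helper names and the assumption that server_id is numeric are illustrative.

```php
<?php
// Added example, not gllcTS2 code. Table name and rows are constructed;
// the column names are the ones allowed by the switch in the post above.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE ts2_servers (
    server_id INTEGER PRIMARY KEY, server_name TEXT, server_ip TEXT,
    server_password INTEGER, clients_current INTEGER,
    clients_maximum INTEGER, server_platform TEXT)");
$db->exec("INSERT INTO ts2_servers VALUES
    (1, 'Bravo', '192.0.2.10', 0, 4, 16, 'Linux'),
    (2, 'Alpha', '192.0.2.11', 1, 9, 32, 'Win32')");

const SORTABLE = ['server_password', 'server_name', 'server_ip',
                  'clients_current', 'clients_maximum', 'server_platform'];

// Identifiers cannot be bound as parameters, so ORDER BY needs an allowlist.
function safe_sort($requested): string
{
    return in_array($requested, SORTABLE, true) ? $requested : 'server_name';
}

// listing.php equivalent: only an allowlisted column name reaches the SQL text.
function list_servers(PDO $db, $sort): array
{
    $column = safe_sort($sort);
    return $db->query("SELECT server_id, server_name FROM ts2_servers ORDER BY $column")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// login.php equivalent: the value is bound, never concatenated into the SQL.
function server_detail(PDO $db, $detail): array
{
    // Assumption: server_id is numeric, so arrays and non-digit input are rejected early.
    if (!is_string($detail) || !ctype_digit($detail)) {
        return [];
    }
    $stmt = $db->prepare('SELECT * FROM ts2_servers WHERE server_id = :id');
    $stmt->execute([':id' => (int) $detail]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request values standing in for $_GET['sort'] and $_GET['detail'].
var_dump(safe_sort('clients_current'));              // name on the allowlist
var_dump(safe_sort('server_name; DROP TABLE x'));    // name not on the allowlist
var_dump(safe_sort(['server_name']));                // array input (?sort[]=...)
var_dump(array_column(list_servers($db, 'server_ip'), 'server_name'));
var_dump(count(server_detail($db, '2')));            // plain numeric id
var_dump(count(server_detail($db, "2' OR '1'='1"))); // quote-bearing value
```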
Middystyle
07-04-2009, 11:01
I've been running this script for a while now. It's a fine script, and useful, because I have 3 servers running at this moment.
So keep up the good work!