Getting info syntax line not secured

[skullmonkey]

Hello,
the line for getting statistics is giving the statistics witn ANY word entered as password

http://www.theunsubscriber.com/lm/lm.ph ... tinfo&pwd=ANYWORD

S@

EDIT: Actually any syntax for Admin works with any word as password.
For instance, the Diagnostics syntax gives away my SQLbase name, user and password.

 

[stanbusk]

You should contact your server about that. The PHP interpreter there is giving a 'true' value for comparisons whatever the text your enter. I have been selling MLM for more than 6 years and believe me, first time I see that, amazing!

 

[skullmonkey]

Hi stanbusk,

what exactly should I ask from my host department? Is it a string in php.ini that I should change...?

Thanks,
S@

 

[stanbusk]

In lm.php you will find a lot of lines like this one:


if ( $pwd == $admin_password ) { .....

where $admin_password is deifined this way:


if ( isset( $_REQUEST['pwd'] ) && !empty( $_REQUEST['pwd'] ) ) { $pwd = $_REQUEST['pwd']; }