10-14-2009, 07:24 PM
airtalking
must read for server ops: vulnerability in charmover

I audited the stock charmover code and found a problem. If magic quotes is disabled it is possible to inject SQL, and since the utility requires UPDATE privileges on its acct this could be pretty bad.

The two variables plugged into the SQL statements that come from user input are login server name and character name. In the stock build, everywhere these occur they come with single quotes around them. If magic quotes are disabled it would allow a user to inject a quote to get out of that particular literal.

If you have modified your charmover and have a user-passed variable that is plugged into one of your SQL statements, and that variable is not surrounded by quotes, OR you have magic quotes disabled, you should fix it quick. If you are not sure one way or another you need to apply something like the code below.

FYI, magic quotes escapes any escape or quote in a user passed variable. The code below will add escapes to a variable if magic quotes is off.

Code:
// add escapes only when magic quotes has not already done it
if (!get_magic_quotes_gpc()) $lsusername = addslashes($_POST['lsusername']);
else $lsusername = $_POST['lsusername'];

There are SEVERAL places username and character name are pulled from the post array, so check your code closely.
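An added example, not part of the original post or the charmover code: one way to take the magic quotes setting out of the picture is to read both values through a single helper and pass them to the database as bound parameters. The table and column names, the helpers `raw_post` and `move_character`, and the sample rows are assumptions, and an in-memory SQLite database stands in for the server's MySQL database.

```php
<?php
// Added example. Table, column and helper names and the sample rows are
// constructed for illustration; they are not the charmover schema.

// Return the raw value of a request field regardless of the magic quotes setting.
function raw_post(array $post, string $key): string
{
    $value = isset($post[$key]) ? (string) $post[$key] : '';
    // get_magic_quotes_gpc() was removed in PHP 8, hence the function_exists() guard.
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value); // undo the automatic escaping
    }
    return $value;
}

// Move a character to another account. Both user-supplied values are bound as
// parameters, so quotes inside them are data and never part of the statement.
function move_character(PDO $db, string $lsusername, string $charname): int
{
    $find = $db->prepare('SELECT id FROM account WHERE name = ?');
    $find->execute([$lsusername]);
    $accountId = $find->fetchColumn();
    if ($accountId === false) {
        return 0; // unknown login server name
    }
    $move = $db->prepare('UPDATE character_ SET account_id = ? WHERE name = ?');
    $move->execute([$accountId, $charname]);
    return $move->rowCount();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE account (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec('CREATE TABLE character_ (name TEXT, account_id INTEGER)');
$db->exec("INSERT INTO account VALUES (1, 'alice'), (2, 'bob')");
$db->exec("INSERT INTO character_ VALUES ('Soandso', 1), ('Other', 1)");

// Constructed request data. The second character name contains a single quote,
// which would end a quoted literal early if it were concatenated unescaped.
$requests = [
    ['lsusername' => 'bob', 'charname' => 'Soandso'],
    ['lsusername' => 'bob', 'charname' => "So'andso"],
];
foreach ($requests as $post) {
    $n = move_character($db, raw_post($post, 'lsusername'), raw_post($post, 'charname'));
    echo $post['charname'], ' => rows updated: ', $n, "\n";
}
```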
All times are GMT -4.