
Thread: My site

  1. #91
    rvt's Avatar Poster BT Rep: +1
    Join Date
    Aug 2007
    Posts
    368
    Let's see if I can explain this to you.

    Fail 1) The very old SSL certificate. Looks like it came with XAMPP. As you seem incapable of grasping the basics, anyone with a copy of XAMPP also has a copy of your SSL certificate, and the private key needed to decode the traffic.

    In simple terms, this means that your "extreme security" is actually no better than plain text over HTTP. Anyone in the world can decrypt your SSL traffic.

    That certificate works fine if it's for testing on localhost (which is who it is issued to), but it is not supposed to be used on the wider internet.

    Fail 2) Having written a patch designed to quickly plug XSS holes for tbdev, I think I would know if it was applied. Your site will accept XSS attacks in at least 2 places, meaning I can steal cookies from your members.

    Fail 3) Having also written a patch to quickly protect against stolen cookies, I can say that you haven't applied it.
    Without protection from stolen cookies, I can then access their accounts.

    Fail 4) Having further written patches to require the current password on email or password changes, guess what your site is lacking.
    So after an attacker steals the cookies from your users, there is nothing to stop him changing their email and password, locking them out permanently.

    Fail 5) Having also written a patch to stop users faking their connection IPs completely and easily, I can again say that this is not in place.
    As long as I can tell your site that I am actually connecting from the whitehouse, good luck finding out who is attacking you and stealing the accounts of your users. You also cannot block their proxies, as they don't need to use any.
    Fixing this is a requirement if you want to fix stolen cookies.

    This isn't even touching on what can be done once an attacker steals an admin or sysop account.

    If you cannot understand any of the above, then you have no business at all talking about security, let alone claiming to be totally secure.

    If you cannot apply security patches to a basic source, you have no business claiming to have written your own custom code. We all know it's tbdev, applying a few patches does not a coder make.
    The airplane of hit will deprave the ground
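    Fail 5 above describes a site that believes a client-supplied forwarding header instead of the address of the TCP peer, which is also why it undermines any stolen-cookie defence that ties a session to an IP. The following is an added illustration written for this thread, not rvt's patch and not tbdev code; the trusted-proxy list, the function names and the sample request are assumptions.

```php
<?php
// Added example (not tbdev code). Derive the client address from the TCP peer
// and only honour X-Forwarded-For when the peer is a reverse proxy we run ourselves.
// TRUSTED_PROXIES is an assumed placeholder; fill it with your own proxy addresses.
const TRUSTED_PROXIES = ['10.0.0.5'];

// Vulnerable pattern the post describes: the header is trusted unconditionally,
// so the client picks whatever address it wants to be logged and banned under.
function client_ip_naive(array $server): string
{
    return $server['HTTP_X_FORWARDED_FOR'] ?? ($server['REMOTE_ADDR'] ?? '');
}

// Hardened pattern: REMOTE_ADDR is filled in by the web server from the socket,
// so a client cannot change it without controlling the TCP connection itself.
function client_ip(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, TRUSTED_PROXIES, true)) {
        return $peer; // direct client: forwarding headers are ignored entirely
    }
    // Behind our own proxy: take the LAST hop the proxy appended, not the first
    // entry, because the leading entries are whatever the client chose to send.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    $last = end($hops);
    return filter_var($last, FILTER_VALIDATE_IP) !== false ? $last : $peer;
}

// Constructed request: a direct client claiming to come from somewhere else.
$req = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.1',
];
echo "naive:    ", client_ip_naive($req), PHP_EOL; // the claimed address
echo "hardened: ", client_ip($req), PHP_EOL;       // the real peer address
```

Binding a session to the value returned by client_ip(), rather than to the naive one, is what makes an IP check on cookies worth anything; bound to the naive value, the thief simply sends the victim's address in the header.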

  2. BitTorrent   -   #92
    deadalive1's Avatar VS ***** BT Rep: +2
    Join Date
    Aug 2007
    Posts
    639
    Ouch, that site has more holes in it than Swiss cheese.
    Please do not randomly PM asking for invites as I have none to give out. Have a nice day.

  3. BitTorrent   -   #93
    good tell ^^

  4. BitTorrent   -   #94
    FSC [Fight Club] BT Rep: +2
    Join Date
    May 2006
    Posts
    612
    Wait a second. You're saying:
    1. You've already been hacked
    2. You have rogue ex-staffers handling the DB (btw, nice job finding trustworthy staff)
    3. You're doing a shitty job patching tbdev

    Where do I sign up?

  5. BitTorrent   -   #95
    DISABLED PRIVS BT Rep: +25
    Join Date
    Oct 2007
    Age
    38
    Posts
    975
    /me joins the line

  6. BitTorrent   -   #96
    ..... BT Rep: +2
    Join Date
    Jul 2007
    Posts
    3,356
    Good luck.
    Last edited by pone44; 08-28-2008 at 04:26 AM.

  7. BitTorrent   -   #97
    Sexeh BT Rep: +35
    Join Date
    Sep 2006
    Posts
    1,036
    Quote Originally Posted by DV8type:
    Wait a second. You're saying:
    1. You've already been hacked
    2. You have rogue ex-staffers handling the DB (btw, nice job finding trustworthy staff)
    3. You're doing a shitty job patching tbdev

    Where do I sign up?
    Sounds leet to me
    Do not pm me for invites. At the moment I will not be participating here in that regard. I will ignore your pm.

  8. BitTorrent   -   #98
    We've generated random SSL keys and now have SSL encryption. We've added the patches and have plugged known holes. The site is nearly complete and we will start letting our uploaders get to our previous 207 torrents. Thanks rvt for the help.

  9. BitTorrent   -   #99
    rvt's Avatar Poster BT Rep: +1
    Join Date
    Aug 2007
    Posts
    368
    Not had time to check all, but glad you paid attention.

    Try not to mention how "unhackable" you are in future though, because next time it'll probably be someone handing you your ass by sending all your users to a Chinese virus site. The mention of how great your security is is like a challenge.

    Now that you've applied those patches, I'd recommend a comb through all your files when you get the time, and make sure that every _POST, _GET and _REQUEST is wrapped in sqlesc() before being sent to the database and htmlentities() before being output to page. It's not quick though, took me 3 days at 24/7 when I opened.
    The sqlesc() will keep your database safe, and htmlentities() is the more permanent fix for XSS attacks.

    After that, you may want to check out your forum's quote function. Can't remember if it's hit tbdev yet, but a bug in there allows reading of staff forums by users. Again, it's not quick to fix, so you may want to ask an experienced coder for help on that.
    The airplane of hit will deprave the ground
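    The comb-through rvt recommends in post #99 is the same parameter escaped once per context: sqlesc() on the way into the query and htmlentities() on the way out to the page. Below is an added illustration for this thread, not tbdev's code: sqlesc() is an assumed reimplementation of the tbdev helper (quote plus escape for MySQL), $db is an assumed open mysqli connection, and the torrents table and its columns are made up for the example.

```php
<?php
// Added example (not tbdev code). One request parameter, escaped for each
// of the two contexts it reaches: the SQL string literal and the HTML body.

// Assumed reimplementation of tbdev's sqlesc(): escape AND add the quotes, so
// callers cannot forget them (an unquoted value in a query is a classic leftover hole).
function sqlesc(mysqli $db, string $value): string
{
    return "'" . $db->real_escape_string($value) . "'";
}

// Output wrapper: ENT_QUOTES also covers attribute values, not only element text.
function h(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern: raw request data reaches both the query and the page.
function search_vulnerable(mysqli $db, array $get): string
{
    $q = $get['q'] ?? '';
    $db->query("SELECT id, name FROM torrents WHERE name LIKE '%" . $q . "%'");
    return "<p>Results for " . $q . "</p>";
}

// Hardened pattern: the same parameter is wrapped per context before use.
function search_hardened(mysqli $db, array $get): string
{
    $q = $get['q'] ?? '';
    // LIKE wildcards are not injection, but they are still user-controlled; escape
    // them so a search for "%" cannot be turned into a full-table listing.
    $like = str_replace(['%', '_'], ['\\%', '\\_'], $q);
    $db->query("SELECT id, name FROM torrents WHERE name LIKE " . sqlesc($db, "%$like%"));
    return "<p>Results for " . h($q) . "</p>";
}
```

Prepared statements with bound parameters make the SQL half of this unnecessary and are the better long-term fix; htmlentities() on output stays needed either way, because the database escaping does nothing for the HTML context.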

  10. BitTorrent   -   #100
    BANNED BT Rep: +25
    Join Date
    Jan 2008
    Posts
    1,338
    Lollercaust
