Smokey, I thought about this more.. I agree, but overall... Not really.
They can't run/upload/execute anything without it being a plugin / script uploaded via FTP first. You can't upload or add anything to the system via the NATS admin. Smarty won't run PHP, can't do includes, won't do redirects... NATS locked down several exploitable parts of Smarty already.
So other than direct join template changes or an iframe exploit in the admin templates (which would take 2 seconds to look and see).. I don't really think they could do much damage this way.
Now, they could have deleted members, webmasters, templates, sites, programs, etc. A small issue, needless to say.