unknown user, 15.12.2007 16:51:20:
I figured I hadn't pissed off enough of the "prominent" people in the challengers community, so here's another installment of rhican makes enemies the lolzor way. Among other places, there is an injection here: http://[removed to protect caesum's site until he is active again - seconded by quangntenemy]/ Our ""great"" caesum seems to think that filtering the ' character is enough to prevent an SQL injection. lulz @ http://www.caesum.com/handbook/exploits.htm
Quote: 5.0.22:caesum_com [2007-12-15 10:37:51]
incompetence++
EDIT: what, censoring me? check the end of this thread then.

alt3rn4tiv3, 15.12.2007 16:56:02:
I figured you shouldn't be posting it so publicly. But I guess I'll leave it up to you / Caesum / the other admins.

unknown user, 15.12.2007 17:00:15:
I don't see the "post less public" button; might want to get to work on that.

alt3rn4tiv3, 15.12.2007 17:21:24:
I refer to the somewhat self-censorship of the exact exploit in a public forum such as this.

unknown user, 15.12.2007 17:22:13:
yeah i don't believe in that.

alt3rn4tiv3, 15.12.2007 17:25:20 (edited by alt3rn4tiv3 on 15.12.2007 17:27:50):
right. then perhaps you could complete your post with some suggestions of what should be done instead so that the rest of the community can learn from your experience. unless, of course, you don't believe in that either.

unknown user, 15.12.2007 17:27:40:
if you read http://en.wikipedia.org/wiki/Self_censorship you will learn that self-censorship is a fear-motivated act. And i refuse to act out of fear. (then the terrorists win, pun intended) It's not my responsibility to fix it.

alt3rn4tiv3, 15.12.2007 17:35:56:
no one said it's your responsibility to fix it. or your responsibility to do anything at all, for that matter. i merely suggested that you don't post the exact exploit so that others don't put it to malicious use. it is, of course, my own opinion again, which you are free to disagree with anytime. we are all grateful for and clear of your noble intentions. i also added a suggestion to teach others how to prevent / fix it. it was a suggestion made with good intent, in accordance with what i thought was your goal (educating the community). if you feel that it is a responsibility and you are not obligated to do so, again, feel free.

unknown user, 15.12.2007 18:04:04:
so i would make you happy if i told people about int_val() and is_numeric(), as well as include this: NEWS FLASH: user input is HOSTILE. treat it as an enemy, check every bit, check cookies even though your website sets them, check anything and everything that is used as input ... as your mom would say, put that down, you don't know where it has been.

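The two points the thread makes (filtering the ' character does not stop SQL injection, and numeric input should go through intval() and is_numeric(); the post above writes the first as int_val()) are easier to see side by side in code. The following PHP is an added illustration for this thread; it is not code from the thread, from the site being discussed, or from the handbook linked above. It assumes PHP with PDO and the sqlite driver available, and the table name pages, the column names and all the inputs are constructed for the example.

```php
<?php
// Added illustration (not code from the thread or from the site discussed).
// Shows why stripping the ' character does not protect an unquoted numeric
// parameter, and what strict validation plus a prepared statement looks like.
// Table/column names and the inputs below are constructed for this example.

declare(strict_types=1);

// The weak approach discussed in the thread: remove single quotes and splice
// the value straight into the SQL text. For an integer id the SQL has no
// quotes around the value, so there is nothing for a quote filter to catch.
function buildQueryQuoteFilter(string $id): string
{
    $clean = str_replace("'", '', $id);
    return "SELECT title FROM pages WHERE id = " . $clean;
}

// Strict validation: accept only a string that is entirely digits (optionally
// with a leading minus), then coerce it with intval(). is_numeric() alone also
// accepts forms such as "1e3" and " 12" (and hexadecimal strings in PHP 5),
// so the anchored regex is the real gate here; intval() is only the cast.
// \z rather than $ so a trailing newline cannot slip past the check.
function validateId(string $id): ?int
{
    if (!preg_match('/^-?[0-9]{1,9}\z/', $id)) {
        return null;            // not an integer literal: reject, do not "clean"
    }
    return intval($id);
}

// The hardened form: the value never touches the SQL text. The placeholder is
// bound as an integer, so the database engine treats it as data, never as SQL.
function fetchPageTitle(PDO $db, string $rawId): ?string
{
    $id = validateId($rawId);
    if ($id === null) {
        return null;            // hostile or malformed input: refuse the request
    }
    $stmt = $db->prepare('SELECT title FROM pages WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['title'];
}

// Demonstration on constructed inputs; sqlite in memory so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO pages VALUES (1, 'home'), (2, 'about')");

$inputs = ['2', '2 OR 1=1', "2' OR '1'='1"];
foreach ($inputs as $in) {
    // What the quote-only filter would have handed to the database:
    echo "quote filter : " . buildQueryQuoteFilter($in) . "\n";
    // What strict validation plus parameter binding does with the same input:
    $title = fetchPageTitle($db, $in);
    echo "validated    : " . ($title === null ? 'rejected' : "title=$title") . "\n\n";
}
```

Run it with the PHP CLI. The first input passes both paths; the second shows that the quote filter leaves a non-numeric value intact in the query text because it contains no quote at all; the third shows the filter actually turning a quoted value into an unquoted one. Both bad inputs are rejected outright by validateId(), and because fetchPageTitle() binds the value as PDO::PARAM_INT, even a valid id is never concatenated into the statement.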
aceldama, 15.12.2007 21:59:43:
the problem is not in the posted exploit - exact or implied. if a problem exists, a user with malicious intent WILL find and exploit it themselves. i'm sorry, but i have to agree with rhican on this. if we have to count all our words, what's the use of speaking out? what would be the point of "having a public voice". sure he could've been more graceful in the way he put things, but if anything, posting the "whole exploit" just took some of the fun out of discovering it yourself.
