INFO IPTV Smarters Web Player 2.0 Exploit

xcopener


Shocking security on a smarters product strikes again ;)

I also have an exploit for the V1 player (not the image upload one) - they really are poor at security.
 

abelcustoms


Shocking security on a smarters product strikes again ;)

I also have an exploit for the V1 player (not the image upload one) - they really are poor at security.
This is a child's play exploit; there are a few known injection methods, CBC backdoors, that can be applied to the hosted server to get root access, without ever logging in as root or leaving history in the log. I mentioned from day one this was not a safe webplayer. The devs there can code but they are sloppy and don't patch known security bugs even if it's reported to them. I have zero hope they will patch it, just make your panel read only after you have made changes.
 

xcopener

It's a rookie error from them for sure.

In this case the injection method is a little convoluted but it's a simple enough exploit, yes - I hope they will take notice and fix it but I'm not holding my breath...

People need to know not to trust these people with their information.
 

abelcustoms

It's a rookie error from them for sure.

In this case the injection method is a little convoluted but it's a simple enough exploit, yes - I hope they will take notice and fix it but I'm not holding my breath...

People need to know not to trust these people with their information.
Take one, for example: you purchase their VPN panel service to run your own USA VPN servers, yet somehow you get an Indian-language Google search and Indian ads. Think about it for a second. I did a good scan on the server and found a few things that I did not like, which is the reason I stopped using their VPN service. Their idea of running a VPN service for resellers is great, but their morals are wrong.
 

xcopener

So in other words, shouldn't use this then LOL

Absolutely! Even though they state "Note: We don't store playlist or user's credentials." on the player - this is obviously a lie.

Private instances of the player, hosted by providers, can also be exploited in most cases, so I'd recommend avoiding the player altogether until it is patched.

I tried to reach out to Smarters about details of the exploit but their info email address listed on their website doesn't even work 🤦‍♂️
 

abelcustoms

Absolutely! Even though they state "Note: We don't store playlist or user's credentials." on the player - this is obviously a lie.

Private instances of the player, hosted by providers, can also be exploited in most cases, so I'd recommend avoiding the player altogether until it is patched.

I tried to reach out to Smarters about details of the exploit but their info email address listed on their website doesn't even work 🤦‍♂️
I've reached Amar many times over Skype, and his employees. If you ever do a chargeback via PayPal, don't let them convince you to cancel the claim. They won't fix their issues and run off with the money and render your services useless because they never deliver anything. You won't get anywhere trying to talk to them.
 

Zorro92


Shocking security on a smarters product strikes again ;)

I also have an exploit for the V1 player (not the image upload one) - they really are poor at security.
Hey there! Just wondering if you got my email as I haven't received a response :)
Just looking for a little more information
 

abelcustoms

Hey there! Just wondering if you got my email as I haven't received a response :)
Just looking for a little more information
In order to fix this, you have to go and look at the code all over again, sanitize everything, and ensure there is a preventive action with restrictions. I don't think this is using PDO, but changing your database outputs and inputs would help with SQL injections. Too much work buddy; you are better off using a player like Streamity that's on GitHub. This runs using React JS and a well-known developer helps maintain it. It's also a free product from IPTV Editor; that player is also here on this forum.
 

Zorro92

In order to fix this, you have to go and look at the code all over again, sanitize everything, and ensure there is a preventive action with restrictions. I don't think this is using PDO, but changing your database outputs and inputs would help with SQL injections. Too much work buddy; you are better off using a player like Streamity that's on GitHub. This runs using React JS and a well-known developer helps maintain it. It's also a free product from IPTV Editor; that player is also here on this forum.
Actually I was hoping to find a more complete list since I found at least one member. I don't wanna go through and change everyone's password based on one member.
 

abelcustoms

Actually I was hoping to find a more complete list since I found at least one member. I don't wanna go through and change everyone's password based on one member.
There is less than a 1% chance someone will attempt to crack those lines, bud. They are more interested in well-known services. If you are running XUI, you are pretty vulnerable. All it takes is a trial account to get access to every reseller and a password. Possibly admin credentials as well. They can see who you get your restreams from, etc. This leak should be the least of your worries.
 

Zorro92

There is less than a 1% chance someone will attempt to crack those lines, bud. They are more interested in well-known services. If you are running XUI, you are pretty vulnerable. All it takes is a trial account to get access to every reseller and a password. Possibly admin credentials as well. They can see who you get your restreams from, etc. This leak should be the least of your worries.
Xui.one?
 

abelcustoms

I believe there is a dev that made one for XUI and StreamCreed, NXT. I don't know about Xui.one, but the panel itself sucks in general. The alternative panels that I know are safe for now are ACES, 1Stream, and ZAPX. I would avoid the nulled version of 1Stream going around.
 

AndyHax

Hey there! Just wondering if you got my email as I haven't received a response :)
Just looking for a little more information
Update here (y)
 

AndyHax

In order to fix this, you have to go and look at the code all over again, sanitize everything, and ensure there is a preventive action with restrictions. I don't think this is using PDO, but changing your database outputs and inputs would help with SQL injections. Too much work buddy; you are better off using a player like Streamity that's on GitHub. This runs using React JS and a well-known developer helps maintain it. It's also a free product from IPTV Editor; that player is also here on this forum.
Streamity has one of the most glaringly obvious security issues. It’s not exploitable directly but can be used to explore server-side for weaknesses - I certainly wouldn't be comfortable using it without modifications.
 

abelcustoms

Streamity has one of the most glaringly obvious security issues. It’s not exploitable directly but can be used to explore server-side for weaknesses - I certainly wouldn't be comfortable using it without modifications.
Everything has vulnerabilities one can exploit. You just have to find them. Being still under development, exploits can be reported when found and patched. Unlike Smarters, that's a whole other $ht show.
 

AndyHax

Everything has vulnerabilities one can exploit. You just have to find them. Being still under development, exploits can be reported when found and patched. Unlike Smarters, that's a whole other $ht show.
They do - but some mistakes should never be made. If the Smarters exploit is “child’s play” this one must be dog’s play…

I’ll happily report it but anyone with more than a day’s PHP experience should have spotted it on first glance.

For info, the issue is: the proxy file can be used to read any file on the server which the web server user has access to, usually including /etc/passwd and any config files with database credentials etc.
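A defensive illustration of the proxy-file class of bug AndyHax describes, added here; it is not code from Streamity, IPTV Smarters or any poster. It assumes a PHP proxy endpoint that receives an already-decoded request value (for example from $_GET), and the function name, $allowedHosts and $localDir are assumed names for the endpoint's own configuration:

```php
<?php
// Illustration added here, not code from Streamity, IPTV Smarters or any poster.
// Insecure pattern (do not deploy): $data = file_get_contents($_GET['url']);
// With that, the web server user can be made to read any local file it can open.

/**
 * Resolve a proxy request to something the endpoint is allowed to fetch.
 * Returns the target, or null if the request must be refused.
 * $allowedHosts: HTTP(S) hosts the proxy may contact (assumed config value).
 * $localDir: the only local directory readable through the proxy (assumed).
 */
function resolveProxyTarget(string $requested, array $allowedHosts, string $localDir): ?string
{
    // Null bytes and control characters never belong in a URL or path.
    if (preg_match('/[\x00-\x1f]/', $requested)) {
        return null;
    }
    $parts = parse_url($requested);
    if ($parts === false) {
        return null;
    }
    // Remote fetch: only http/https, only to an allowlisted host. This also
    // refuses php://, file://, data:, phar:// and other stream wrappers.
    if (isset($parts['scheme'])) {
        $scheme = strtolower($parts['scheme']);
        if (!in_array($scheme, ['http', 'https'], true)) {
            return null;
        }
        $host = strtolower($parts['host'] ?? '');
        return in_array($host, $allowedHosts, true) ? $requested : null;
    }
    // Local file: canonicalise and require the result to stay inside $localDir.
    // realpath() collapses ../ and follows symlinks, so a link that points
    // outside the directory is rejected as well.
    $base = realpath($localDir);
    $path = realpath($localDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null;
    }
    if ($path !== $base && strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}
```

Logging every refused request (the raw value and the remote address) gives a cheap detection signal for traversal attempts against a hosted player, and pairs with running the web server user with no read access to files outside the document root.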
 