From: secret d. <dr...@do...> - 2005-02-25 05:45:37
I'm getting a little frustrated because I made bloxx_logs a doRender but
I can't test it because I can't figure out how to use the <bloxx_mod> thing...
I already tried stuff like <bloxx_mod module="logs" view="logs"
param="-1"></bloxx_mod> and other things, but nothing.... :-/
I can't even figure out how doRender is called :-/
First is doRender, after is a render function that calls doRender, then
there are lots of render* functions so a search doesn't help :-/
Anyway... after that I looked at index.php and... I really don't know, but
I'm getting the impression that anyone can call a module and send commands
with POST without any kind of restrictions?
    if (isset($_POST['module']) && $_POST['module'] != '')
    {
        $modname = 'bloxx_'.$_POST['module'];

        include_module_once($_POST['module']);
        $mod = new $modname();
        $mod->processForm($_POST['command']);
    }
I can call admin for example, on a site where admin was never configured
:-/
And other things like...
if I have something like
    class bloxx_something {
        function bloxx_something($blabla){
            $this->othervar = $blabla;
        }
        ...
    }
and $this->othervar is a database var, it disappears :-/
I used a solution that was using another var that isn't a db var to
hold the $blabla value, then copy it every time I run a function :-/
Hasta ;-)
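The index.php dispatch quoted in the mail turns whatever POST sends in `module` into a class name and hands `command` straight to processForm(). As an added example (not bloxx's own code), here is the same dispatch gated by an explicit allowlist; the bloxx_logs class, the PUBLIC_MODULES table and the include_module_once() stub are stand-ins so the file runs on its own.

```php
<?php
// Added example, not code from bloxx: the index.php dispatch with an explicit
// allowlist. bloxx_logs and include_module_once() below are stand-ins so the
// file runs on its own; PUBLIC_MODULES is a constructed table.

// Constructed sample module, shaped like the bloxx_<name> classes in the mail.
class bloxx_logs
{
    public function processForm($command)
    {
        return "logs: $command";
    }
}

// Modules (and the commands of each) that a bare POST may reach.
// 'admin' is deliberately absent: no form field should be able to name it.
const PUBLIC_MODULES = [
    'logs' => ['view'],
];

// Stand-in for bloxx's own include_module_once().
function include_module_once($name)
{
    return class_exists('bloxx_' . $name, false);
}

// Returns the module's result, or null when the request is refused.
function dispatch(array $post)
{
    $module  = isset($post['module'])  ? $post['module']  : '';
    $command = isset($post['command']) ? $post['command'] : '';
    // Exact-match allowlist on a string: the submitted value never becomes a
    // class name by itself, so bloxx_admin (or any other class) is unreachable.
    // is_string() also refuses module[]=... array values sent from the form.
    if (!is_string($module) || !array_key_exists($module, PUBLIC_MODULES)) {
        error_log('refused module ' . var_export($module, true));
        return null;
    }
    if (!is_string($command) || !in_array($command, PUBLIC_MODULES[$module], true)) {
        error_log('refused command ' . var_export($command, true) . " for $module");
        return null;
    }
    $classname = 'bloxx_' . $module;
    if (!include_module_once($module) || !method_exists($classname, 'processForm')) {
        return null;
    }
    $mod = new $classname();
    return $mod->processForm($command);
}
var_dump(dispatch(['module' => 'logs',  'command' => 'view']));
var_dump(dispatch(['module' => 'admin', 'command' => 'setup']));
```

Run it with `php` on the command line: the first call reaches bloxx_logs, the second is refused before any class name is built and leaves a line in the error log.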