Info XUI.one Update 1.5.13

urgodfather

Update 1.5.13 Released
[CRITICAL] Patched an exploit in the System API that could allow for remote read and write if leveraged correctly.
[Core] Reverted EPG system to previous MySQL based system to fix a bug where EPG wasn't being retained.
[Core] Fixed EPG API calls and images

New Install:
Upgrade:
When you've installed this, update your load balancers from the Servers page. Once all load balancers are updated or reinstalled, click the red Lock icon in the top right and then select Regenerate Security Key. This will increase security and ensure nobody can replicate your streaming key and do anything malicious.
 
query there is no patch for version 1.5.5
 
welcome back @urgodfather
 
Correct, there's no need for 1.5.5 with the latest official now being 1.5.13.

This is for licensed panels, don't install or update over a cracked version of this panel.
What's with all this false info all over WOI? GTA did not patch the crack, nor did he intend to; he simply sent out an update to patch the API vulns in the panel, nothing more, nothing less.
 
He can't "patch the crack", he already stated that... It's something he can't patch...
 
Hence why I said he hasn't patched the crack, but yes he can if he wanted to by changing how the lic system works on uione, but he can't be assed.
 
I can patch it, but it's pointless now because I'd have to recompile the PHP extension with new keys, then change my license server to use the new keys, then regenerate licenses for everyone who has legit licenses... What's the point, I'm not working on XUI anymore so 🤷‍♂️
 
I mean can't patch the current one... ofc you could redo but would be the case for newer versions at the end...

Please bro, if you can explain here publicly that even if you corrected a flaw it wasn't the root cause of all that is happening, as they are blaming your panel assuming that any XUI panel can be "hacked" just like that lol... (without server access, stream key leak or any leak in first place giving reach to the API in first place...)
 
Okay so from my understanding based on what I've patched, the only method of firing the API command that would give read/write access to the filesystem and furthermore database extraction, requires being run from the main server IP or LB IP with the correct live streaming password. Alternatively you could try to exploit something else in XUI to call the API as localhost, like trying to get XUI to use file_get_contents().. but you'd still require the correct live streaming password.

But according to the logs, that's what someone has done, so it's possible! Now the live streaming password is derived from various variables including the license key, so a hacker with the right knowledge can derive the key if they knew the license key of the server... For those of you with cracked licenses, you all have the same license key! But for genuine users it would require a leak in theory...

Now if you've had an LB hacked into, they can look at the logs and get the live streaming password and they can also legitimately call the API. So the hacks coinciding with the leaked databases makes sense in this aspect.

Either way, you should update just in case.
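
The conditions described in the post above (API calls accepted only from the main server or LB IPs, localhost calls forged through the panel, and the live streaming password readable from logs) can be checked from the defender's side by auditing the web access log. The following is an added example, not part of the original post and not XUI code; it assumes nginx "combined" log format, and the API path, parameter names and sample lines are placeholders constructed for illustration.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit, parse_qs

# Assumptions (not taken from XUI): nginx "combined" log format, a placeholder
# API path and a placeholder name for the parameter carrying the secret.
API_PATH = "/system_api"
SECRET_PARAM = "password"
LINE = re.compile(r'^([0-9A-Fa-f:.]+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3})')

def audit(lines, trusted_ips):
    """Return (time, source, finding) tuples for System API requests in a log."""
    trusted = {ip_address(ip) for ip in trusted_ips}
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        src, when, target, status = m.groups()
        url = urlsplit(target)
        if url.path != API_PATH:
            continue
        addr = ip_address(src)
        if addr.is_loopback:
            # Local jobs are legitimate, but a request forged through the
            # panel itself also arrives from localhost, so surface it.
            findings.append((when, src, "loopback-call-review"))
        elif addr not in trusted:
            # A 2xx answer to a non-main, non-LB address means the call ran.
            verdict = "accepted" if status.startswith("2") else "rejected"
            findings.append((when, src, "untrusted-source-" + verdict))
        if SECRET_PARAM in parse_qs(url.query):
            # The secret is stored in this log: anyone who can read the file
            # can replay the call. Rotate the key and restrict log access.
            findings.append((when, src, "secret-in-log"))
    return findings

# Constructed sample data: documentation address ranges, made-up requests.
TRUSTED = ["192.0.2.10", "192.0.2.11"]  # main server and one load balancer
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /system_api?action=stats&password=EXAMPLE HTTP/1.1" 200 90 "-" "-"',
    '203.0.113.50 - - [01/Jan/2024:10:05:00 +0000] "GET /system_api?action=stats&password=EXAMPLE HTTP/1.1" 200 90 "-" "-"',
    '127.0.0.1 - - [01/Jan/2024:10:06:00 +0000] "GET /system_api?action=stats HTTP/1.1" 200 90 "-" "-"',
    '198.51.100.9 - - [01/Jan/2024:10:07:00 +0000] "GET /live/1.ts HTTP/1.1" 200 90 "-" "-"',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, TRUSTED):
        print(finding)
```

Any "secret-in-log" finding on a load balancer is a reason to use Regenerate Security Key after updating, since the key in that log stays valid until it is rotated.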
 
hehehehehehe the teacher spoke and now hehehehehehehe they are mute now hehehehehehehehehe
 
o_O... He actually said what I was saying all along... He corrected an old flaw that could "potentially" help if many other things were matching, so need access to system API in first place which for 98% the "hacked" and "blackmailed" people came from what I'm saying since the start... Servers... I mean fixing that part is ok, but again getting access to any of the LB or the main servers itself is enough to do almost whatever you want even with this fix unfortunately... Don't let anything outside of your main and LBs access your DB or system API, and ofc don't let anything access your servers, except http(s) ports... Or maybe you have troubles reading or understanding what even Gareth said here?... It is not XUI issue this situation and never has been, issue is as usual admin side...
 
but you said that it was a lie that GTA was trying to find a solution to this problem and you said it in such a confident way hehehehehehehe when he did know that he was in it and you said that someone was pretending to be him hehehehehehehe when he himself It was what contact to resolve it hehehehehehehehe
 
I assumed it was someone else pretending to be him as many did this... But if you read all my comments you will see that at one point I said that he actually did work on it but still at end is the same... He can't find a solution for a problem that is not from XUI... He fixed a flaw that could potentially be used if multiple admin errors matched and access to one of the servers... And again, if there is access to servers this fix will not protect you :-/... It helps only in case of admin leaving open access to system API to something else than "only their servers"...
 
Hello, why not update FFmpeg ?
 
He stopped working on XUI a long time ago... He just did that little fix to add a little protection layer (and not leave his work being targeted like it was last days...) just to exclude this from the equation... But who knows, maybe one day he surprises us all... (would be nice huh? ^^)
 
especially for people who have a license, I think it's a shame not to have taken advantage of this loophole to do so.
 
Hi, @GTAXUI
we miss the adrenaline of new updates, everyone excited:cool:
 
Thanks, sorry for all the fuckheads. I can't get my license from the site, will you be fixing that too? I have lifetime but can't get it lol
 
So, we need to upgrade to new version?
 