PHPServerMon Public Page Hack


Yes, here are my modifications:

Create a Public user and give it access to the servers you want
Memorize the ID it gives you
\src\psm\Service\User.php
Line 98 (after $this->session = $session;)

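// Read the "kl" query parameter (empty string when absent)
$kl = "";
$kl = isset($_GET["kl"]) ? $_GET["kl"] : '';
if ($kl == "public") {
    // ID of the Public user created above; replace 3 with the ID you noted
    $user_id = 3;
    $this->setUserLoggedIn($user_id, true);
    $user = $this->getUser($user_id);
    $this->newRememberMeCookie();
}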

When you enter the URL http://server/servermonitor/?kl=public it will use the Public account

This method uses a particular user ID, so even if somebody changes the password, the script will never use it anyway.
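
A stricter gate for the same auto-login, as an added example (not part of the original post and not PHPServerMon code): it replaces the fixed word `public` with a long random token compared in constant time, and refuses to log in unless the target account is a plain user. The helper name `psm_public_login_allowed`, the token value and the level numbers 20 and 10 are assumptions for illustration.

```php
<?php
// Added example, not PHPServerMon code; names and values are assumptions.

// Constructed sample token. Generate your own: bin2hex(random_bytes(32)).
const PUBLIC_VIEW_TOKEN = '5d1c0a7e9b3f42688e1d6c4b2a9f07e35d1c0a7e9b3f42688e1d6c4b2a9f07e3';
// Assumed numeric level of an ordinary, non-admin account in your install.
const PUBLIC_VIEW_LEVEL = 20;

/**
 * Decide whether the ?kl=... auto-login may fire.
 * $query     request parameters (normally $_GET)
 * $token     the expected secret
 * $userLevel level of the account to be logged in, null if it does not exist
 */
function psm_public_login_allowed(array $query, string $token, ?int $userLevel): bool
{
    $kl = $query['kl'] ?? null;
    // ?kl[]=x arrives as an array; accept only a non-empty string.
    if (!is_string($kl) || $kl === '') {
        return false;
    }
    // hash_equals() compares in constant time, unlike == or ===.
    if (!hash_equals($token, $kl)) {
        return false;
    }
    // Refuse if the hard-coded ID no longer exists or its account
    // is not a plain user.
    return $userLevel === PUBLIC_VIEW_LEVEL;
}

// Constructed requests showing each decision.
$cases = [
    'correct token, plain user' => [['kl' => PUBLIC_VIEW_TOKEN], 20],
    'old fixed word'            => [['kl' => 'public'], 20],
    'array parameter'           => [['kl' => [PUBLIC_VIEW_TOKEN]], 20],
    'ID resolves to an admin'   => [['kl' => PUBLIC_VIEW_TOKEN], 10],
    'ID no longer exists'       => [['kl' => PUBLIC_VIEW_TOKEN], null],
];
foreach ($cases as $label => [$query, $level]) {
    $ok = psm_public_login_allowed($query, PUBLIC_VIEW_TOKEN, $level);
    printf("%-27s %s\n", $label, $ok ? 'login' : 'refuse');
}
```

In User.php this check would stand in for the `$kl == "public"` test, with the level looked up for the Public user's ID before `setUserLoggedIn()` is called.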

I changed something else to cut some menu items
\psm\Module\AbstractController.php

Line 271: erase the server_update function; I think only the crontab needs to make a status update, and I have seen some trouble when I run it manually.

$items = array('server_status', 'server', 'server_log', 'user', 'config');

Line 274: comment out the entire items line; when you are only a User (Public account), you don't want to see anything other than the server status page

//$items = array('server_status', 'server', 'server_log', 'server_update');

 

Source is https://sourceforge.net/p/phpservermon/discussion/845823/thread/f1b2e4ff/#66a7

 

With some mods to the code.