Twitter

Share on Tumblr

Save this

This is what I found out, version 3.0.2.0.

// file
catalog/model/account/api.php

// function, AS is.
public function login($username, $key) {
    $query = $this->db->query("SELECT * FROM `" . DB_PREFIX . "api` WHERE `username` = '" . $this->db->escape($username) . "' `key` = '" . $this->db->escape($key) . "' AND status = '1'");

    return $query->row;
}

// Error
Notice: Undefined index: api_token in /var/www/html/patricmutwiri/upload/catalog/controller/startup/session.php on line 8
Fatal error: Uncaught Exception: Error: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '`key` = '3V8imKFDtRtwhqqz46sXzk0hdDPUJ0ThRaviGPuiC6Xu5iBpjvoDX0nQYoKNi54iIAYmTrK' at line 1<br />Error No: 1064<br />SELECT * FROM `wwvc_api` WHERE `username` = 'walts' `key` = '3V8imKFDtRtwhqqz46sXzk0hdDPUJ0ThRaviGPuiC6Xu5iBpjvoDX0nQYoKNi54iIAYmTrKCVnU71SToL9fpyjCrAJUGdknXHHqYZICH6CvS6Oa8r9hmN3w6x64qLzXYQ7tkvejOejGU1cDbB089ZEEdWHIuPHP1FAUcESHnEJaop23BKvcxbArJlVPg0N4W4AAoY9Lqohw0n8gJfBXYR9eY4BcI7gdFLTAcFE5I8Wy3AXcD9lgzQZvK5kFhgQSc' AND status = '1' in /var/www/html/patricmutwiri/upload/system/library/db/mysqli.php:40 Stack trace: #0 /var/www/html/patricmutwiri/upload/system/library/db.php(45): DB\MySQLi->query('SELECT * FROM `...') #1 /var/www/html/patricmutwiri/upload/catalog/model/account/api.php(4): DB->query('SELECT * FROM `...') #2 /var/www/html/patricmutwiri/storage/modification/system/engine/loader.php(248): ModelAccountApi->login('walts', '3V8imKFDtRtwhqq...') in /var/www/html/patricmutwiri/upload/system/library/db/mysqli.php on line 40

// FIX
public function login($username, $key) {
    $query = $this->db->query("SELECT * FROM `" . DB_PREFIX . "api` WHERE `username` = '" . $this->db->escape($username) . "' AND `key` = '" . $this->db->escape($key) . "' AND status = '1'");

    return $query->row;
}

// payload
<b>Notice</b>: Undefined index: api_tokenin<b>/var/www/html/patricmutwiri/upload/catalog/controller/startup/session.php</b>online<b>8</b>
{
    "error": {
        "ip": "Warning: Your IP 127.0.0.1 is not allowed to access this API!",
        "key": "Warning: Incorrect API Key!"
    }
}

As I work on a fix, help me out, just incase there's one already.