Search found 1468 matches
Topic: get_user_field( benchmarking
Forum: PC & Codeing Talk Posted: Wed Jun 25, 2025 10:19 am Subject: Re: get_user_field( benchmarking
— Doug wrote: This specific function (well, the original) is publicly shared on GitHub.
You need to lead with that type of info instead of:
— Doug wrote: I purchased a very large script many years ago from Josh (I recently found out that he is also known by another name?) for a pretty penny. One of the functions listed I have been rebuilding to suit my needs. I could use another set of eyes and perceptions to find faster functionality. I have decompressed the function and expanded it to make for easier reading (sorry for the mess in advance!).
That implies it wasn’t a "public" function and was from a paid script. I try to stay away from paid scripts to avoid drama from other developers upset about their code being altered or publicly shared without their explicit permission. (This all stems from my ClanThemes days).
Forum: PC & Codeing Talk Posted: Fri Jun 20, 2025 12:35 pm Subject: Re: Is PwnGuard Mod not contributing to the existing problem
— Doug wrote (quoting coRpSE): Do me a favor, open your mainfile.php and find on line 59, what is NUKE_EVO defined as?
lines 57 through 62 (PHP):
// Define File
define_once('NUKE_EVO', '2.0.9f');
define_once('EVO_EDITION', 'xtreme');
define('PHPVERS', @phpversion());
define_once('EVO_VERSION', NUKE_EVO . ' ' . EVO_EDITION);
define('PHP_5', version_compare(PHPVERS, '5.0.0', '>='));
That is the old version. We are on 2.0.10 now. My site here is still 2.0.9F, but I already did all the security updates to this site.
The new version is when we made the change and dropped the MD5 hashing. I had informed the other Nuke distros of the issue, but I'm not sure if any of them have updated.
Forum: PC & Codeing Talk Posted: Fri Jun 20, 2025 12:19 pm Subject: Re: Is PwnGuard Mod not contributing to the existing problem
Do me a favor, open your mainfile.php and find on line 59, what is NUKE_EVO defined as?
I can tell you that your file does not match what I have on my test site and what I just downloaded as the "latest build". I have a feeling you have an outdated version. But the MD5 has been gone for about a year now.
— Doug wrote: I went back and dug through the code and noticed the $prefex of the first 5 characters... I assumed the first method would call for the 2nd precision match, but I don't see that in the curl call. Damn sure nothing is pushed to a third party, however, does it not go back to accuracy? How does this come close to any type of accuracy?
I explain it in the video.
Forum: PC & Codeing Talk Posted: Fri Jun 20, 2025 10:21 am Subject: Re: Is PwnGuard Mod not contributing to the existing problem
— Doug wrote: Question #1: If the mod takes the input password, and converts it to SHA1 as well as uppercasing, then passes it to a third party website (strtoupper(sha1($password))), how accurate do you think those result matches are going to be considering that most websites do not even use similar crypt processes? Example:
d802f03b1278597a441a71b8a3fc0b32bb08cd46 AND D802F03B1278597A441A71b8A3fC0B32BB08CD46 are not identical inputs, yet producing the first one, and submitting it as the second method is not going to produce an accurate check.
For this check to even be close to accurate, you would have to take the input string, hash it with the top 10 most common methods INCLUDING the md5(md5(md5(md5(md5( method, and submit them as checks each to themselves.
You're right that different sites use different password hashing methods, and many apply salts, multiple rounds, or even proprietary schemes. However, PwnGuard is not attempting to guess how a site hashes your password. It checks whether a plain-text password (what the user inputs) has ever appeared in a known data breach.
HIBP (Have I Been Pwned) uses the SHA1 of the plain-text password in uppercase, which aligns exactly with how their k-anonymity API expects it. So if a user enters “mypassword123”, we hash it with SHA1, uppercase it, and send only the first 5 characters of that hash to HIBP. HIBP responds with a list of suffixes, and we check locally if the full hash is found in that list.
It’s not meant to match how Xtreme or any system stores passwords, it’s a breach check, not a replacement for login authentication.
— Doug wrote: Question #2: Digging around the domain being submitted, there does not appear to be much information about what hash the passwords are being compared to, or if (or can it be) compared to a multitude of other hashes. Meaning: if the mod submits the sha1( string, but it cannot be compared to the md5(md5(md5(md5(md5( (THIS is the method Evo uses) string, what would be the point of the check?
HIBP only supports SHA1 hashes of plain-text passwords, not MD5, not salted hashes, and definitely not deeply nested schemes like md5(md5(md5(...))). That’s by design. It's a breach notification service, not a brute-force matcher of unknown hashing schemes.
So no, we don’t submit multiple variants of the password using different hashing methods, because that would violate the entire point of using a privacy-preserving API, and be incredibly insecure and inefficient anyway.
— Doug wrote: Question #3: Probably the most dangerous aspect, but why submit any password, let alone an unsalted password, to be broadcast to a third party website? Would any of you submit your databases of passwords to be tested? If not, why are you publishing each login attempt to a third party website that you are unfamiliar with?
This is one of the biggest misconceptions. We never send the actual password, nor even the full SHA1 hash.
Here’s what happens:
- User types in their password.
- It’s hashed with SHA1 locally.
- We uppercase the result.
- We take only the first 5 characters of that SHA1 hash.
- That 5-character prefix is sent to HIBP.
HIBP then returns a list of matching suffixes (the remaining 35 characters) along with breach counts. This method is known as k-anonymity, it ensures HIBP never knows the original password or its full hash.
You can read about the privacy model on HIBP's site.
So the user’s actual password, or its full hash, is never exposed. Nothing identifiable is ever logged or transmitted.
I have a post about this mod here, and a video I did explaining this, (all in the first post).
— Doug wrote: Question #4: Is it my memory that has faded so badly, but I could have sworn that Evo used a salting method at some point in history. Why is a salting method still not being used?
Xtreme previously used an MD5-based hashing system, but that is no longer the case. As of last year, Xtreme has moved to using PHP's password_hash() function, which includes strong salting and modern hashing (e.g., bcrypt) by default. This was done in response to a security issue that I found that could be exploited by bad actors.
PwnGuard doesn’t interfere with or replace that system, it works alongside it by checking whether the user’s chosen password is already known to have been leaked in previous breaches. If it has, the user is warned or prevented from using it, even before it’s hashed and stored securely using password_hash().
So rather than being a weakness, PwnGuard is an extra layer of protection before password storage ever happens.
Overall, to simplify everything,
- PwnGuard doesn’t try to reverse engineer hashing schemes.
- It checks plain-text password exposure, not how they are stored.
- No real passwords or full hashes are sent anywhere.
- It uses HIBP’s secure and pretty well documented API built with privacy in mind.
- It helps raise awareness, especially for those that reuse passwords across multiple places.
So, to answer your original question, which is the topic title, "Is PwnGuard Mod not contributing to the existing problem?", my response is: absolutely not. Not doing anything is, to me, contributing more than anything to the existing problem, which is growing. The people that stand to the side, bitch and complain, take no real action on their part, offer no good feedback, and overall stand on the sidelines stomping their feet like children when people don't bend to their every need are what is contributing to the existing problem.
If I come off as annoyed, I'll admit, part of my reaction comes from dealing with similar debates in the past, especially from some of the old Raven community, where the HP mod was called intrusive, among other things. So I may sound a bit blunt here.
With that said, I do want to be honest, and your post, especially the title, comes off a bit provocative. It frames the mod as potentially harmful without first checking the core details, which makes it feel more like a challenge than a request for clarification.
You raise four technically detailed questions, but I do have to ask, did you get a chance to actually look at the code or the accompanying documentation/video? For example, when you ask, "why submit any password, let alone an unsalted password to a third-party website," it seems like you might have missed how the mod uses k-anonymity and never transmits a real password or even its full hash. That’s something I covered pretty clearly in the video.
No hard feelings, I appreciate deep questions, but I’d encourage reviewing the material first so we’re all on the same page.
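The k-anonymity exchange described in the post above, as an added PHP example that is not PwnGuard's own code. It hashes the password locally, sends only the first five hex characters of the uppercase SHA-1 to the Pwned Passwords range endpoint, and compares the remaining 35 characters locally against the returned list. fetchRange() needs network access; the demo at the bottom feeds a constructed range body instead so the script runs offline, and the breach count in that body is invented, not HIBP's real figure.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not PwnGuard's own code. It walks through the k-anonymity
 * check described in the post: SHA-1 the password locally, uppercase it,
 * send only the first 5 hex characters to the Pwned Passwords range API, and
 * compare the remaining 35 characters locally against the returned list.
 * fetchRange() needs network access; the demo at the bottom feeds a
 * constructed range body instead, so the script runs offline. The breach
 * count in that body is invented.
 */

const HIBP_RANGE_URL = 'https://api.pwnedpasswords.com/range/';

/** Returns [prefix, suffix] of the uppercase SHA-1. Only the prefix ever leaves the server. */
function splitPasswordHash(string $password): array
{
    $hash = strtoupper(sha1($password));
    return [substr($hash, 0, 5), substr($hash, 5)];
}

/**
 * Parse a range body ("SUFFIX:COUNT" per line) and return the count for
 * $suffix, or 0 when it is absent. Padding entries (count 0, added when the
 * Add-Padding header is sent) therefore read as "not breached" too.
 */
function breachCountFromRange(string $rangeBody, string $suffix): int
{
    foreach (preg_split('/\r?\n/', $rangeBody) as $line) {
        $parts = explode(':', trim($line), 2);
        if (count($parts) !== 2) {
            continue;
        }
        // hash_equals() keeps the comparison constant-time; the suffix is the secret half.
        if (hash_equals($suffix, strtoupper($parts[0]))) {
            return (int) $parts[1];
        }
    }
    return 0;
}

/** Live lookup: GET the range for a 5-char prefix. Returns null on any transport failure. */
function fetchRange(string $prefix): ?string
{
    $ch = curl_init(HIBP_RANGE_URL . $prefix);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
        // Add-Padding makes every range come back with a similar number of
        // entries, so response size does not hint at which prefix was asked for.
        CURLOPT_HTTPHEADER     => ['Add-Padding: true', 'User-Agent: evo-pwnguard-example'],
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return ($body !== false && $status === 200) ? $body : null;
}

/**
 * Breach count for $password. Pass $rangeBody to skip the network call.
 * Whether an unreachable API should fail open (accept the password) or
 * closed (reject it) is a policy choice for the site, so this throws and
 * leaves the decision to the caller.
 */
function breachCount(string $password, ?string $rangeBody = null): int
{
    [$prefix, $suffix] = splitPasswordHash($password);
    $rangeBody ??= fetchRange($prefix);
    if ($rangeBody === null) {
        throw new RuntimeException('Pwned Passwords range lookup failed');
    }
    return breachCountFromRange($rangeBody, $suffix);
}

// ---- offline demo with a constructed range body ---------------------------
// sha1('password') is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so the prefix
// sent would be 5BAA6. The three entries and the count 1234 are made up.
$constructedRange =
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234\r\n" .
    str_repeat('0', 34) . "A:0\r\n" .                  // padding-style entry
    str_repeat('F', 35) . ":7\r\n";

[$prefix, $suffix] = splitPasswordHash('password');
echo "sent to HIBP: {$prefix}\nkept local:   {$suffix}\n";
echo "breach count: ", breachCount('password', $constructedRange), "\n";
```

The only thing in this flow that touches the network is the five-character prefix in fetchRange(); the suffix comparison and the count parsing never leave the server, which is the property the post is describing.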
Topic: [FIX] Evo Shout Counter Bug
Forum: Nuke Blocks / Modules Support Posted: Sun Jun 08, 2025 11:11 am Subject: [FIX] Evo Shout Counter Bug
While looking at my site and here, I noticed if you typed something in the shoutbox, the counter would count down (as it should), but when you hit Enter or clicked submit, the counter didn't reset. So I went back to my local and realized I forgot to put something that was on my local into the release.
So, if you don't want to do the extremely simple edit, just redownload the module from either this site or my site, and just update the public_html/modules/Shout/includes/shout-block-script.js file with a fresh one from a fresh download, over writing the one that you have on your site.
If you want to do the edit, all you need to do is this:
OPEN: public_html/modules/Shout/includes/shout-block-script.js
On line 50 -51, FIND:
Code:
document.getElementById("message").value = '';
fetchMessages();
In between those lines, put:
Code:
updateCharacterCounter();
So it should look like this:
Code:
document.getElementById("message").value = '';
updateCharacterCounter();
fetchMessages();
Save and close.
Now, clear your browsers cache and your sites cache, and you are good to go.
I built the function, and I did put it in my local server, but, never put the trigger in the release version. Whoops.
Topic: New security added
Forum: WebSite Changes Posted: Wed May 28, 2025 10:39 am Subject: Re: New security added
Serious question for everyone.
I wrote this script, and I have been very vague on it, so I will give you more info about it. This system helps protect the website from hackers who try to mess with it by putting sneaky code into the address bar or links. It checks what people are sending to the site, especially strange characters or words that hackers often use when trying to break into the database (where usernames, passwords, and other info are stored). If it spots anything suspicious, it keeps track of who sent it (based on their IP address), and if they try it more than twice, it blocks them completely from accessing the site by adding their IP to the site's block list. It also logs the attempt so I can go back and see what happened. It doesn't replace normal security, but it gives the site an extra layer of protection to help keep the bad guys out before they even reach the sensitive parts.
Sentinel should do this as far as I thought, but I have never seen it protect from the attempts I have had on my site; instead, I only find out about them from being in my error log. For those of you who are site owners, you may recognize things like this in your error logs (if you actually looked).
In the URL, you would see like:
- 'A=0
- '[0]
- %27 (URL encoded ')
- '123
- 1' OR '1'='1
- 1' AND '1'='1
- ' OR 1=1--
- ' OR 'x'='x
- ';--
- '--
- %23 (URL encoded #, SQL comment)
There are a lot more, and I'm not going to list them all, but these are things that have been used on my site in the last few days. My script I have checking for common keywords, basic logic-based injections, and SQL comment symbols, areas where I don't think Sentinel really does. I think that does deeper checks, but I don't know, I never looked at it. But now, if they try using any of those to test my site (most of these are just bots testing my site for SQL vulnerabilities), their first 2 tests give them nothing, but the 3rd attempt gives a 403 Forbidden error.
I will release this eventually to the public, and if anyone wants to test it, I will ask at a future date.
But for now, I want to know if I should make a block that shows the last 10 IPs to be perm-banned, as well as an easy copy & paste button that lets you come by and copy all the IPs that have been added permanently, so you can paste them into your .htaccess file. I kind of already wrote a test script, but haven't made it public. It already has the "deny from" in front of the IP, so it is truly a copy & paste system.
So, should this block be something I should finish and put on my site here?
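One way to implement the behaviour described in the post above, as an added PHP example that is not coRpSE's script and is not drawn from it: scan the query string for the probe strings listed in the post, count flagged requests per client IP, answer 403 from the third one on, log each hit, and emit ready-made "deny from" lines for .htaccess. The sample requests and IPs are constructed, the in-memory $strikes array stands in for whatever persistent store a real mod would use, and a real hook would read $_SERVER['QUERY_STRING'] and $_SERVER['REMOTE_ADDR'] instead of the loop at the bottom. A bare quote (the %27 entry in the list) is deliberately not flagged on its own, since that would catch names like O'Brien; the other entries each get a pattern.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not coRpSE's script. Detects the SQL-probe strings listed
 * in the post, tracks strikes per IP, answers 403 from the third strike on,
 * logs each hit and produces "deny from" lines for .htaccess.
 * Sample traffic and IPs below are constructed (TEST-NET addresses).
 */

/** One regex per probe family from the post; the key becomes the log label. */
const PROBE_PATTERNS = [
    'tautology'    => '/\'\s*(?:or|and)\s*\'?\w+\'?\s*=\s*\'?\w+/i', // 1' OR '1'='1, ' OR 'x'='x, ' OR 1=1--
    'dash-comment' => '/\'\s*;?\s*--/',                              // '--  ';--
    'hash-comment' => '/#/',                                         // %23 once decoded
    'quote-assign' => '/\'\s*[A-Za-z_]+\s*=\s*\d+/',                 // 'A=0
    'quote-index'  => '/\'\s*\[\d+\]/',                              // '[0]
    'quote-digits' => '/\'\d+/',                                     // '123
];

/** Returns the label of the first matching probe pattern, or null for clean input. */
function detectProbe(string $queryString): ?string
{
    // Decode twice: scanners sometimes double-encode (%2527 -> %27 -> ').
    $decoded = urldecode(urldecode($queryString));
    foreach (PROBE_PATTERNS as $label => $regex) {
        if (preg_match($regex, $decoded) === 1) {
            return $label;
        }
    }
    return null;
}

final class ProbeTracker
{
    public const BAN_AT = 3;                 // third flagged request gets the 403

    /** @var array<string,int> ip => flagged request count (in-memory stand-in for a real store) */
    private array $strikes = [];
    /** @var string[] one line per flagged request */
    private array $log = [];

    /** Returns the HTTP status the request should receive: 200 or 403. */
    public function handle(string $ip, string $queryString): int
    {
        $label = detectProbe($queryString);
        if ($label === null) {
            return 200;
        }
        $n = $this->strikes[$ip] = ($this->strikes[$ip] ?? 0) + 1;
        $this->log[] = sprintf('%s probe=%s strike=%d qs=%s', $ip, $label, $n, $queryString);
        return $n >= self::BAN_AT ? 403 : 200;
    }

    /** Lines ready to paste into .htaccess, as the post proposes. */
    public function htaccessDenyLines(): string
    {
        $lines = [];
        foreach ($this->strikes as $ip => $n) {
            if ($n >= self::BAN_AT) {
                $lines[] = 'deny from ' . $ip;
            }
        }
        return implode("\n", $lines);
    }

    /** @return string[] */
    public function log(): array
    {
        return $this->log;
    }
}

// ---- demo over constructed sample traffic ---------------------------------
$tracker  = new ProbeTracker();
$requests = [
    ['203.0.113.7',  'id=1%27+OR+%271%27%3D%271'],      // 1' OR '1'='1   -> strike 1, still 200
    ['203.0.113.7',  'id=1%27--'],                       // 1'--           -> strike 2, still 200
    ['198.51.100.9', 'q=rock+n+roll+don%27t+stop'],      // benign apostrophe, must pass
    ['203.0.113.7',  'id=%27A%3D0'],                     // 'A=0           -> strike 3, 403
];
foreach ($requests as [$ip, $qs]) {
    printf("%-13s %-30s -> %d\n", $ip, $qs, $tracker->handle($ip, $qs));
}
echo implode("\n", $tracker->log()), "\n";
echo $tracker->htaccessDenyLines(), "\n";
```

Two caveats for anyone wiring this into a site. First, it is log hygiene rather than a defence: a pattern list is trivially bypassed with different casing, whitespace or encodings, so parameterised queries remain the actual protection, which matches the post's own "doesn't replace normal security". Second, only ban on an address you trust: behind a proxy or CDN, REMOTE_ADDR is the proxy, and a client-supplied X-Forwarded-For can be forged to get other people's addresses written into .htaccess.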
Topic: New security added
Forum: WebSite Changes Posted: Sun May 18, 2025 4:48 pm Subject: New security added
Lately, I have been getting a lot of sites testing the waters, so to say, trying to see if they can do SQL injections on my site. They can't as far as I know, but it was filling up my error log with their attempts. I don't know about you, but it really annoys me when I see my log having an error, and it turns out that someone is putting bad characters in a URL.
So, if anyone gets sent to this page (the link is in the original post), please let me know what you clicked or what you did. I want to see if there are any false positives that happen.
Thank you.
Forum: In-The-Works Posted: Sun May 18, 2025 11:52 am Subject: Re: Evo_PwnGuard - (Login breached message)
I updated my first post with the video and a link to the demo that I show in the video.
Forum: In-The-Works Posted: Thu May 15, 2025 6:06 pm Subject: Re: Evo_PwnGuard - (Login breached message)
Okay, there has been some confusion on how this script works, so, I am going to make a video explaining it in a way that will make it easier to follow. There have been some concerns, and I am okay with that, this video will eliminate your concerns I hope.
Forum: In-The-Works Posted: Thu May 08, 2025 10:07 am Subject: Re: Evo_PwnGuard - (Login breached message)
I've updated my first post. I have released this script for anyone who would like to add it to their site for added security for their users.