PHP WebUI Logon

[djone21]

My friend (splintax) wrote this page in php so that a user can enter their IP, port, username and password and it will load up the WebUI in their browser. Check it out, its very nice. Comments welcome

http://splintax.com/utorrent.php

[Stan]

would be nice if he releases the code... We dont know what he is really doing

[Gussi]

It's nifty, but there's really no use for it other than logging someones else username and password.... and that's not cool :/

[ICleolion]

no need for this unless the www.utorrent.com site is gonna add a WebUI logon button to the linkbar.

[Pleh]

if you have to enter your ip, port, username and password, why wouldnt you just type those into the addressbar and press enter instead of using the redirect thingy? seems like a needless extra step to me :s

[ICleolion]

Plus this will only work in browsers that allow user and pass to be in url

[Ultima]

What ever happened to splintax anyway? He hasn't been around in the longest time =o

[Lord Alderaan]

My scam alert just went off in my head.

Folks I suggest NOT using this cos it is guaranteed to give the owner of that webpage ur webui login information.

[dAbReAkA]

i dont think splintax is a person who steals private data.. anyways this is designed for mac (or aol) users it wont work on IE6 SP2 as ICleolion already said.. not that useful..

[Stan]

Lord Alderaan, thats why I request the source (its a simple script (if he is doing the right thing) I dont know why not)

[djone21]

I will speak to splintax later and see if he wants to release the code. I can assure you that he is not the type of person who would steal peoples personal data :/

[Ultima]

splintax has been a big contributor to µTorrent (heck, he's a member of the µTorrent Helper group), and unless there was some kind of problem that caused his absence from the community that I'm unaware of, I can advocate his trustworthiness as well.

Even still, I don't blame anyone for being wary with something like this.

[Stan]

Lets make something clear here, Im not discussing him in anything. If he release the code he will gain (more) credibility

[splintax]

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html>
<head>
<title>µT WebUI</title>
<?php
 // if running this on your own server, change this to your domain
 $d = 'splintax.com';
 if($_POST) { // if form has been submitted
 echo '<meta http-equiv="refresh" content="1;'; // site auto-refreshes
 // generate and refresh url
 echo 'http://'.$_POST["user"].':'.$_POST["pass"].'@'.$_POST["ip"].':'.$_POST["port"].'/gui/index.html';
 echo '" />';
 }
?>
<meta name="author" content="Scott Young" />
<meta http-equiv="content-type" content="text/html;charset=windows-1252" />
<style type="text/css">
* {margin: 0; padding: 0;}
body {font-family: tahoma, sans-serif; background-color: #666; color: #000; text-align: center;}
h1 {text-decoration: underline; margin-bottom: 10px;}
h2 {color: #fff; background-color: #333;}
div#m {border: 3px #999 solid; width: 20em; margin-left: auto; margin-right: auto; margin-top: 10em; padding: 10px; font-weight: bold; font-size: 0.5em; background-color: #<?php if($_POST) echo '000'; else echo 'ddd'; ?>; color: #000;}
input {margin-bottom: 10px; text-align: center;}
.submit {padding: 10px;}
.n {font-weight: normal;}
a {color: #555; text-decoration: none; background-color: #ccc;}
a:hover {text-decoration: underline; background-color: #bbb; color: inherit;}
</style>
</head>

<body>
<div id="m">
<?php
 if($_POST) {
 echo '<br /><br /><br /><h2>redirecting..</h2>';
 }
 else {
 $rnd = rand()%65534 + 1;
 echo '<h1>µT WebUI</h1>';
 echo '<form action="'.$PHP_SELF.'" method="post">';
 echo '<div>';
 echo 'ip address (yours by default)<br />';
 echo '<input name="ip" type="text" value="'.$REMOTE_ADDR.'" /><br />';
 echo 'port (randomized)<br />';
 echo '<input name="port" type="text" value="'.$rnd.'" /><br />';
 echo 'username<br />';
 echo '<input name="user" type="text" value="user" /><br />';
 echo 'password<br />';
 echo '<input name="pass" type="password" value="pass" /><br />';
 echo '<input class="submit" name="submit" type="submit" value="open webui" /><br />';
 echo 'written by scott young<br /><span class="n">valid <a href="';
 echo 'http://validator.w3.org/check?uri=http%3A%2F%2F'.$d.$PHP_SELF;
 echo '">xhtml 1.0 strict</a> / <a href="';
 echo 'http://jigsaw.w3.org/css-validator/validator?uri=http%3A%2F%2F'.$d.$PHP_SELF;
 echo '">css</a></span></div></form>';
 }
?>
</div>
</body>
</html>

Hi Ultima

I haven't been around in a while, since I've been a lot busier this year with school - final year

Nice to see some healthy skepticism though.

AFAIK there's no security risk with this, as it just passes your IP, etc. straight back to itself using POST. However I'm not a PHP expert, I suppose my server could be logging the postdata or something.

I really just wrote it to muck around with the CSS validator, I was trying to make a page that didn't throw any CSS warnings

edit: And just to make you more skeptical.. releasing the PHP source isn't really that helpful, since you can't 'compile it yourself' so to speak. I could still be running different code.

[dAbReAkA]

lol, too much echo-s

[Ultima]

@Stan: Yeah I know, I was just running along with what djone21 was saying

@splintax: Good to see you still alive And yeah, lol I'd been thinking the same thing (about the possibility that you could just release the source code and run different code xD). Oh well

[splintax]

dabreaka: Yeah, I just kept adding more things to that section of it, and I don't like escaping out of PHP.

/me is surprised a thread about a script which accepts a variable then puts it as part of a URL has lasted so long

[Lord Alderaan]

Please accept my apologies splintax.

It wasn't my intention to say anything bad about you. Even if you were an unkown person to this community.

I should have added that even if the owner of the page gets the info it doesn't mean he's gona abuse it. And now that I look at the full source it your logging has to be fairly extensive to aquire the data now. A GET form for example would have shown the info in your website log. That doesn't say anything about someones intentions ofcourse, but the info would be there stored on your server all the same.

Still I would warn against creating this kinda pages. Its very easy for someone to take your code. Include some php to store the details and then post it here and say "Hey try this one, I made one too."

There are enough people out there that are prepared to do something like this then ruin someones torrents just to gloat over the 'stupidity' of the guy he just harrassed just to make themselves feel better.

[dAbReAkA]

splintax, i dont like escaping out of php too.. i just use one big block and i echo it like:

echo '<h1>µT WebUI</h1><form action="'.$PHP_SELF.'" method="post"><div>';

instead of:

echo '<h1>µT WebUI</h1>';
 echo '<form action="'.$PHP_SELF.'" method="post">';
 echo '<div>';

[Stan]

great splintax!

[Raaz]

Or if you want linebreaking in code:

echo ('<h1>µT WebUI</h1>
<form action="'.$PHP_SELF.'" method="post">
<div>');