Hi, there. We've found PHP Serialize Injections in your project “torrentpier". According to the OWASP, it can pose a significant risk: enable an attacker to modify serialized objects in order to inject malicious data into the application code, resulting in code execution or an arbitrary reading of the file on any vulnerable system.
An authenticated SQL injection vulnerability exists in the moderator control panel (modcp.php). Users with moderator permissions can exploit this vulnerability by supplying a malicious topic_id (t) parameter. This allows an authenticated moderator to execute arbitrary SQL queries, leading to the potential disclosure, modification, or deletion of any data in the database.
In torrentpier/library/includes/functions.php, get_tracks() uses the unsafe native PHP serialization format to deserialize user-controlled cookies:
Torrentpier version 2.4.1 allows executing arbitrary commands on the server. This is possible because the application is vulnerable to insecure deserialization.