Info Xuione 1.5.5 works and fixs

[go13]

Hi all,

I'm creating this article, which will serve as a working basis for decoded xuione files.

I'm personally working on version 1.5.5, but I also plan to work on other versions in the future.

Anyone interested in contributing to this work is welcome.

Feel free to request bug fixes if you know of any, or to request the addition of features to the panel.
Remember to edit your posts instead of writing new ones to ensure optimal readability.

To begin, I'm sharing the fix for the unlimited VOD connection bug in version 1.5.5.
This fix limits each user to a single IP address.

To view the content, you need to Sign In or Register.

you need to put vod.php in the xui/www/stream folder


Api.php Main bug fix 1.5.5 :

Spoiler: Api.php

https://www.mediafire.com/file/eaf1zv7xn6jv3tp/api_secure155.php/file

Nginx 1.28 :

Spoiler: Nginx 1.28

https://www.mediafire.com/file/3zmxqsm76cv0x5n/nginx/file

ffmpeg 6.1.1 (no GPU) :

To view the content, you need to Sign In or Register.

To view the content, you need to Sign In or Register.

 

[maxnet]

Thank you very much, dear... Please check what possibility there is to do the fix for version 1.5.5 ([CRITICAL] Patched an exploit in the System API that could allow for remote read and write if leveraged correctly.) since GTA only did it for version 1.5.3

 

[joelonlyne]

Hi all,

I'm creating this article, which will serve as a working basis for decoded xuione files.

I'm personally working on version 1.5.5, but I also plan to work on other versions in the future.

Anyone interested in contributing to this work is welcome.

Feel free to request bug fixes if you know of any, or to request the addition of features to the panel.
Remember to edit your posts instead of writing new ones to ensure optimal readability.

To begin, I'm sharing the fix for the unlimited VOD connection bug in version 1.5.5.
This fix limits each user to a single IP address.

*** Hidden text: cannot be quoted. ***




you need to put vod.php in the xui/www/stream folder

Hi mate,

Thanks in advance for the file.

You can count with me to make modifications in the core always when is not full obfuscated.

what ever you need I'm here we can share knowledge.

Cheers,
Joe

 

[Juanwom]

I can help, i have fix exploit in 1.5.5 main and lb

 

[maxnet]

I can help, i have fix exploit in 1.5.5 main and lb

Great, you can help me with the fix, I would be very grateful to you.

 

[go13]

Time is precious, so I can't just blindly throw it into every file.
If anyone knows exactly where to look for the vulnerability that was fixed by GTA, I could do the same.
If the information is sensitive, you can send it to me via PM.

 

[squallp]

Time is precious, so I can't just blindly throw it into every file.
If anyone knows exactly where to look for the vulnerability that was fixed by GTA, I could do the same.
If the information is sensitive, you can send it to me via PM.

Send me a private message and I will help you fix the API vulnerability that GTA has resolved.

 

[joelonlyne]

Send me a private message and I will help you fix the API vulnerability that GTA has resolved.

can you teach us how to do it?

 

[go13]

Thank you very much, dear... Please check what possibility there is to do the fix for version 1.5.5 ([CRITICAL] Patched an exploit in the System API that could allow for remote read and write if leveraged correctly.) since GTA only did it for version 1.5.3

I fixed the vulnerability.

Can anyone confirm that the vulnerability was in the api.php file in the /xui/www directory?

I fixed it in the main file. Can anyone confirm that the api.php file in the main file is the same as the one for the LBs?

Here's what I did:

There was a space that allowed write and execute permissions in the directory.
I reviewed the differences with version 1.5.13 and made a simple adjustment.


Nb:
I haven't tested it, could someone please provide feedback?

Please note that even without the fix, you can block access to api.php using nginx.

To view the content, you need to Sign In or Register.

 

[dreambox2011]

it would be great if you add updated ffmpeg thank you

 

[go13]

it would be great if you add updated ffmpeg thank you

I've already started.
By the way, could someone here compile the latest ffmpeg with everything needed for xuione or teach me how to do it, please? Thanks.

 

[maxnet]

I fixed the vulnerability.

Can anyone confirm that the vulnerability was in the api.php file in the /xui/www directory?

I fixed it in the main file. Can anyone confirm that the api.php file in the main file is the same as the one for the LBs?

Here's what I did:

There was a space that allowed write and execute permissions in the directory.
I reviewed the differences with version 1.5.13 and made a simple adjustment.


Nb:
I haven't tested it, could someone please provide feedback?

Please note that even without the fix, you can block access to api.php using nginx.

*** Hidden text: cannot be quoted. ***

Today I will leave it testing but the balancer's api.php is different from the main api.php, the balancer's api.php must also be patched.
thank you very much

 

[go13]

Today I will leave it testing but the balancer's api.php is different from the main api.php, the balancer's api.php must also be patched.
thank you very much

Okay, thanks for the feedback.
So, someone would need to give us the LB api.php decoded with goto, no problem.

 

[go13]

I compiled the latest nginx for xuione:

nginx version: nginx/1.28.0
built by gcc 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)
built with OpenSSL 3.5.0 8 Apr 2025
TLS SNI support enabled

I also just compiled ffmpeg 6.1; it's currently in testing but seems to work well.

I know how to fully integrate it into the panel; I'll do so if it holds up.

I'll give an update when the tests are complete.

ffmpeg version 6.1.1 Copyright (c) 2000-2023 the FFmpeg developers
built with gcc 7 (Ubuntu 7.5.0-3ubuntu1~18.04)
configuration: --prefix=/root/ffmpeg_build --bindir=/root/bin/ffmpeg_bin/static
--pkg-config-flags=--static --extra-cflags=-I/root/ffmpeg_build/include --extra-ldflags=-L/root/ffmpeg_build/lib --extra-libs='-L/root/ffmpeg_build/lib -lx265 -lstdc++ -lm -lgcc -lrt -ldl -lnuma -lssl -lcrypto -static-libgcc -static-libstdc++ -lx264 -lass -lfontconfig -lfreetype -lz -lbz2 -lgmp -lunistring -lnuma -lpthread -lm -ldl -lrt' --enable-gpl --enable-version3 --enable-nonfree --enable-static --disable-shared --disable-ffplay --disable-debug --disable-doc --enable-openssl --enable-libx264 --enable-libx265 --enable-libmp3lame --enable-libopus --enable-libvorbis --enable-libass --enable-libfreetype --enable-fontconfig --enable-zlib --enable-bzlib --enable-postproc --enable-gray --enable-runtime-cpudetect
libavutil 58. 29.100 / 58. 29.100
libavcodec 60. 31.102 / 60. 31.102
libavformat 60. 16.100 / 60. 16.100
libavdevice 60. 3.100 / 60. 3.100
libavfilter 9. 12.100 / 9. 12.100
libswscale 7. 5.100 / 7. 5.100
libswresample 4. 12.100 / 4. 12.100
libpostproc 57. 3.100 / 57. 3.100

 

[waskip1]

> Hidden text, you need have 100 reactions, now you have 0 reactions.

wow, it will take me years to reach 100 reactions haha

thanks for posting this though

edit: I'm happy to help with any coding for php files

 

[go13]

as promised here is the new nginx for xuione :

Spoiler: Nginx 1.28

https://www.mediafire.com/file/3zmxqsm76cv0x5n/nginx/file

And ffmpeg recompiled 6.1.1 :

To view the content, you need to Sign In or Register.

To view the content, you need to Sign In or Register.

 

[dreambox2011]

hi go13 thank you for everything LB api.php need and . /home/xui/config/config.ini I wonder if you have a chance to encrypt the data in it, usually the

leakage is from here, they take our main or balance ropes and attack them and make bad use of them

I hope you will help thank you

 

[halitvhd]

as promised here is the new nginx for xuione :

Spoiler: Nginx 1.28

https://www.mediafire.com/file/3zmxqsm76cv0x5n/nginx/file

And ffmpeg recompiled 6.1.1 :


*** Hidden text: cannot be quoted. ***


*** Hidden text: cannot be quoted. ***

Hi, ffmpeg, ffprobe not working down all channels.

 

[go13]

Hi, ffmpeg, ffprobe not working down all channels.

chown xui:xui /home/xui/bin/ffmpeg_bin/4.3/ffmpeg

chown xui:xui /home/xui/bin/ffmpeg_bin/4.3/ffprobe

chmod 0550 /home/xui/bin/ffmpeg_bin/4.3/ffmpeg

chmod 0550 /home/xui/bin/ffmpeg_bin/4.3/ffprobe

reboot

 

[joelonlyne]

Recursively for all files inside xui

chown -R xui:xui /home/xui/