
BA - Beta Testing


Twister1004

Recommended Posts

I am needing testing of the website's vulnerabilities.

PLEASE NOTE: I have VERY VERY little experience with securing websites, which is why I would like to do this.

If you find a security vulnerability, could you let me know and also mention how to fix it as well? I will be doing research for it, but I would still like user input.

Also, this website is completely clean and only has certain data on it. Also, please feel free to use anything at your fingertips. You will not be able to crash anything of my personal property.

Thank you very much.

Best Regards and have fun trashing my site :P

URL: http://projecta.ulmb.com

URL to required text file: http://projecta.ulmb.com/test.txt

Again I would like to thank anyone who helps me secure the site by your input!


You should remove all of the ad pop ups until testing is done.

Cross Site Scripting (XSS):

You can submit code on comments and it'll execute.

http://projecta.ulmb.com/news.php?NUID=13

Cross Site Scripting (XSS):

You can submit code in profile fields and it'll execute.

http://projecta.ulmb.com/profile.php?p=4

MySQL Error:

http://projecta.ulmb.com/profile.php?p='

Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in /hosted/subs/ulmb.com/p/r/projecta/public_html/inc/functions.php on line 257

Full Path Disclosure:

http://projecta.ulmb.com/news.php?NUID[]

Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /hosted/subs/ulmb.com/p/r/projecta/public_html/news.php on line 4

Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /hosted/subs/ulmb.com/p/r/projecta/public_html/news.php on line 26

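The four findings in that post (stored XSS in comments and profile fields, a boolean reaching mysql_num_rows(), and the path disclosure from NUID[]) share one root cause: request values are used unchecked and warnings are printed to the page. The following is an added example, not the site's code or anything posted in this thread, showing how a news.php-style page can handle the same request safely. The database credentials and the table and column names (comments.news_id, author, body) are assumptions.

```php
<?php
// Added example (not the site's code): one way to close the four findings above.
// - NUID is validated as a positive integer; an array such as NUID[] is rejected
//   before it can reach any escaping or query function.
// - The query is a mysqli prepared statement and its result is checked before use,
//   so a failed query never reaches a num_rows()-style call with a boolean.
// - Warnings go to the error log instead of the page, which removes the path disclosure.
// - Comment text is HTML-escaped on output, so submitted markup is shown, not executed.
// Credentials, table and column names (comments.news_id, author, body) are assumptions.

ini_set('display_errors', '0');   // never print warnings (with server paths) to visitors
ini_set('log_errors', '1');       // keep them in the web server's error log instead
error_reporting(E_ALL);

// Returns a positive int, or null for anything else: missing, an array, "13abc", "-1".
function read_id(array $params, string $name): ?int {
    if (!isset($params[$name]) || is_array($params[$name])) {
        return null;
    }
    $id = filter_var($params[$name], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Escape text for an HTML body or attribute: <script> becomes &lt;script&gt;.
function h(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$nuid = read_id($_GET, 'NUID');
if ($nuid === null) {
    http_response_code(400);
    exit('Invalid news id.');
}

$db = new mysqli('localhost', 'db_user', 'db_password', 'projecta'); // placeholder credentials
$db->set_charset('utf8mb4');

// The id travels as a bound parameter, never as part of the SQL text.
$stmt = $db->prepare('SELECT author, body FROM comments WHERE news_id = ? ORDER BY id');
if ($stmt === false || !$stmt->bind_param('i', $nuid) || !$stmt->execute()) {
    error_log('comment query failed: ' . $db->error);
    http_response_code(500);
    exit('Something went wrong.');      // generic message, no internals
}

$result = $stmt->get_result();        // needs the mysqlnd driver (the default since PHP 5.4)
while ($row = $result->fetch_assoc()) {
    echo '<p><b>', h($row['author']), '</b>: ', h($row['body']), '</p>', "\n";
}
```

The same h() wrapper belongs around every profile field that profile.php prints, and the same read_id() check applies to its p parameter, which is where the mysql_num_rows() warning came from. Keeping display_errors off in production does not hide bugs; it moves them to the error log, where they belong.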

You should remove all of the ad pop ups until testing is done.

Cross Site Scripting (XSS):

You can submit code on comments and it'll execute.

http://projecta.ulmb.com/news.php?NUID=13

Cross Site Scripting (XSS):

You can submit code in profile fields and it'll execute.

http://projecta.ulmb.com/profile.php?p=4

MySQL Error:

http://projecta.ulmb.com/profile.php?p='

Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in /hosted/subs/ulmb.com/p/r/projecta/public_html/inc/functions.php on line 257

Full Path Disclosure:

http://projecta.ulmb.com/news.php?NUID[]

Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /hosted/subs/ulmb.com/p/r/projecta/public_html/news.php on line 4

Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /hosted/subs/ulmb.com/p/r/projecta/public_html/news.php on line 26

I have fixed those problems, so those problems should be fixed =)!

Thank you for testing the website for me!

Also, for the pop-ups, I have no control about that. The web server I am using automatically pops those up. I'm buying a web server in a day or so.


1. Email address validation is missing; I created an account with email = 11

2. Possible to register LINK while you are logged in.

3. XSS (true) http://projecta.ulmb.com/news.php?NUID=11

4. Possible to comment on posts that do not exist, and check the length of comments. http://projecta.ulmb.com/news.php?NUID=9999

5. On link http://projecta.ulmb.com/admin/ your refresh meta is not inside the head tag, so it doesn't work. Well, I am using Chrome.

 <meta http-equiv="refresh" content="2 url='../'"/>


When you get it on a new server post back and I will look at it more. For now, the ads are far too annoying to do any kind of serious testing. I was getting popups / overlays on every single page load.

The Webserver is set up finally!

The address is: http://artistbeginnings.com

There are also NO ADS... yet anyways.

1. Email address validation is missing; I created an account with email = 11

2. Possible to register LINK while you are logged in.

3. XSS (true) http://projecta.ulmb.com/news.php?NUID=11

4. Possible to comment on posts that do not exist, and check the length of comments. http://projecta.ulmb.com/news.php?NUID=9999

5. On link http://projecta.ulmb.com/admin/ your refresh meta is not inside the head tag, so it doesn't work. Well, I am using Chrome.

 <meta http-equiv="refresh" content="2 url='../'"/>

I just went through all of the items you mentioned, and I have fixed them, as far as I can tell.

If you find any more errors at all, please let me know.

Thank you again for testing the website!


Your register form should re-populate the fields with the values when there is a validation error. Having to re-fill the form is annoying and will deter people from registering.

Your age calculation seems to be a tiny bit off. I was able to register successfully with a birthday that would make me 12 years old, not 13 like your error says you require.

When registration is successful, you should not show the registration form, and your message saying it was successful could be a bit bigger. Also:

Your account was successfully created.

Please wait at least one(1) minute before you log into your account.

Why? If they have to wait for an email confirmation, say that, don't just say wait one minute. If there is some other reason for the wait, it sounds like something you need to fix, not just ask people to wait.

When posting comments, you seem to have some issues with slashes. I posted the comment:

We say, "Welcome, O'neill!"

<a href="/"> / </a>

And what got posted was:

We say, \\\"Welcome, O\\\'neill!\\\"\r\n\r\n /

(or as the html)

We say, \\\"Welcome, O\\\'neill!\\\"\r\n\r\n<a href="\\\"/\\\""> / </a>

You are still vulnerable to XSS attacks in your comment area, see the comment here, from batest. Click the link asdf

If I try and use the password recovery page, it tells me the birthday is invalid, even though I am entering the one I used on the registration page.

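The registration issues raised in the thread (an e-mail address of "11" accepted, the 13-year age check letting a 12-year-old through, and the form not being re-filled after an error) are all server-side validation problems. Here is an added example of the checks, written for this thread and not taken from the site; the field names (email, birthday, username) and the sample submission are assumptions. The age check compares whole dates, which is where a "current year minus birth year" calculation goes wrong.

```php
<?php
// Added example, not the site's code: server-side checks for the registration
// problems reported in this thread (an e-mail of "11" accepted, the 13-year age
// check letting a 12-year-old through) and a safe way to re-fill the form after
// a validation error. Field names (email, birthday, username) are assumptions.

// Returns the submitted string for $field, or '' if it is missing or not a string
// (a field sent as an array, e.g. email[], must not reach trim()).
function field(array $post, string $field): string {
    $value = $post[$field] ?? null;
    return is_string($value) ? trim($value) : '';
}

// True when a person born on $birthday (YYYY-MM-DD) turned $min_years on or before
// $today. Comparing whole dates avoids the off-by-one of "this year minus birth year".
function is_old_enough(string $birthday, int $min_years, DateTimeImmutable $today): bool {
    $born = DateTimeImmutable::createFromFormat('!Y-m-d', $birthday);
    if ($born === false || $born->format('Y-m-d') !== $birthday) {
        return false;                               // not a real calendar date (e.g. 2011-02-30)
    }
    return $born <= $today->modify("-{$min_years} years");
}

// Returns an array of field => error message; empty means the submission is valid.
function validate_registration(array $post, DateTimeImmutable $today): array {
    $errors = [];
    if (filter_var(field($post, 'email'), FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Enter a valid e-mail address.';      // "11" fails here
    }
    if (!is_old_enough(field($post, 'birthday'), 13, $today)) {
        $errors['birthday'] = 'You must be at least 13 years old to register.';
    }
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', field($post, 'username'))) {
        $errors['username'] = 'Use 3 to 20 letters, digits or underscores.';
    }
    return $errors;
}

// Value to put back into an input after a failed submission. Escaping it means a
// value like "><script> is shown as text instead of becoming markup.
function old(array $post, string $field): string {
    return htmlspecialchars(field($post, $field), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample submission, as $_POST would arrive:
$sample = ['email' => '11', 'birthday' => '2000-06-01', 'username' => 'batest'];
$errors = validate_registration($sample, new DateTimeImmutable('2011-05-01'));
// $errors has entries for 'email' and 'birthday' (this person is 10 on that date)

if ($errors !== []) {
    // Show the form again with what the user typed, plus the messages.
    echo '<input name="email" value="', old($sample, 'email'), '">', "\n";
    echo '<input name="birthday" value="', old($sample, 'birthday'), '">', "\n";
    foreach ($errors as $f => $message) {
        echo '<p class="error">', htmlspecialchars($message), '</p>', "\n";
    }
}
```

The password-recovery complaint in the same post (the birthday that registered fine is rejected later) is usually the same bug seen from the other side: parse and compare the date the same way in both places, with one shared function such as is_old_enough(), and the two pages cannot disagree.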

Your register form should re-populate the fields with the values when there is a validation error. Having to re-fill the form is annoying and will deter people from registering.

Your age calculation seems to be a tiny bit off. I was able to register successfully with a birthday that would make me 12 years old, not 13 like your error says you require.

When registration is successful, you should not show the registration form, and your message saying it was successful could be a bit bigger. Also:

Your account was successfully created.

Please wait at least one(1) minute before you log into your account.

Why? If they have to wait for an email confirmation, say that, don't just say wait one minute. If there is some other reason for the wait, it sounds like something you need to fix, not just ask people to wait.

When posting comments, you seem to have some issues with slashes. I posted the comment:

We say, "Welcome, O'neill!"

<a href="/"> / </a>

And what got posted was:

We say, \\\"Welcome, O\\\'neill!\\\"\r\n\r\n /

(or as the html)

We say, \\\"Welcome, O\\\'neill!\\\"\r\n\r\n<a href="\\\"/\\\""> / </a>

You are still vulnerable to XSS attacks in your comment area, see the comment here, from batest. Click the link asdf

If I try and use the password recovery page, it tells me the birthday is invalid, even though I am entering the one I used on the registration page.

I also noticed some more security vulnerabilities, and fixed them in the process as well. The registration suggestions and issues, I have fixed. Although I'm not sure why it accepted someone at 2000, I tried and it only allowed 1999 or older. The comments, I will fix in time. I'm not sure exactly why it's doing that. It shouldn't be adding that many slashes. However, I'll fix it once I can figure out the cause.

I will have to read more on XSS attacks then...

I really appreciate your help, I really do!


There should be no reason to use stripslashes() on data coming from the database. If the data is being stored with escaping slashes, then something is wrong with the way it's being inserted to begin with, and that is what should be fixed.


No, the problem is that the data is being escaped more than once. The OP needs to figure out why that's happening, whether it's due to magic_quotes_gpc() being ON, or just redundant/unnecessary code and correct the problem.


use stripslashes when you echo out your message from your database

There should be no reason to use stripslashes() on data coming from the database. If the data is being stored with escaping slashes, then something is wrong with the way it's being inserted to begin with, and that is what should be fixed.

I am using stripslashes() upon output. However, there seems to be an extra slash that it is not removing.

then use htmlspecialchars on the message just before inserting it into the database.

htmlspecialchars() will not fix this issue. It is more than likely due to what Pikachu2000 has said.

No, the problem is that the data is being escaped more than once. The OP needs to figure out why that's happening, whether it's due to magic_quotes_gpc() being ON, or just redundant/unnecessary code and correct the problem.

As far as I am aware, I am not using magic_quotes_gpc(). I am using mysql_real_escape_string(). I also just found out, I am using it more than once as well. So I will be spending my time formatting the site again with my functions.


You wouldn't "use" magic_quotes_gpc(), per se. You do need to either ensure it's off by setting the directive in the php.ini file, or check for it with get_magic_quotes_gpc, then if it's on (and ONLY if it's on) you'd run stripslashes() on the incoming form data before escaping it. So it would be a function something like this:

function MAGIC_QUOTES_GPC_SUCKS($data) {
	if( is_array($data) ) {
		// Nested form fields (name="tags[]") are handled element by element.
		return array_map('MAGIC_QUOTES_GPC_SUCKS', $data);
	}
	// get_magic_quotes_gpc() returns 0 or 1, so a strict === TRUE test would never match.
	if( get_magic_quotes_gpc() ) {
		$data = stripslashes($data);
	}
	return mysql_real_escape_string($data);
}

Obviously, you'd need to add a check to make sure you didn't pass an array to the function, or change it to work with arrays.


  • 2 weeks later...

You wouldn't "use" magic_quotes_gpc(), per se. You do need to either ensure it's off by setting the directive in the php.ini file, or check for it with get_magic_quotes_gpc, then if it's on (and ONLY if it's on) you'd run stripslashes() on the incoming form data before escaping it. So it would be a function something like this:

function MAGIC_QUOTES_GPC_SUCKS($data) {
	if( is_array($data) ) {
		// Nested form fields (name="tags[]") are handled element by element.
		return array_map('MAGIC_QUOTES_GPC_SUCKS', $data);
	}
	// get_magic_quotes_gpc() returns 0 or 1, so a strict === TRUE test would never match.
	if( get_magic_quotes_gpc() ) {
		$data = stripslashes($data);
	}
	return mysql_real_escape_string($data);
}

Obviously, you'd need to add a check to make sure you didn't pass an array to the function, or change it to work with arrays.

So basically if Magic quotes is on, I do NOT need to run mysql_real_escape_string?

Would it be better to keep using Magic_quotes or just turn it off?


So basically if Magic quotes is on, I do NOT need to run mysql_real_escape_string?

That was the idea behind it when the directive was created. It failed horribly at doing its job and caused far more issues than it solved though, which is why it has been disabled by default for a while, and is finally being outright removed from PHP altogether (as of 5.4).

You should always assume these settings when you code:

error_reporting=E_ALL
magic_quotes_gpc=Off
register_globals=Off
short_open_tag=Off

And code your scripts to work in that environment without errors. In the case of magic_quotes_gpc, if it is on then you have to undo its effect by running everything in $_POST, $_GET, $_REQUEST, and $_COOKIE through stripslashes(). You can do this using a recursive function fairly easily; Google can probably find you an implementation if you don't know how to make one.

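Two things in this part of the thread are worth seeing in running code: why the OP's comments came back with triple backslashes (the escaping-more-than-once explanation), and the recursive magic_quotes_gpc undo that the post above says to write for $_POST, $_GET, $_REQUEST and $_COOKIE. The block below is an added example written for this thread, not code from the site or from any poster. It uses addslashes() and stripslashes() as stand-ins for mysql_real_escape_string() and MySQL's parsing of a string literal so that it runs without a database; for quotes and backslashes the rules are the same.

```php
<?php
// Added example, not code from this thread. Part 1 reproduces the slash build-up
// reported above: every pass of quote-escaping that is not undone by MySQL's own
// parsing of the string literal leaves one more backslash in the stored value.
// Part 2 is the recursive magic_quotes_gpc undo described above, applied once to
// the request arrays so that the rest of the script escapes exactly once.
// addslashes()/stripslashes() stand in for mysql_real_escape_string() and MySQL's
// literal parsing; quote and backslash handling is the same, newlines are not modelled.

function escape_n_times(string $value, int $passes): string {
    for ($i = 0; $i < $passes; $i++) {
        $value = addslashes($value);   // backslash before ' " and \ (as mysql_real_escape_string does)
    }
    return $value;
}

// What ends up in the column: MySQL removes exactly one layer of backslashes.
function stored_value(string $escaped): string {
    return stripslashes($escaped);
}

// Constructed input: the comment from the report earlier in the thread.
$comment = 'We say, "Welcome, O\'neill!"';

$once  = stored_value(escape_n_times($comment, 1));   // We say, "Welcome, O'neill!"   (round-trips intact)
$twice = stored_value(escape_n_times($comment, 2));   // We say, \"Welcome, O\'neill!\"
$three = stored_value(escape_n_times($comment, 3));   // We say, \\\"Welcome, O\\\'neill!\\\"

// With magic_quotes_gpc=On the first pass has already happened before the script
// runs, so a single mysql_real_escape_string() call is already the "twice" case,
// and stripslashes() on output only peels one layer back off.

// Part 2: undo magic_quotes_gpc recursively, once, at the start of the request.
function strip_magic_quotes($value) {
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);   // nested form fields such as tags[]
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// get_magic_quotes_gpc() was removed in PHP 8.0; function_exists() keeps this
// bootstrap code from fatalling there, where the directive no longer exists anyway.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = strip_magic_quotes($_GET);
    $_POST    = strip_magic_quotes($_POST);
    $_COOKIE  = strip_magic_quotes($_COOKIE);
    $_REQUEST = strip_magic_quotes($_REQUEST);
}

// From here on: escape each value exactly once, at the point it enters SQL (or
// bind it as a prepared-statement parameter), and apply htmlspecialchars() only
// when printing it into HTML. Nothing needs stripslashes() on the way out.
```

Part 1 is a quick way to audit the site's own functions: if a value stored through them comes back with backslashes, count them and you know how many escaping passes the input went through. Part 2 belongs in one include that every page loads first; once it is in place, any remaining backslashes come from the site's own code calling mysql_real_escape_string() more than once, which is what the OP found.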

No; magic_quotes_gpc was a poor idea, and has been removed from PHP as of version 5.4. If magic_quotes_gpc is on, you need to undo its escaping with stripslashes, and use mysql_real_escape_string instead.

EDIT: Somehow missed the reply above, even though it was an hour earlier than mine . . .
