deth4uall Posted June 8, 2012 Share Posted June 8, 2012 I am working on the v2.0 rewrite of my game and I even created a whole microframework for it so that I can quickly get it done. Right now however I am needing more testers because I am looking to get some good reliable feedback since the present players on the main server are too few to give me a wide range of feedback on it. The framework I created is at http://github.com/deth4uall/Obsidian-Moon-Engine/ if you want to check it out, released under BSD license. The link to the application in question is: http://testing.ultimate-battle-online.com/ and below is my phpfreaks.txt http://testing.ultimate-battle-online.com/phpfreaks.txt Link to comment Share on other sites More sharing options...
creata.physics Posted June 11, 2012 Share Posted June 11, 2012 do you have a demo account set up with a demo pin? Registration page says: Before you can continue registering you will need to choose how you will continue registering an account. With no options to follow. Can't really test anything without access to the script. Okay, noticed that register link on the index page takes me here: http://testing.ultimate-battle-online.com/main/start/ Should take me here: http://testing.ultimate-battle-online.com/main/register/ Registration failure, after form was process I recieved this error: Fatal error: Call to undefined function remove_invisible_characters() in /home/uboeleme/Obsidian-Moon-Engine/classes/core_security.php on line 112 Link to comment Share on other sites More sharing options...
deth4uall Posted June 13, 2012 Author Share Posted June 13, 2012 Right, thanks! I PMed you with some details until I get that fixed. Link to comment Share on other sites More sharing options...
deth4uall Posted June 13, 2012 Author Share Posted June 13, 2012 I have edited it so that it should be working right. Link to comment Share on other sites More sharing options...
darkfreaks Posted July 7, 2012 Share Posted July 7, 2012 viewthread.php is vulnerable to XSS recommend strip_tags to sanitize the variables on that page. Link to comment Share on other sites More sharing options...
darkfreaks Posted July 8, 2012 Share Posted July 8, 2012 please disregard last post it was a mix up with someone else?s thread. XSS: register.php login_name recommend strip_tags or filter_var Link to comment Share on other sites More sharing options...
ZulfadlyAshBurn Posted July 8, 2012 Share Posted July 8, 2012 The pin is forever 431 and the lock after 3 tries does not work. Link to comment Share on other sites More sharing options...
darkfreaks Posted July 11, 2012 Share Posted July 11, 2012 Vulnerability description This script is possibly vulnerable to Cross Site Scripting (XSS) attacks. Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser. This vulnerability affects /main/register/. Discovered by: Scripting (XSS.script). The impact of this vulnerability Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user. Attack details URL encoded POST input display_name was set to " onmouseover=prompt(902527) bad=" The input is reflected inside a tag element between double quotes. URL encoded POST input email1 was set to " onmouseover=prompt(924240) bad=" The input is reflected inside a tag element between double quotes. URL encoded POST input email2 was set to " onmouseover=prompt(952274) bad=" The input is reflected inside a tag element between double quotes. URL encoded POST input login_name was set to " onmouseover=prompt(944670) bad=" The input is reflected inside a tag element between double quotes. How to fix this vulnerability Your script should filter metacharacters from user input. (IE strip_tags or filter_var ) Link to comment Share on other sites More sharing options...
deth4uall Posted August 17, 2012 Author Share Posted August 17, 2012 Thanks, I have changed that so that it will filter out the tags. Link to comment Share on other sites More sharing options...
darkfreaks Posted August 17, 2012 Share Posted August 17, 2012 seems alot better but the login_name field is still vunerable to javascript input. i'll test more tommorow Link to comment Share on other sites More sharing options...
Christian F. Posted August 17, 2012 Share Posted August 17, 2012 The tip given from that scanner used by darkfreaks is not a good one. You should escape the output using htmlspecialchars (), not using a blacklist to filter out some of the known Bad Stuff ; You'll never know all of the Bad Stuff, after all. So better to make sure that whatever it is, it's considered as pure text as far as the browser is concerned. Link to comment Share on other sites More sharing options...
darkfreaks Posted August 17, 2012 Share Posted August 17, 2012 that was from me. not my scanner. also you could do a better job of explaining why they are "bad" The PHP function striptagsis the classic solution for attempting to clean up HTML. It is also the worst solution, and should be avoided like the plague. The fact that it doesn't validate attributes at all means that anyone can insert an onmouseover='xss();' and exploit your application. While this can be bandaided with a series of regular expressions that strip out on[event] (you're still vulnerable to XSS and at the mercy of quirky browser behavior), striptags is fundamentally flawed and should not be used. anyhow Christian is right you do need to Escape any XSS on output of the variable. //safely outputs XSS $login_name= htmlspecialchars($_POST['login_name'],ENT_QUOTES,'utf-8'); also using htmlspecialchars by itself will not remove all types of attacks (javascript) because of the difference in quotes. if you want to securely remove XSS i would reccomend using htmlpurifier instead of built in php functions. Link to comment Share on other sites More sharing options...
Christian F. Posted August 17, 2012 Share Posted August 17, 2012 A bit of why it's considered "bad", is explained in the PHP manual itself. More specifically, in the warnings. There's also a thread @ StackOverflow that lists a couple more reasons, and then we have this article on why strip_tags is not enough. Hopefully that's enough of an explanation? Link to comment Share on other sites More sharing options...
deth4uall Posted August 30, 2012 Author Share Posted August 30, 2012 Oh okay, thanks that is good to know. I appreciate all the help I will get this included and uploaded as soon as I can Link to comment Share on other sites More sharing options...
darkfreaks Posted September 1, 2012 Share Posted September 1, 2012 you are down to one warning (GOOD) all you are allowing now is simple javascript attacks. you can do more validation with the login name //checking if login name contains letters or numbers only $variable = ctype_alnum($_POST['login_name') ? $_POST['login_name'] : 'Please post a username with Letters or numbers only!'; Link to comment Share on other sites More sharing options...
darkfreaks Posted September 12, 2012 Share Posted September 12, 2012 http://lmgtfy.com/?q=htmlpurifier+validation+php OP: might have thought using JS and ASP was going to get rid of inection but it still persists on your register page. please look into the above link. Link to comment Share on other sites More sharing options...
Recommended Posts