Tutalicious - Tutorial Repository
#1
Posted 08 February 2013 - 10:33 AM
I am currently working on a new project called Tutalicious. This will be a huge tutorial repository with a broad range of categories ranging from things such as Web Development, 3D modelling to things like how to change a car headlight.
Users can submit their own tutorials via a youtube embed link, or can create their own text tutorials.
You can also rate tutorials and view user information.
The site is currently in its Beta stage and I would like you to test it and make sure there are no bugs however big or small. And if you have any crits about the layout then I am open to them too.
More features will be coming once the site is deemed stable enough to move on.
http://beta.tutalici.../php_freaks.txt
http://beta.tutalicious.com
Thanks.
#2
Posted 11 February 2013 - 08:16 AM
In Firefox version 13.0.1 the Sign in with Facebook button is a bit above the login and register buttons.
I would rather not create an account, especially without any clear indication what my errors in registering are. Do you have a test account?
#3
Posted 11 February 2013 - 08:48 AM
The problems with the search are only when you type, all html is escaped properly on the actual pages.
As for the template, I have a new design in the works which I will be showcasing soon.
Thanks
#4
Posted 11 February 2013 - 09:35 AM
Anyways, I broke the submit by disabling javascript.
When you use firebug (in my case) to change the option value of the selection when submitting, it gives you a different page as to what it would be normally. What I'm talking about is, instead of a textbox for the link, it shows a content textarea.
Edit: I guess it defaults to a text-type submit, but it will continue even if you select "Choose a type"
The text-type submit does not work at all, and will continue to provide an error to provide an iframe link. Also when the error is given, the layout gets messed up.
Also when submitted, you aren't checking the extension of the file uploaded, I just uploaded two (two tests) "evil.php" files (blank) to your server. Also you should check if there are any vulnerabilities created from the submitting I did on your end other than the uploading. You should also be checking the iframe content, you say it must be YouTube or Vimeo on the home page, but a Google iframe passed validation.
Edited by SocialCloud, 11 February 2013 - 09:50 AM.
#5
Posted 11 February 2013 - 11:25 AM
iframe validation is done when they enter the approval queue, that's why there is an approval queue.
I just tried uploading php and a JS file as the thumbnail and those did not work. I am checking the extension of the uploaded file. Your uploads did not go through as there is no directory associated with you.
You also say you used SQL injection to gain access to a user account. You registered a username called " ' " (single quote). How is this SQL injection? I realise though I should add a min length to usernames.
Also the manipulation of select elements isn't important to me. If a user decided to manipulate the HTML then it is their fault if it breaks their experience.
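The thread above reports that an arbitrary iframe (a Google one) passed the submit-time check, with the approval queue left as the only safeguard. The following is an added example, not code from Tutalicious or from anyone in this thread, of the usual defensive pattern: accept only a video URL, check its host against an allowlist, extract the video id, and let the server build the iframe markup so user-supplied HTML never reaches the page. It assumes PHP 8 (for str_contains and str_starts_with); the host list, the video-id pattern and the sample inputs are assumptions constructed for the example.

```php
<?php
// Added example (not Tutalicious code). Validate a submitted video URL against
// an allowlist of embed hosts and rebuild a known-good embed URL from it.

// Assumed allowlist: the hosts the home page says are accepted (YouTube, Vimeo).
const ALLOWED_EMBED_HOSTS = [
    'www.youtube.com'  => true,
    'youtube.com'      => true,
    'youtu.be'         => true,
    'vimeo.com'        => true,
    'player.vimeo.com' => true,
];

/**
 * Returns a canonical embed URL for an allowed host, or null if the
 * submission is rejected. Only the URL is stored; the <iframe> element
 * is generated by the site, never copied from the user.
 */
function embed_url_for(string $input): ?string
{
    $parts = parse_url(trim($input));
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                       // bare markup, javascript:, relative paths
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    $host = strtolower($parts['host']);
    if (!isset(ALLOWED_EMBED_HOSTS[$host])) {
        return null;                       // google.com or any other host
    }
    $path = $parts['path'] ?? '';
    parse_str($parts['query'] ?? '', $query);

    // Pull out the video id for each accepted URL shape.
    if ($host === 'youtu.be') {
        $id = ltrim($path, '/');
    } elseif (str_contains($host, 'youtube.com')) {
        $id = str_starts_with($path, '/embed/')
            ? substr($path, strlen('/embed/'))
            : ($query['v'] ?? '');
    } else {                               // vimeo.com or player.vimeo.com
        $id = basename($path);
    }
    // Assumed id format: a short token of URL-safe characters, nothing else.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $id)) {
        return null;
    }
    return str_contains($host, 'vimeo')
        ? 'https://player.vimeo.com/video/' . $id
        : 'https://www.youtube.com/embed/' . $id;
}

// The iframe is built server-side from the validated URL, attribute-encoded.
function embed_iframe(string $url): string
{
    return '<iframe src="' . htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8')
         . '" allowfullscreen></iframe>';
}

// Constructed sample submissions (the ids are placeholders, not real videos).
$samples = [
    'https://www.youtube.com/watch?v=abc123XYZ',
    'https://youtu.be/abc123XYZ',
    'https://vimeo.com/123456',
    'https://www.google.com/',                                   // wrong host
    'javascript:alert(1)',                                       // no host
    '<iframe src="https://www.youtube.com/embed/x"></iframe>',   // markup, not a URL
];
foreach ($samples as $s) {
    $url = embed_url_for($s);
    echo str_pad($s, 58), ' => ', $url === null ? 'REJECTED' : embed_iframe($url), PHP_EOL;
}
```

Doing this at submit time means the approval queue reviews content, not whether a submission is safe to render; it also keeps the stored value a plain URL, so later templates have nothing to escape except the URL itself.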
#6
Posted 11 February 2013 - 12:05 PM
http://beta.tutalicious.com/app/ph%3Cimg%20src=%22.%22%20onerror=%22alert(hi');%22%3Ep. Chrome saves you by detecting it and stripping it. Other browsers may not.
You have an XSS problem with your signup form. For example enter: "> <img src="." onerror="alert('Hi!');"><b id=" for the username and mis-matching passwords to cause an error. The same issue is present for the email field.
The same XSS problem exists with your login form as well.
Did I help you out? Feeling generous? I accept tips via Paypal or Bitcoin @ 14mDxaob8Jgdg52scDbvf3uaeR61tB2yC7
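The reports in this thread describe the same defect each time: a value taken from the request (username, email, or the URL path) is placed into the error page as raw HTML. The following is an added example, not code from Tutalicious or from anyone in this thread, showing the vulnerable concatenation next to the fix, which is to encode every untrusted value for the HTML context it lands in. The message wording and the render_error_* function names are assumptions; the payload string is the one quoted in post #6.

```php
<?php
// Added example (not Tutalicious code): a signup error that reflects the
// submitted username, in its vulnerable and its fixed form.

// Vulnerable: the raw username is concatenated into HTML, so a username
// containing "> <img ... onerror=...> becomes live markup on the error page.
function render_error_vulnerable(string $username): string
{
    return '<p class="error">The passwords for user "' . $username . '" do not match.</p>';
}

// Fixed: one small helper applied at every output point. ENT_QUOTES covers
// both quote characters, so the value is safe inside attributes as well as
// in element text; the charset must match the page's Content-Type.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_error_fixed(string $username): string
{
    return '<p class="error">The passwords for user "' . h($username) . '" do not match.</p>';
}

// Constructed input: the username payload quoted in post #6.
$payload = '"> <img src="." onerror="alert(\'Hi!\');"><b id="';

echo render_error_vulnerable($payload), PHP_EOL;
// Contains a real <img onerror=...> element: the browser executes it.
echo render_error_fixed($payload), PHP_EOL;
// Contains &quot;&gt; &lt;img src=&quot;.&quot; ... : rendered as text, nothing executes.
```

The same h() call belongs around anything echoed from $_SERVER['REQUEST_URI'], $_GET or $_POST, including the path reflected in the URL at the top of this post; a minimum username length or a character allowlist is a reasonable extra check but does not replace output encoding, since the email field and the login form reflect input too.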
#7
Posted 11 February 2013 - 12:30 PM
Errors such as that will only ever be visible to the user who does them, I will however fix the issue.
Thanks
#8
Posted 11 February 2013 - 12:34 PM
#9
Posted 11 February 2013 - 01:51 PM
Errors such as that will only ever be visible to the user who does them.
Wrong. All someone has to do is craft a special URL then send it out to people. Anyone who clicks that URL will then have that XSS problem. Someone can do quite a bit using XSS such as steal cookies, login information, personal details, etc.
http://bit.ly/XD0BVC <- click there for a sample (edit: in a browser that won't save you, such as firefox).
Edited by kicken, 11 February 2013 - 01:52 PM.
#10
Posted 12 February 2013 - 08:21 AM
You also say you used SQL injection to gain access to a user account.
Testing SQL injection... and if I registered it then your registration doesn't work properly as it always showed an error.
Back on topic, another XSS vulnerability on the profile page with their website
Edited by SocialCloud, 12 February 2013 - 08:22 AM.
#11
Posted 14 February 2013 - 11:00 AM
I have removed all bugs mentioned and uploaded the new site design too.
If you find any more bugs please let me know.
Thanks
#12
Posted 14 February 2013 - 11:19 AM
I have removed all bugs mentioned and uploaded the new site design too.
Your XSS vulnerability is still there.
#13
Posted 14 February 2013 - 01:46 PM
#14
Posted 14 February 2013 - 03:06 PM
#15
Posted 14 February 2013 - 03:34 PM
#16
Posted 14 February 2013 - 04:15 PM
#17
Posted 16 February 2013 - 02:10 PM
#18
Posted 19 February 2013 - 09:17 AM
#19
Posted 03 March 2013 - 01:08 PM
Just to add to some additional importance to the XSS vulnerabilities other users were discussing, visit: http://cwe.mitre.org...dex.html#CWE-79