
made from scratch forum


  • This topic is locked
19 replies to this topic

#1 InoBB
Advanced Member, 35 posts

Posted 01 May 2013 - 11:35 AM

Just got back into PHP after a few years away from it.

Been working on this forum script to kind of re-hone my skills:

 

Verification: http://www.inobb.net/phpfreaks.txt

demo: http://forum.inobb.net

 

login: test@test.com

pswd: testing01

 

Just want to see if I have any security issues, and anything else if you guys wanna just play around with it a bit.



#2 doddsey_65
Advanced Member, 904 posts, Location: North East UK, Age: 26

Posted 05 May 2013 - 07:27 AM

I logged in and the message said your reply has been posted.

 

XSS problems here http://forum.inobb.n...rum.php?forum=4

 

Should use strip_tags() here http://forum.inobb.n...topic=17&page=1

 

Got this when saving a signature

Warning: include(includes/lang/lang.Choose a Language.php) [function.include]: failed to open stream: No such file or directory in /home/content/44/10959644/html/forums/header.php on line 8

Warning: include() [function.include]: Failed opening 'includes/lang/lang.Choose a Language.php' for inclusion (include_path='.:/usr/local/php5_3/lib/php') in /home/content/44/10959644/html/forums/header.php on line 8

Test and help out with a new
100% open source forum package: A Simple Forum
Check the A Simple forum Github Page
Visit my Github profile to see what I work on.

#3 InoBB
Advanced Member, 35 posts

Posted 05 May 2013 - 06:01 PM

Alright, issues taken care of. No more XSS vulnerabilities as far as I can tell.

The include error was just a bad cookie being set. :/ Solved as well.



#4 SocialCloud
Advanced Member, 607 posts

Posted 06 May 2013 - 08:46 AM

XSS vulnerability in viewthread.php.  I put in "><iframe> and it broke the rest of the page.



#5 InoBB
Advanced Member, 35 posts

Posted 06 May 2013 - 09:34 AM

Man, seems XSS attacks are more of a problem than SQL injection nowadays. I think I've got the issue fixed with the iframe breakage.



#6 SocialCloud
Advanced Member, 607 posts

Posted 08 May 2013 - 10:02 AM

Another XSS vulnerability in your bbcode.  A user can enter XSS via "javascript:" and it will be inserted into the href.

There are also XSS vulnerabilities via bbcode in the signature as well.

 

Example:

url=javascript:alert(String.fromCharCode(88,83,83))]Click Me[/url]

 

 

Also, I sent a message to Lemon.  You should see if there are any XSS vulnerabilities via that as well.

 

Edit: Basically anywhere that you are converting BBCode is vulnerable.

 

http://forum.inobb.n...p?topic=3 is giving header errors.


Edited by SocialCloud, 08 May 2013 - 10:12 AM.
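One way to keep a "javascript:" target out of a BBCode link, as an added example (not the forum script's own code, and the function names are assumptions): escape the whole post as text first, then turn [url=...]...[/url] into an anchor only when the target is a well-formed http or https URL.

```php
<?php
// Added example, not the forum script's own code: render [url=...]text[/url]
// BBCode as a link only when the target is an http(s) URL, so "javascript:"
// and similar schemes are dropped instead of landing in href.

declare(strict_types=1);

/** Escape for HTML text or a double-quoted attribute value. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Return the URL if it is a well-formed http or https URL, else null. */
function safeHttpUrl(string $url): ?string
{
    // Drop control characters and whitespace a browser would ignore when
    // parsing the scheme, so "java\tscript:" cannot dodge the prefix check.
    $url = preg_replace('/[\x00-\x20\x7f]+/', '', $url) ?? '';
    if (!preg_match('#\Ahttps?://#i', $url)) {
        return null;
    }
    return filter_var($url, FILTER_VALIDATE_URL) !== false ? $url : null;
}

/** Convert [url=...]...[/url]; every other character is escaped as text. */
function renderUrlBbcode(string $post): string
{
    // Escape the whole post first so raw HTML never reaches the output, then
    // un-escape only the captured URL for validation and re-escape it.
    return preg_replace_callback(
        '#\[url=([^\]]+)\](.*?)\[/url\]#is',
        function (array $m): string {
            $href = safeHttpUrl(html_entity_decode($m[1], ENT_QUOTES, 'UTF-8'));
            $text = $m[2];                     // already escaped above
            return $href === null
                ? $text                        // link refused: plain text only
                : '<a href="' . e($href) . '" rel="nofollow">' . $text . '</a>';
        },
        e($post)
    );
}

// Constructed sample posts: one legitimate link, one with a script scheme.
echo renderUrlBbcode('[url=http://example.com/?a=1&b=2]Example[/url]'), "\n";
echo renderUrlBbcode('[url=javascript:alert(1)]Click Me[/url]'), "\n";
```

The same check applies wherever BBCode is converted (posts, signatures, private messages), which is the point made in the edit above.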


#7 InoBB
Advanced Member, 35 posts

Posted 09 May 2013 - 12:55 AM

K, made it so BBCode links send an HTTP request. Seems to have stopped JavaScript from being able to run, and it throws a website unavailable page.

Also used some regex to replace some items with Not Allowed; will keep looking into finding a more suitable way of dealing with this one.



#8 SocialCloud
Advanced Member, 607 posts

Posted 10 May 2013 - 11:37 AM

A few bugs:

 

XSS vulnerability in the title when creating a new topic.  As seen in the introductions section.

 

The options only work on the test forum?

 

Your track topic option doesn't alert the user that it was successful, or that you did anything upon click.

 

The profile settings do not update upon the next page load.  It will confuse some users into updating twice.

 

I have no idea what you're doing with your search, but some posts I search for just come up as "..."

 

You're allowing the user to track the same topic multiple times.

 

Weird post numbering?  Each page has almost the same number for each post.

 

If the topic does not exist, ie ?topic=9 you are showing a notice.

 

A user can supposedly reply to a topic that does not exist by changing ?topic= in the URL.

 

A user can supposedly create a new topic in a forum that does not exist by changing ?topic= in the URL.



#9 InoBB
Advanced Member, 35 posts

Posted 10 May 2013 - 03:05 PM

That's more like it, gives me a few things to work on. These are things (though I know of some of the bugs, such as changing the URL to post and reply) that I tend to overlook while coding this. Helps to have the extra set of eyes, thanks for this list SocialCloud. I'll work on it for a couple of days and when it's nice and clean I'll drop another post.

 

And what options do you speak of only working in the test forum?

 

And the search, yea I'm actually working on a more external script for that one. I don't like the way it functions.

 


Edited by InoBB, 10 May 2013 - 03:07 PM.


#10 InoBB
Advanced Member, 35 posts

Posted 10 May 2013 - 05:21 PM

Okay, so everything was much easier than I figured it was going to be.

 

    1) XSS null from topic title.

    2) Need to clarify with you what options don't work except in the test forum.

    3) Track topic now has a redirect with notification (looking at going into jQuery with AJAX for this).

    4) Profile settings still won't update unless I refresh the page completely. I guess since it's in a form (also looking into jQuery with AJAX to fix).

    5) Search is getting a complete restructure. Will come back on that at a later date.

    6) Users can no longer track the same topic multiple times.

    7) Post numbering is correct now (looking into setting the OP separate from replies, for the numbers' sake, they need love...).

    8) Had debug error reporting on, forgot to remove it the other night. No more notices.

    9) Users can "supposedly" reply to non-existent topics, or put topics in non-existent forums, BUT their posts go exactly where they are supposed to either way. Will look deeper into this issue.

 

You're awesome.


Edited by InoBB, 10 May 2013 - 05:23 PM.


#11 SocialCloud
Advanced Member, 607 posts

Posted 11 May 2013 - 03:13 PM

    2) Need to clarify with you what options don't work except in the test forum.

    4) Profile settings still won't update unless I refresh the page completely. I guess since it's in a form (also looking into jQuery with AJAX to fix).

 

Ok, for #2, I meant the latest reply box thing.  It only works if there has been a reply in a thread, but not when a topic is created.

 

For 4, you can do something like:

<input type='email' name='email2' id='email2' size='30' value='<?php echo(isset($_POST["email2"]) ? htmlentities($_POST["email2"], ENT_QUOTES, "UTF-8") : htmlentities($original, ENT_QUOTES, "UTF-8")); ?>' class='text-input' />

Refer to the sentence below.

 

Also, during figuring out settings, there's another XSS vulnerability in it.  A user can end the value='' by inserting a single quote.  Example on the test account settings.

 

Edit: All the img src are vulnerable to XSS in the src='' by the same method.  Put your mouse over the image.  Also looks like your new pagination doesn't work.


Edited by SocialCloud, 11 May 2013 - 03:28 PM.
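The single-quote problem described in this post, as an added example (not the forum script's code; function names are assumptions): the same value='' field rendered with the flags htmlentities() used by default in 2013 and then with ENT_QUOTES, which is what stops a quote in the input from closing the attribute.

```php
<?php
// Added example, not the forum script's code: the value='...' attribute from
// the snippet above, rendered with the 2013-era default flags and then with
// ENT_QUOTES, to show why a single quote in the input ends the attribute.

declare(strict_types=1);

/** htmlentities() as it behaved by default before PHP 8.1: ' is left alone. */
function attrLegacy(string $v): string
{
    return htmlentities($v, ENT_COMPAT, 'UTF-8');
}

/** Safe for single- or double-quoted attributes and for text nodes. */
function attrSafe(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The email field, with the escaping function passed in for comparison. */
function renderEmailField(string $value, callable $esc): string
{
    return "<input type='email' name='email2' id='email2' size='30'"
         . " value='" . $esc($value) . "' class='text-input' />";
}

// Constructed input: a quote that closes value='' followed by a second
// attribute, the shape of the problem reported for settings and img src.
$submitted = "a@b.c' title='injected";

// With ENT_COMPAT the quote survives and title='injected' becomes a real
// attribute of the input element.
echo renderEmailField($submitted, 'attrLegacy'), "\n";

// With ENT_QUOTES the quote is encoded, so everything stays inside value=''.
echo renderEmailField($submitted, 'attrSafe'), "\n";
```

The same attrSafe() call covers the img src='' case mentioned in the edit, since the escaping does not depend on which attribute the value lands in.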


#12 SocialCloud
Advanced Member, 607 posts

Posted 11 May 2013 - 03:43 PM

Also, could you send the test account a private message?  For testing purposes.



#13 InoBB
Advanced Member, 35 posts

Posted 11 May 2013 - 09:03 PM

Lol you were probably messing with it while I was in the middle of making changes :) The pagination works beautifully now. I went ahead with the JQuery AJAX form method, has better indication of something happening once a form is submitted. Removed the ability to use onmouseover, onmouseout, and other similar tags.



#14 SocialCloud
Advanced Member, 607 posts

Posted 11 May 2013 - 10:38 PM

Looks like I was.  The XSS still exists in the avatar URL.  I broke the login when testing the email field so I'll leave that up to you.

 

When editing settings with JavaScript disabled, it leaves the user on a blank page.

 

It seems your BBCode is no longer automatically entering itself into the textarea upon click.  As in: If a user clicks link, it doesn't insert.

 

A user can break the page by adding more than 1 page in the URL.  Example: http://forum.inobb.n...6&settings  Not that much of a bug but still

 

 

Very big bug (severity wise):

 

A user can edit any post by changing ?edit= in the URL.  Refer to introduction thread.


Edited by SocialCloud, 11 May 2013 - 10:49 PM.


#15 InoBB
Advanced Member, 35 posts

Posted 12 May 2013 - 03:33 PM

Not sure what you did to "break" the login. Maybe you can clarify what strings were input to bypass the "email" field type.

I've tried posting everything I could possibly come up with across several different browsers and if I don't at least put a "c@c" style input, all I keep getting is "Invalid E-mail." error.

Only issue I've found, is if I construct different forms off-site, and change the input field types, then there were issues. Working on a better server-side validation for this.

 

No more blank page with javascript disabled. And fixed the BBCode, tried to move the script into an external file, did not work apparently.

And fixing the above issue fixed the updating of information issue in one swoop as well. Love accidental progress.

 

Adding more than 1 page in the url does not concern me as it will only break the page for the user making the action. Maybe at a later date when I've tackled the more concerning problems.

 

And yes, that was a nasty bug, fixed as well. Can no longer edit different posts by changing the URL.

    When clicking on the (last post) options, the page of the post in the URL is always 11.

    If a topic only has one post (just created), the pagination displays Page 0 of 0.

    Your registration is broken.

    The site needs better CSS for FireFox. As far as I looked, the reply/edit/etc. page and profile settings page are messed up.

    You need to implement nl2br() for line breaks.

From over there, all issues solved as well. Not sure about how registration is broken, I registered several test accounts without issues.

 

Maybe you could supply a screenshot of what you're talking about in the FF CSS. What version of FF are you using? I've personally tested in Moz4.0.1 and Moz5.0.


Edited by InoBB, 12 May 2013 - 03:38 PM.


#16 SocialCloud
Advanced Member, 607 posts

Posted 12 May 2013 - 04:29 PM

The login was broken when I tested XSS on the email field.  It changed it to 'onmouseover or something.  When I logged out I couldn't figure out what I had entered so it would keep saying invalid credentials.

 

Your registration layout was broken earlier.  It seems you've fixed it now.



#17 Coreye
PHPHelpCenter.com, 537 posts, Location: Florida

Posted 14 May 2013 - 09:20 PM

Full Path Disclosure (https://www.owasp.or...Path_Disclosure):
http://forum.inobb.n...rum.php?forum[]

Warning: mysqli_real_escape_string() expects parameter 2 to be string, array given in /home/content/44/10959644/html/forums/viewforum.php on line 32

 

Error when editing a thread:

Warning: mysqli_stmt::bind_result() [mysqli-stmt.bind-result]: Number of bind variables doesn't match number of fields in prepared statement in /home/content/44/10959644/html/forums/postreply.php on line 158

 

BBCode breaks when you copy and paste.

(screenshot)

[img] BBCode does not work.

You can post blank posts by using HTML tags.

(screenshot)

Settings page overlapping:

(screenshot)

You can post blank topics by using the space bar.

(screenshot)


Edited by Coreye, 14 May 2013 - 09:20 PM.

PHP Help Center - PHP Help and Security Testing.  :)
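The ?forum[] case above, as an added example (not the forum script's code; forumIdFrom() is an assumed name): validate the query parameter as a positive integer, which also rejects arrays before anything reaches mysqli_real_escape_string(), and keep warnings off the page so a stray notice cannot print the server path.

```php
<?php
// Added example, not the forum script's code: take ?forum= as a strictly
// validated integer so an array such as ?forum[] never reaches the database
// layer, and keep PHP warnings out of the response so no path leaks.

declare(strict_types=1);

// Production setting assumed here: log warnings, never print them.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

/**
 * Return a positive forum id from a query-string array, or null when the
 * parameter is missing, not numeric, out of range, or an array.
 */
function forumIdFrom(array $query): ?int
{
    if (!array_key_exists('forum', $query)) {
        return null;
    }
    // FILTER_VALIDATE_INT returns false for arrays unless FILTER_REQUIRE_ARRAY
    // is given, so "?forum[]" and "?forum[]=4" are rejected here.
    $id = filter_var($query['forum'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

// Constructed query strings, parsed the way PHP fills $_GET for each.
$cases = [
    'forum=4'    => ['forum' => '4'],
    'forum[]'    => ['forum' => ['']],
    'forum[]=4'  => ['forum' => ['4']],
    'forum=4abc' => ['forum' => '4abc'],
    'forum=-1'   => ['forum' => '-1'],
];
foreach ($cases as $label => $get) {
    $id = forumIdFrom($get);
    printf("%-10s -> %s\n", $label, $id === null ? 'reject (404)' : "forum $id");
}
```

A null result should end in a 404 (or a redirect to the forum index) rather than a query, which also covers the "?topic=9 shows a notice" item from earlier in the thread.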


#18 InoBB
Advanced Member, 35 posts

Posted 15 May 2013 - 12:36 AM

Yea all stuff that I caused today with a major overhaul of the posting system. :)

Most of it should be cleared away aside from anything inside the profile area.

Changing the posting from reg text area to text editor caused a massive overhaul of code.


Edited by InoBB, 15 May 2013 - 12:46 AM.


#19 Irate
Advanced Member, 358 posts, Location: Hamburg, Germany, Age: 17

Posted 29 May 2013 - 10:17 AM

Psst, try checking if you covered yourself against these vulnerabilities ;)


Quod placet mihi non placeat tibi. - What I think to be good must not always equal your perception of it.

I am not perfect. I try a lot with the code I provide and I don't guarantee for it to work as I have mostly no option to test it on my mobile phone. I do apologize for any inconvenience I caused, but if I do happen to have helped, liking my posts or marking them as to have solved or answered your question would be nice.

#20 darkfreaks
Advanced Member, 4,942 posts, Location: Austin, Texas

Posted 30 June 2013 - 12:49 AM

You also have MySQL injection in viewthread.php.

Suggest using PHP PDO to squash this.
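The PDO suggestion here and the "edit any post by changing ?edit=" bug from post #14, as one added example (not the forum script's code; the posts table, its columns and the function names are assumptions): the thread and the post being edited are both fetched with bound parameters, and the edit is refused server-side unless the post belongs to the logged-in user.

```php
<?php
// Added example, not the forum script's code: load a thread's posts and a
// single post for editing with PDO prepared statements, and refuse the edit
// unless the caller owns the post. Table and column names are assumptions.

declare(strict_types=1);

function connect(): PDO
{
    // Constructed in-memory SQLite so the example runs without a server;
    // with MySQL the DSN would be "mysql:host=...;dbname=...;charset=utf8mb4".
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, topic_id INTEGER, user_id INTEGER, body TEXT)');
    $db->exec("INSERT INTO posts VALUES (1, 3, 10, 'first'), (2, 3, 11, 'reply'), (3, 4, 10, 'other')");
    return $db;
}

/** viewthread.php: the id is bound as a parameter, never concatenated. */
function threadPosts(PDO $db, int $topicId): array
{
    $st = $db->prepare('SELECT id, user_id, body FROM posts WHERE topic_id = :t ORDER BY id');
    $st->execute([':t' => $topicId]);
    return $st->fetchAll();
}

/** ?edit=: fetch the post, then enforce ownership before showing the form. */
function postForEdit(PDO $db, int $postId, int $currentUserId): array
{
    $st = $db->prepare('SELECT id, user_id, body FROM posts WHERE id = :id');
    $st->execute([':id' => $postId]);
    $post = $st->fetch();
    if ($post === false) {
        throw new RuntimeException('404: no such post');
    }
    if ((int) $post['user_id'] !== $currentUserId) {
        throw new RuntimeException('403: not your post');   // the ?edit= bug
    }
    return $post;
}

$db = connect();
print_r(threadPosts($db, 3));            // both posts of topic 3
print_r(postForEdit($db, 1, 10));        // owner editing own post
try { postForEdit($db, 2, 10); } catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
```

The ids passed in are assumed to have been validated as integers first, as in the forum-id example earlier in the thread; the same ownership check belongs on the POST handler that saves the edit, not only on the page that shows the form.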


