Coreye

Members
  • Posts: 537

Everything posted by Coreye

  1. Where do you login/register? http://projectpress.org/devel/ shows the below for me.
  2. I'd set up a demo on your domain and I'm sure a bunch of people will test it. Some people may not have the time to download it and install or simply don't want to waste time doing it. I may install it tomorrow and I'll give feedback but a demo would be best.
  3. SQL Error: http://2.0.demo.elematacms.com/?id='
     SQL Error: http://2.0.demo.elematacms.com/admin/index.php?action=edit&type=page&id='
     SQL Error when deleting pages that don't exist: http://2.0.demo.elematacms.com/admin/index.php?action=delete&true=1&id=2
     Full Path Disclosure: http://2.0.demo.elematacms.com/?s=%3Ch1%3Etest
     Full Path Disclosure: http://2.0.demo.elematacms.com/functions/replace.php
     Full Path Disclosure: http://2.0.demo.elematacms.com/admin/content/dashboard.php
     Full Path Disclosure: http://2.0.demo.elematacms.com/admin/content/edit_page.php
     Full Path Disclosure: http://2.0.demo.elematacms.com/admin/content/pages.php
     Full Path Disclosure: http://2.0.demo.elematacms.com/admin/content/settings.php
     Full Path Disclosure: http://2.0.demo.elematacms.com/admin/content/themes.php
     Directory Listing: http://2.0.demo.elematacms.com/functions/
     Directory Listing: http://2.0.demo.elematacms.com/admin/content/
     Directory Listing: http://2.0.demo.elematacms.com/Connections/
  4. You should remove all of the ad pop-ups until testing is done.
     Cross Site Scripting (XSS): You can submit code in comments and it'll execute. http://projecta.ulmb.com/news.php?NUID=13
     Cross Site Scripting (XSS): You can submit code in profile fields and it'll execute. http://projecta.ulmb.com/profile.php?p=4
     MySQL Error: http://projecta.ulmb.com/profile.php?p='
     Full Path Disclosure: http://projecta.ulmb.com/news.php?NUID[]
  5. Smiles mess up links: http://vibe.l2earth.ca/index.php?module=forums&t=124#p128.
  6. It's still doing it for me. The index is linking to http://vibe.l2earth.ca/index.php?module=forums&t=119 instead of http://vibe.l2earth.ca/index.php?module=forums&t=116#p119.
  7. The link on the index for the forums is wrong. http://vibe.l2earth.ca/index.php?module=forums links to http://vibe.l2earth.ca/index.php?module=forums&t=114 for the latest reply. It should be linking to t=113.
  8. When you enable JavaScript, http://vibe.l2earth.ca/?noscript=1 just refreshes.
     You can reply to threads that don't exist: http://vibe.l2earth.ca/index.php?module=forums&t=9999
     Max length of subjects should be hard-coded: http://vibe.l2earth.ca/index.php?module=forums&t=100
     You can lock/unlock threads you didn't create.
  9. I uploaded it to a server, extracted it and I get the below error when I try to view any file. PHP Version 5.3.8.
  10. Happy New Year everyone!
  11. Was this looked into? I'm now getting: I tried to register with "Corey" as my username.
  12. XSS Vulnerability: http://www.calicosoft.com/community/topic-116-ou.html The "Edit" field is vulnerable to XSS attacks.
      XSS Vulnerability: http://www.calicosoft.com/community/downloads-category-4-CalicoKB-Themes-amp-Modifications.html The "Title" field is vulnerable to XSS attacks.
      When you use the "YouTube" BBCode the video doesn't show up and "0" is placed in the content box.
      If the subject has "Y" in it, the letter is removed.
      You get the below error when PMing people who DO exist.
  13. When you delete a thread it still shows up on the index and errors when you try to view it. If you include <script> in the subject when editing a thread, the page just hangs. When I created a new thread it went to page 2 instead of the thread or the page the thread is on. Why? When I clicked the thread pagination, the header, the shout box and thread tools were added twice. As seen here: http://i.imgur.com/EnAac.png.
  14. Long subjects cause a "Forbidden" permission error.
  15. XSS Vulnerability: If you include code in the subject field it'll execute when replying to a thread. http://www.calicosoft.com/community/index.php?act=reply&tid=104
      Slashes are stripped from the subject and can result in blank subjects. The redirect on thread creation will also error.
  16. The Topic field is vulnerable to XSS attacks. I have http://www.calicosoft.com/community/forum-2-Testing-Forum.html redirecting to this thread.
      I registered with real information and I received the below error:
      Full Path Disclosure: http://www.calicosoft.com/community/index.php?act=sendmessage&to[]
      Open Directory Listing: http://www.calicosoft.com/community/classes/
      What forum is this thread under: http://www.calicosoft.com/community/topic-98-TESTING-TOPIC.html?
  17. Merry Christmas and Happy New Year everyone.
  18. Your main concern should be the exploit I sent to you via PM. It makes it possible to view every file on your server, including database credentials. With that you could easily upload a file with a query to drop the DB.
  19. Sent you a file upload security issue via PM.
      Full Path Disclosure: http://dev.zext.org/index.php?app=forums&fid[]
      Full Path Disclosure when uploading an attachment. You also don't state what extensions are valid.
      PHP Error: http://dev.zext.org/index.php?app=admin
      PHP Error: http://dev.zext.org/index.php?app=forums&module=post&action=reply&tid=&quote=
      Quoting code messes up: http://dev.zext.org/index.php?app=forums&module=post&tid=36
      I'm receiving the below error message on http://dev.zext.org/index.php?app=forums&module=post&tid=36. I think it's because of the PHP code I added to the post.
      Quoting doesn't seem to be working. Try to quote this post: http://dev.zext.org/index.php?app=forums&module=post&action=topic&reply=35&quote=74.
      Commenting on profiles doesn't work. Nothing happens when you press "Submit".
  20. I've added some test quick replies and they have worked fine. Sorry, I meant when you quote a post by pressing the Quote button. See here: http://asimpleforum.co.uk/t/Testing+Quotes%7C56 and here: http://asimpleforum.co.uk/t/Quotes%7C65. Write multiple lines and then highlight them to use the quote box. It does this:
      [quote]Line 1[/quote]
      [quote]Line 2[/quote]
      [quote]Line 3[/quote]
      [quote]Line 4[/quote]
      [quote]Line 5[/quote]
      [quote]Line 6[/quote]
  21. You get an error when replying to threads. The quote BBCode messes up when there are multiple lines. Example: http://asimpleforum.co.uk/t/Testing+Quotes%7C56. The code BBCode doesn't work. Quick replies add this to the input box:
  22. http://www.geoplugin.net/ seems to work well. http://kbeezie.com/view/geolocation-methods-for-free/ lists a few other options also.
  23. When you click "If you wish to create a free account please click here" and you don't have JavaScript enabled, you get sent to http://www.testcricketmanager.com/error.php. When you register you get this error:
  24. Full Path Disclosure: http://dl.tl/shorten.php?URL[]
      Full Path Disclosure: http://dl.tl/lengthen.php?short[]