unidox Posted April 14, 2008 (Author): I threw this together in a few hours. A project I will be releasing in a few months once I am finished. I only have a few pages working for now, so I would like some feedback and help with my security. Thanks. http://pure-cp.com/beta/admin/ User: phpfreaks Pass: phpfreaks
Coreye Posted April 14, 2008: I try to login with the login info above, and get "http://pure-cp.com/beta/admin/login.php?e=4" as the link.
unidox Posted April 14, 2008 (Author): Fixed, someone abused the user passwords. So I just made it so the username and password don't update in the db. Everything else works though.
Coreye Posted April 14, 2008:

Full Path Disclosure: http://pure-cp.com/beta/admin/index.php?p=users&g=a
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/purecp/public_html/beta/admin/pages/users.inc.php on line 78
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/purecp/public_html/beta/admin/pages/users.inc.php on line 98

Full Path Disclosure: http://pure-cp.com/beta/admin//pages/users.inc.php
Warning: mysql_query() [function.mysql-query]: Access denied for user 'purecp'@'localhost' (using password: NO) in /home/purecp/public_html/beta/admin/pages/users.inc.php on line 6
Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/purecp/public_html/beta/admin/pages/users.inc.php on line 6
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/purecp/public_html/beta/admin/pages/users.inc.php on line 7
Warning: mysql_query() [function.mysql-query]: Access denied for user 'purecp'@'localhost' (using password: NO) in /home/purecp/public_html/beta/admin/pages/users.inc.php on line 51
Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/purecp/public_html/beta/admin/pages/users.inc.php on line 51
Warning: mysql_query() [function.mysql-query]: Access denied for user 'purecp'@'localhost' (using password: NO) in /home/purecp/public_html/beta/admin/pages/users.inc.php on line 52
Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/purecp/public_html/beta/admin/pages/users.inc.php on line 52
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/purecp/public_html/beta/admin/pages/users.inc.php on line 54
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/purecp/public_html/beta/admin/pages/users.inc.php on line 78
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/purecp/public_html/beta/admin/pages/users.inc.php on line 98

Cross Site Scripting: You can submit ">code when editing their profile.

SQL Error when you use ' in edit profile fields.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Test', description = 'j', age = 'j', dob = 'j', country = 'j', location = 'j',' at line 1

Full Path Disclosure: http://pure-cp.com/beta/admin/index.php?p=users&g[]
Fatal error: Unsupported operand types in /home/purecp/public_html/beta/admin/pages/users.inc.php on line 26
unidox Posted April 14, 2008 (Author): Ok, I will fix. How do I fix "Cross Site Scripting: You can submit ">code when editing their profile." and "SQL Error when you use ' in edit profile fields." though?
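The two fixes unidox asks about, written here as an added example that is not the pure-cp code: placeholders so a quote in a profile field is data rather than SQL, escaping at output time so a submitted `">` stays literal text, and display_errors off so warnings carrying full paths are logged instead of shown in the browser. The users table and its columns are taken from the SQL error quoted above; `$db` as an open mysqli link, a `news` table with `title` and `body`, and the mysqlnd driver for `get_result()` are assumptions, and the same integer check applies to the `id=` parameter reported later in the thread.

```php
<?php
// Added example (not the pure-cp code). Assumes $db is an open mysqli link and
// that the users table has the columns named in the SQL error above.
ini_set('display_errors', '0'); // warnings (with full paths) go to the log, not the browser
ini_set('log_errors', '1');

function update_profile(mysqli $db, int $user_id, array $in): bool {
    // Only these fields are written; anything else in $in is ignored.
    $fields = ['name', 'description', 'age', 'dob', 'country', 'location'];
    $values = [];
    foreach ($fields as $f) {
        $values[] = isset($in[$f]) ? trim((string)$in[$f]) : '';
    }
    // Placeholders: the quote in a value like "O'Brien's Test" is data, never SQL syntax.
    $sql = "UPDATE users SET name = ?, description = ?, age = ?, dob = ?, "
         . "country = ?, location = ? WHERE id = ?";
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        error_log('prepare failed: ' . $db->error); // log it, do not echo it
        return false;
    }
    $stmt->bind_param('ssssssi', $values[0], $values[1], $values[2],
                      $values[3], $values[4], $values[5], $user_id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

function load_news_for_edit(mysqli $db, $raw_id): ?array {
    // ...&a=edit&id=' : reject anything that is not a positive integer up front
    if (!ctype_digit((string)$raw_id) || (int)$raw_id < 1) {
        return null;
    }
    $id = (int)$raw_id;
    $stmt = $db->prepare("SELECT id, title, body FROM news WHERE id = ?"); // assumed columns
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}
// Output side: escape when printing, so a submitted "><script> stays literal text.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
function profile_input(string $name, string $value): string {
    return '<input type="text" name="' . h($name) . '" value="' . h($value) . '">';
}
```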
unidox Posted April 14, 2008 (Author): Nvm, I fixed it all. Anything else?
Coreye Posted April 15, 2008: You can delete users, even if they have the same level. I deleted Rusty and Clarky, both were admins.
unidox Posted April 15, 2008 (Author): How did you go about doing that?
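A server-side check for the finding above (an admin deleting other admins of the same level), as an added example rather than the pure-cp code: the decision is made from the levels stored in the database for both the acting and the target user, not from anything in the request. It assumes a users table with integer columns `id` and `level` (higher means more privilege), the logged-in admin's id in `$_SESSION['uid']`, and `$db` as an open mysqli link.

```php
<?php
// Added example, not pure-cp code. Assumes users(id, level) with higher level =
// more privilege, $_SESSION['uid'] holding the acting admin's id, and $db as mysqli.
function fetch_level(mysqli $db, int $id): ?int {
    $stmt = $db->prepare("SELECT level FROM users WHERE id = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($level);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int)$level : null;
}

// True only when the actor outranks the target; equal level is not enough.
function can_delete(?int $actor_level, ?int $target_level, int $actor_id, int $target_id): bool {
    if ($actor_level === null || $target_level === null) return false; // unknown user
    if ($actor_id === $target_id) return false;                        // no self-deletion
    return $actor_level > $target_level;
}

function delete_user(mysqli $db, int $actor_id, $raw_target): string {
    if (!ctype_digit((string)$raw_target)) return 'invalid id';
    $target_id = (int)$raw_target;
    // Decide from the database, never from a hidden form field or the link clicked.
    $actor_level  = fetch_level($db, $actor_id);
    $target_level = fetch_level($db, $target_id);
    if (!can_delete($actor_level, $target_level, $actor_id, $target_id)) {
        error_log("denied: user $actor_id tried to delete user $target_id");
        return 'forbidden';
    }
    // The WHERE clause repeats the rule so a race with a level change still cannot
    // remove a user at or above the actor's level.
    $stmt = $db->prepare("DELETE FROM users WHERE id = ? AND level < ?");
    $stmt->bind_param('ii', $target_id, $actor_level);
    $stmt->execute();
    $deleted = $stmt->affected_rows;
    $stmt->close();
    return $deleted === 1 ? 'deleted' : 'not found';
}

// Usage in the users page handler (session already started elsewhere):
// echo delete_user($db, (int)$_SESSION['uid'], $_GET['id'] ?? '');
```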
stuffradio Posted April 16, 2008: I'm also puzzled how he did this, but I love the look of it!
unidox Posted April 16, 2008 (Author): Thanks, I just added a search feature. So if you could try and XSS that and tell me how to improve. I am open to any tips/ideas.
Zhadus Posted April 16, 2008: I love the look of it, couldn't find any easy exploits. One quick suggestion, put a timestamp for last counter reset on the site views.
unidox Posted April 17, 2008 (Author): I added that feature. Anything else?
unidox Posted April 19, 2008 (Author): I just added the group section, working on access levels now. Any suggestions, tips, errors?
FlyingIsFun1217 Posted April 21, 2008: All I see is that your access links (at the top, modules, log out, etc.) usually don't do anything (well, except for log out). FlyingIsFun1217
unidox Posted April 21, 2008 (Author), quoting FlyingIsFun1217: "All I see is that your access links (at the top, modules, log out, etc.) usually don't do anything (well, except for log out)." What?
FlyingIsFun1217 Posted April 21, 2008: I was mistaken. The ones that don't work are Modules, Pages, Look & Feel, and Support. FlyingIsFun1217
unidox Posted April 21, 2008 (Author): I know, I haven't done those pages yet.
FlyingIsFun1217 Posted April 22, 2008: Didn't know. Nice work, by the way. FlyingIsFun1217
unidox Posted April 22, 2008 (Author): Thanks, anything I should add?
Coreye Posted April 22, 2008: Your server/hosting seems to be having problems. I get this when going to your site:

Warning: session_start() [function.session-start]: open(/path/sess_aac98fafac0286615aeca2c978930efb, O_RDWR) failed: No such file or directory (2) in /home/purecp/public_html/beta/admin/process.php on line 2
Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /home/purecp/public_html/beta/admin/process.php:2) in /home/purecp/public_html/beta/admin/process.php on line 2
Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/purecp/public_html/beta/admin/process.php:2) in /home/purecp/public_html/beta/admin/process.php on line 2
Warning: Cannot modify header information - headers already sent by (output started at /home/purecp/public_html/beta/admin/process.php:2) in /home/purecp/public_html/beta/admin/process.php on line 4
Warning: Cannot modify header information - headers already sent by (output started at /home/purecp/public_html/beta/admin/process.php:2) in /home/purecp/public_html/beta/admin/index.php on line 19
Warning: Unknown: open(/path/sess_aac98fafac0286615aeca2c978930efb, O_RDWR) failed: No such file or directory (2) in Unknown on line 0
Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (N;/path) in Unknown on line 0
unidox Posted April 22, 2008 (Author): Fixed
unidox Posted May 14, 2008 (Author): Just added the news page. Test?
Coreye Posted May 14, 2008: SQL Error: http://pure-cp.com/beta/admin/index.php?p=pages&s=news&a=edit&id='
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''\'' at line 1
unidox Posted May 15, 2008 (Author): Fixed.
corbin Posted May 15, 2008: When you first login, Last Login IP is the current IP, not last. (If you hid it on purpose for testing, that's cool I guess since I would rather people not know my IP ;p.) I think you should sort the News posts descending. Only things I found.... Didn't do any deep digging though.