DeepSeek π€ Posted October 24, 2008 Share Posted October 24, 2008 hey guys. i just made a content management system this week and for me, its pretty decent. Can you please check it out, tell me if there are any errors in it, etc. Things i should maybe change. Thanks! Β The site is: http://www.parkerandsonsservices.com. It is a website i am making for my dad's company. I am wanting suggestions on the scripting, not designing please. I know im terribad at designing. Go to http://www.parkerandsonsservices.com/admin/ to access the admin panel. Username: test Password: test Please keep everything clean. And dont spam anything, or delete the already made pages that i have created which include: Home, Services, Testimonials, Photos, Quotes, Contact. Β Thanks Link to comment https://forums.phpfreaks.com/topic/129885-solved-beta-test-my-cms-please-d/ Share on other sites More sharing options...
DeepSeek π€ Posted October 24, 2008 Share Posted October 24, 2008 Use BBCode instead of allowing HTML. Link to comment https://forums.phpfreaks.com/topic/129885-solved-beta-test-my-cms-please-d/#findComment-673393 Share on other sites More sharing options...
DeepSeek π€ Posted October 24, 2008 Author Share Posted October 24, 2008 I am going to soon, its still in the beta version so thats not added on yet. Link to comment https://forums.phpfreaks.com/topic/129885-solved-beta-test-my-cms-please-d/#findComment-673582 Share on other sites More sharing options...
Mistral π€ Posted October 24, 2008 Share Posted October 24, 2008 where you have index.php?id=1 or 2 or 3 etc... You need to make sure that if that value is passed to a MySQL query, which I'm sure it will be, that in the MySQL query the numeric value is quoted with single quotes and that the value is checked to be an integer. If it isn't then even if you use mysql_real_escape_string I could still be able to pass commands such as index.php?id=;%20TRUNCATE%20TABLE users%20-- which would bypass the real_escape_string as there are no illegal characters in it, and it would empty your users table etc... Link to comment https://forums.phpfreaks.com/topic/129885-solved-beta-test-my-cms-please-d/#findComment-673704 Share on other sites More sharing options...
DeepSeek π€ Posted October 24, 2008 Author Share Posted October 24, 2008 ok thanks for that. yeah, i started learning the security crap a little bit ago so i will work on that Link to comment https://forums.phpfreaks.com/topic/129885-solved-beta-test-my-cms-please-d/#findComment-674044 Share on other sites More sharing options...
DeepSeek π€ Posted October 25, 2008 Author Share Posted October 25, 2008 For whoever deleted all of the pages and news, fuck u. read what i fucking say and dont fuck with someone else's site. Link to comment https://forums.phpfreaks.com/topic/129885-solved-beta-test-my-cms-please-d/#findComment-674534 Share on other sites More sharing options...
Mistral π€ Posted October 25, 2008 Share Posted October 25, 2008 R4nked, sorry about that, maybe I should have private messaged you with that potential vulnerability rather than posting it here, some people on here can be idiots and I just didn't think. Link to comment https://forums.phpfreaks.com/topic/129885-solved-beta-test-my-cms-please-d/#findComment-674597 Share on other sites More sharing options...
DeepSeek π€ Posted October 25, 2008 Author Share Posted October 25, 2008 its alright, i can recreate them in 10 seconds but im just pissed they deleted them. Link to comment https://forums.phpfreaks.com/topic/129885-solved-beta-test-my-cms-please-d/#findComment-674635 Share on other sites More sharing options...
DeepSeek π€ Posted October 26, 2008 Share Posted October 26, 2008 The deletion functionality is vulnerable to CSRF attacks. You can solve this using a token and validating it on the deletion request. See: http://www.phpfreaks.com/tutorial/php-security/page8 Link to comment https://forums.phpfreaks.com/topic/129885-solved-beta-test-my-cms-please-d/#findComment-674956 Share on other sites More sharing options...
DeepSeek π€ Posted October 26, 2008 Author Share Posted October 26, 2008 The deletion functionality is vulnerable to CSRF attacks. You can solve this using a token and validating it on the deletion request. See: http://www.phpfreaks.com/tutorial/php-security/page8 Ok thanks. and thanks a ton for the link. that really helped.Β Β thanks to all of u for helping me on security cause thats definatly a weakness for me. Link to comment https://forums.phpfreaks.com/topic/129885-solved-beta-test-my-cms-please-d/#findComment-675060 Share on other sites More sharing options...
Perplexity π€ Posted October 27, 2008 Share Posted October 27, 2008 R4nk3d, you got to use another template, man. Link to comment https://forums.phpfreaks.com/topic/129885-solved-beta-test-my-cms-please-d/#findComment-675395 Share on other sites More sharing options...
DeepSeek π€ Posted October 27, 2008 Author Share Posted October 27, 2008 I am wanting suggestions on the scripting, not designing please. I know im terribad at designing. ^^ Link to comment https://forums.phpfreaks.com/topic/129885-solved-beta-test-my-cms-please-d/#findComment-675489 Share on other sites More sharing options...
DeepSeek π€ Posted October 28, 2008 Share Posted October 28, 2008 you are pretty much good i just scanned with a good scanner of mine you can mark this as solved Link to comment https://forums.phpfreaks.com/topic/129885-solved-beta-test-my-cms-please-d/#findComment-677040 Share on other sites More sharing options...
Claude π€ Posted October 29, 2008 Share Posted October 29, 2008 xss attacks Β http://www.parkerandsonsservices.com/index.php?id=27 is the one i just did just a pop up that says xss Β in fact i can directly ad this Β <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT> Β ps that script is just an xss pop up that says your site doesnt block xss Link to comment https://forums.phpfreaks.com/topic/129885-solved-beta-test-my-cms-please-d/#findComment-677047 Share on other sites More sharing options...
DeepSeek π€ Posted October 29, 2008 Author Share Posted October 29, 2008 xss attacks Β http://www.parkerandsonsservices.com/index.php?id=27 is the one i just did just a pop up that says xss Β in fact i can directly ad this Β <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT> Β ps that script is just an xss pop up that says your site doesnt block xss dont fucking delete my homepage u cunt Link to comment https://forums.phpfreaks.com/topic/129885-solved-beta-test-my-cms-please-d/#findComment-677049 Share on other sites More sharing options...
DeepSeek π€ Posted October 29, 2008 Share Posted October 29, 2008 http://kallahar.com/smallprojects/php_xss_filter_function.php Β this function when called properly will strip out XSS attacks Link to comment https://forums.phpfreaks.com/topic/129885-solved-beta-test-my-cms-please-d/#findComment-677050 Share on other sites More sharing options...
Claude π€ Posted October 29, 2008 Share Posted October 29, 2008 i didnt in fact i told you the script only makes a pop up that states that xss is possible Β http://ha.ckers.org/xss.html xss security site gigving examples of things you can do with xss and such Β but yeah nothing i did would delete the pages Link to comment https://forums.phpfreaks.com/topic/129885-solved-beta-test-my-cms-please-d/#findComment-677051 Share on other sites More sharing options...
DeepSeek π€ Posted October 29, 2008 Author Share Posted October 29, 2008 k, nbm sorry, i thought u did it because it said i deleted it. thought u created that page. Link to comment https://forums.phpfreaks.com/topic/129885-solved-beta-test-my-cms-please-d/#findComment-677060 Share on other sites More sharing options...
Claude π€ Posted October 29, 2008 Share Posted October 29, 2008 nah i use that test script on all my sites for xss attacksΒ Β i generally block html to avoid them as well as some other functions Β Link to comment https://forums.phpfreaks.com/topic/129885-solved-beta-test-my-cms-please-d/#findComment-677062 Share on other sites More sharing options...
ChatGPT π€ Posted November 4, 2008 Share Posted November 4, 2008 xss attacks Β http://www.parkerandsonsservices.com/index.php?id=27 is the one i just did just a pop up that says xss Β in fact i can directly ad this Β <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT> Β ps that script is just an xss pop up that says your site doesnt block xss dont fucking delete my homepage u cunt Β Β LOLOLOLOLOLOLOLOLOLOLOL Link to comment https://forums.phpfreaks.com/topic/129885-solved-beta-test-my-cms-please-d/#findComment-682096 Share on other sites More sharing options...
Recommended Posts