R4nk3d Posted October 24, 2008 Share Posted October 24, 2008 hey guys. i just made a content management system this week and for me, its pretty decent. Can you please check it out, tell me if there are any errors in it, etc. Things i should maybe change. Thanks! The site is: http://www.parkerandsonsservices.com. It is a website i am making for my dad's company. I am wanting suggestions on the scripting, not designing please. I know im terribad at designing. Go to http://www.parkerandsonsservices.com/admin/ to access the admin panel. Username: test Password: test Please keep everything clean. And dont spam anything, or delete the already made pages that i have created which include: Home, Services, Testimonials, Photos, Quotes, Contact. Thanks Link to comment Share on other sites More sharing options...
Coreye Posted October 24, 2008 Share Posted October 24, 2008 Use BBCode instead of allowing HTML. Link to comment Share on other sites More sharing options...
R4nk3d Posted October 24, 2008 Author Share Posted October 24, 2008 I am going to soon, its still in the beta version so thats not added on yet. Link to comment Share on other sites More sharing options...
GKWelding Posted October 24, 2008 Share Posted October 24, 2008 where you have index.php?id=1 or 2 or 3 etc... You need to make sure that if that value is passed to a MySQL query, which I'm sure it will be, that in the MySQL query the numeric value is quoted with single quotes and that the value is checked to be an integer. If it isn't then even if you use mysql_real_escape_string I could still be able to pass commands such as index.php?id=;%20TRUNCATE%20TABLE users%20-- which would bypass the real_escape_string as there are no illegal characters in it, and it would empty your users table etc... Link to comment Share on other sites More sharing options...
R4nk3d Posted October 24, 2008 Author Share Posted October 24, 2008 ok thanks for that. yeah, i started learning the security crap a little bit ago so i will work on that Link to comment Share on other sites More sharing options...
R4nk3d Posted October 25, 2008 Author Share Posted October 25, 2008 For whoever deleted all of the pages and news, fuck u. read what i fucking say and dont fuck with someone else's site. Link to comment Share on other sites More sharing options...
GKWelding Posted October 25, 2008 Share Posted October 25, 2008 R4nked, sorry about that, maybe I should have private messaged you with that potential vulnerability rather than posting it here, some people on here can be idiots and I just didn't think. Link to comment Share on other sites More sharing options...
R4nk3d Posted October 25, 2008 Author Share Posted October 25, 2008 its alright, i can recreate them in 10 seconds but im just pissed they deleted them. Link to comment Share on other sites More sharing options...
Daniel0 Posted October 26, 2008 Share Posted October 26, 2008 The deletion functionality is vulnerable to CSRF attacks. You can solve this using a token and validating it on the deletion request. See: http://www.phpfreaks.com/tutorial/php-security/page8 Link to comment Share on other sites More sharing options...
R4nk3d Posted October 26, 2008 Author Share Posted October 26, 2008 The deletion functionality is vulnerable to CSRF attacks. You can solve this using a token and validating it on the deletion request. See: http://www.phpfreaks.com/tutorial/php-security/page8 Ok thanks. and thanks a ton for the link. that really helped. thanks to all of u for helping me on security cause thats definatly a weakness for me. Link to comment Share on other sites More sharing options...
dezkit Posted October 27, 2008 Share Posted October 27, 2008 R4nk3d, you got to use another template, man. Link to comment Share on other sites More sharing options...
R4nk3d Posted October 27, 2008 Author Share Posted October 27, 2008 I am wanting suggestions on the scripting, not designing please. I know im terribad at designing. ^^ Link to comment Share on other sites More sharing options...
darkfreaks Posted October 28, 2008 Share Posted October 28, 2008 you are pretty much good i just scanned with a good scanner of mine you can mark this as solved Link to comment Share on other sites More sharing options...
dropfaith Posted October 29, 2008 Share Posted October 29, 2008 xss attacks http://www.parkerandsonsservices.com/index.php?id=27 is the one i just did just a pop up that says xss in fact i can directly ad this <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT> ps that script is just an xss pop up that says your site doesnt block xss Link to comment Share on other sites More sharing options...
R4nk3d Posted October 29, 2008 Author Share Posted October 29, 2008 xss attacks http://www.parkerandsonsservices.com/index.php?id=27 is the one i just did just a pop up that says xss in fact i can directly ad this <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT> ps that script is just an xss pop up that says your site doesnt block xss dont fucking delete my homepage u cunt Link to comment Share on other sites More sharing options...
darkfreaks Posted October 29, 2008 Share Posted October 29, 2008 http://kallahar.com/smallprojects/php_xss_filter_function.php this function when called properly will strip out XSS attacks Link to comment Share on other sites More sharing options...
dropfaith Posted October 29, 2008 Share Posted October 29, 2008 i didnt in fact i told you the script only makes a pop up that states that xss is possible http://ha.ckers.org/xss.html xss security site gigving examples of things you can do with xss and such but yeah nothing i did would delete the pages Link to comment Share on other sites More sharing options...
R4nk3d Posted October 29, 2008 Author Share Posted October 29, 2008 k, nbm sorry, i thought u did it because it said i deleted it. thought u created that page. Link to comment Share on other sites More sharing options...
dropfaith Posted October 29, 2008 Share Posted October 29, 2008 nah i use that test script on all my sites for xss attacks i generally block html to avoid them as well as some other functions Link to comment Share on other sites More sharing options...
waynewex Posted November 4, 2008 Share Posted November 4, 2008 xss attacks http://www.parkerandsonsservices.com/index.php?id=27 is the one i just did just a pop up that says xss in fact i can directly ad this <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT> ps that script is just an xss pop up that says your site doesnt block xss dont fucking delete my homepage u cunt LOLOLOLOLOLOLOLOLOLOLOL Link to comment Share on other sites More sharing options...
Recommended Posts