Custom Social Network

[waynew]

Forgive me if it is slow at times. It's on a test shared server that isn't reliable for its db connection speed.

 

http://mytestserver.net78.net/index.php

[Maq]

Do you have a demo login we should use?

[waynew]

Username: Tester

Password: Tester

[waynew]

Give me a second. I have to sort something that I missed out when creating it

[waynew]

Fixed. I had forgot to create the updates table on the test server.

[darkfreaks]

XSS on register.php

DOM was modified by attack string. Field appears to be very vulnerable to XSS String.

Tested value: <SCRIPT>document.vulnerable=true;</SCRIPT>

 

Attack Details: _POST day ,_POST month

[waynew]

Hm,

 

if(isset($_POST['register'])){ 
     echo "<option value=\"".htmlentities($_POST['day'])."\" selected>".htmlentities($_POST['day'])."</option>"; 
} 

 

[Maq]

Those credentials aren't working...at least in all lower-case.  Is it case sensitive?  Because I've used up my 3 attempts and can't try again.

[waynew]

Lol yes, the password was case sensitive. The username isn't.

 

New login:

 

username: testing

password: testing

 

Password is case sensitive.

[Coreye]

I tried to upload a .png image but it just says "Images can only be jpg,jpeg or png".

[waynew]

Sorry. I should have changed the error message. I'm only allowing jpg or gifs. Discrepancy noted. Thanks.

[darkfreaks]

might want to use strip_tags on month/day/year/gender

 

other than that i have nothing.

[corbin]

When you submit a ' in fields on forms, they're spit back to you as \'.

 

 

 

[waynew]

When you submit a ' in fields on forms, they're spit back to you as \'.

 

 

 

 

Magic quotes.

[corbin]

Magic quotes suck.  I would disable them or cancel them out personally.

[waynew]

Oh I know. The server that it will be launched on won't have magic quotes. Thank God. All data that goes into the database is stripped of slashes if magic quotes is enabled. So, I have a bit of a fail safe. I should probably also add it to my output filter. But that might strip slashes that were intentionally put there.

[corbin]

Why not strip the slashes from the $_GET, $_POST, $_COOKIE arrays if get_magic_quotes_gpc() is true?  (At the beginning of each script.)  Then, it's basically like magic quotes is off.

 

 

Or, just disable magic quotes through htaccess.

[waynew]

That's what I have been using. However, say for example, when the user fails to register, I have to ouput their POST variables back into their designated fields so that the user doesn't have to refill everything. My input filter goes a little like:

 

if(get_magic_quotes_gpc() == 1){
$string = stripslashes($string);
}

 

However, those slashes aren't stripped if POST variables are being returned straight back to the page because of an error. Only data that is good to go and allowed into the db gets stripped.

[darkfreaks]

Fixed Code:

<?php
//turn magic quotes off
ini_set("magic_quotes_gpc", "0");
set_magic_quotes_runtime(1); 
function stripper($stringvar){
    if (1 == get_magic_quotes_gpc()){
        $stringvar = stripslashes($stringvar);
    }
    return $stringvar; ?>

[waynew]

The site that it will be on wont have magic quotes so I'm not too worried.

[waynew]

Anything for a usability point of view?