Mistral (author), posted December 17, 2008

So this is my first CMS. I plan on giving it away to clients I freelance for.

www.sushii.org (front side)

This is a beta test... so not only am I looking for security holes, but also bugs, so I'll give credentials to the admin side... be considerate though.

www.sushii.org/admin/login.php
username: [email protected]
password: demo

If you find anything wrong/bad, please let me know. I think I may release this to opencms.

Thank you.

Thread: https://forums.phpfreaks.com/topic/137454-my-first-cms/
DeepSeek, posted December 17, 2008

Unsafe injection:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION SELECT 1,2,3,4,5,6,7,8,9,10' at line 1

When you output variables in links, try using urlencode(); this helps protect against injection through links.
Mistral (author), posted December 17, 2008

Where did you try to inject? Login?
DeepSeek, posted December 17, 2008

edit.page.php, I think.
Mistral (author), posted December 17, 2008

Alright, I need a bit more info here.

Did you try to SQL inject through an input field or the ID variable in the URL?
DeepSeek, posted December 17, 2008

I executed it through the URL variable.
Mistral (author), posted December 17, 2008

urlencode() won't do the trick since it's an int.

There, I put in a function to check if ID is an int. Find more please.
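The URL-id injection reported above, and the "check if ID is an int" fix, as an added example. This is not code from the sushii CMS or from either poster: the table and column names, the request shape (edit.page.php?id=n) and the database credentials are hypothetical, and it uses mysqli with prepared statements (and mysqlnd for get_result()) rather than the mysql_ extension the thread was written against.

```php
<?php
// Added example, not code from the sushii CMS. Shows the integer-id
// injection reported against edit.page.php and one way to close it.
// Assumed (hypothetical): a table `pages` with integer `id` and text
// `name`, `content`; the page is requested as edit.page.php?id=<n>;
// the mysqli extension with mysqlnd (for get_result()) is available.

// Vulnerable pattern: the query string is pasted straight into SQL, so
//   ?id=1 UNION SELECT 1,2,3,4,5,6,7,8,9,10
// becomes part of the statement, and the column count can be probed
// from the error text quoted earlier in the thread.
function build_query_unsafe(string $rawId): string
{
    return "SELECT id, name, content FROM pages WHERE id = " . $rawId;
}

// Step 1: validate, do not just cast. (int)"1 UNION SELECT ..." silently
// becomes 1, which is safe for SQL but hides the attack. filter_var with
// FILTER_VALIDATE_INT returns false for "1 UNION ...", "1.5", "" and "0x1",
// and min_range rejects 0 and negatives, so a bad id can be refused and logged.
function parse_page_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Step 2: even for a validated integer, bind the value. The statement text
// never changes with the input, so there is nothing to inject into.
function load_page(mysqli $db, $rawId): ?array
{
    $id = parse_page_id($rawId);
    if ($id === null) {
        error_log('rejected page id: ' . var_export($rawId, true));
        return null;                       // no SQL runs at all
    }
    $stmt = $db->prepare('SELECT id, name, content FROM pages WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Step 3: keep driver errors out of the response. The message pasted above
// ("...syntax to use near 'UNION SELECT 1,2,...'") is what makes probing
// easy; log it server-side and show a generic page instead.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
    $db = new mysqli('localhost', 'cms_user', 'secret', 'cms');   // assumed credentials
    $page = load_page($db, $_GET['id'] ?? '');
    if ($page === null) {
        http_response_code(404);
        exit('No such page');
    }
    // ... render $page['name'] and $page['content'] here ...
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage());           // detail goes to the server log only
    http_response_code(500);
    exit('Internal error');
}
```

The validation and the bound parameter are independent defences: the first lets you reject and log obviously hostile input, the second means that even a value that slips through validation can never change the query's structure. Neither is a reason to keep echoing the MySQL error string to the browser.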
DeepSeek, posted December 17, 2008

On all your pages, have you used strip_tags(), trim() and htmlspecialchars($var, ENT_QUOTES)?

This will stop injection. I put alert('this is injection') and it popped up a message saying "alert this is injection", so I'm just asking about this ???
Mistral (author), posted December 17, 2008

Well, I use this:

    // $this->linkid holds the mysql connection resource
    function escape($data) {
        return mysql_real_escape_string(trim($data), $this->linkid);
    }
DeepSeek, posted December 17, 2008

You can modify this to fit your linkid:

    <?php
    // without a link argument, mysql_real_escape_string() uses the last opened connection
    function escape($data) {
        return strip_tags(mysql_real_escape_string(trim($data)));
    }
    ?>
Mistral, posted December 17, 2008

Doesn't work. There is a dot in the upper left corner, otherwise nothing. (This is on the main page.)

EDIT: Front end doesn't work either. Log in works, nothing else.

Chris
DeepSeek, posted December 17, 2008

That is because I used the alert function in JavaScript to edit the home page.
Mistral (author), posted December 18, 2008

Nice.

Granted, I have not used regexp to filter input fields. Nice work though. Keep it coming, I'm fixing as you guys break.

PS: how did you guys make a page with no name?
Mistral (author), posted December 18, 2008

I had to use htmlspecialchars, not strip_tags, because the user might want to insert code in the content.

But the funny thing is, if I put a ' in front of the page name when editing a page, the main content of the page won't show...? What the heck.
Mistral (author), posted December 18, 2008

Never mind.

OK guys, keep breaking please.
DeepSeek, posted December 18, 2008

Addpage.php:

Page <script>alert('this is injection');</script> has been added!
Mistral (author), posted December 18, 2008

Well, all < and > and 's are converted to &lt;, &gt;, &quot;, etc.

I want people to be able to use < and ' in their page name if they want to. However, as they are converted to their HTML characters, scripts won't be run.
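An added example, not the CMS's own code and not what either poster wrote, putting the two layers discussed in this thread side by side: the escape() functions above work on the SQL layer, while the alert() that popped up from the page name is an output-layer problem that htmlspecialchars(..., ENT_QUOTES) handles, as the last two posts conclude. The page name is the constructed payload from the addpage.php post; the helper names are hypothetical.

```php
<?php
// Added example, not code from the sushii CMS. Shows why SQL escaping
// (with or without strip_tags) does not stop the alert() payload, and
// what does: HTML-encoding at the point of output.

// Constructed sample: the page name submitted through addpage.php above.
$pageName = "<script>alert('this is injection');</script>";

// Layer 1, storage: SQL escaping only makes the value safe *inside a quoted
// SQL literal*. MySQL parses the backslashes away, so the stored string is
// still the raw <script> tag, and echoing it later reproduces the XSS.
function escape_for_sql(mysqli $db, string $data): string
{
    return $db->real_escape_string(trim($data));   // or use a bound parameter
}

// Layer 2, output: HTML-encode every time a stored value is written into a
// page. ENT_QUOTES also encodes ' so the value is safe inside single-quoted
// attributes; ENT_SUBSTITUTE avoids returning "" on invalid UTF-8 input.
function h(string $data): string
{
    return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The confirmation message from the thread, rendered safely. The browser
// shows the literal text <script>alert('this is injection');</script>
// instead of running it, so a name may legitimately contain < and '.
echo 'Page ' . h($pageName) . " has been added!\n";
// Page &lt;script&gt;alert(&#039;this is injection&#039;);&lt;/script&gt; has been added!

// Why strip_tags() is the wrong tool for the name: it destroys the value
// instead of displaying it (this is exactly the "alert this is injection"
// text DeepSeek saw), and a payload that lives in an attribute value, such
// as  " onmouseover="alert(1) , contains no tag for it to strip.
var_dump(strip_tags($pageName));   // string(27) "alert('this is injection');"

// Page *content* that is meant to carry HTML is a different case: it must
// not be blanket-encoded, but it is only safe to echo raw if everyone who
// can write it is trusted (here, anyone holding the shared admin login).
// Otherwise it needs an allow-list HTML sanitiser, which neither
// htmlspecialchars() nor strip_tags() is.
```

The rule this illustrates is "escape for the context you are writing into, at the moment you write": real_escape_string or a bound parameter when the value goes into SQL, htmlspecialchars() when it goes into HTML, and urlencode() only when it goes into a URL. Applying one of them at input time, as the escape() helpers above do, leaves every other output context unprotected.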