play_, posted December 17, 2008

So this is my first CMS. I plan on giving it away to clients I freelance to.

www.sushii.org front side

This is beta test...so not only am I looking for security holes, but also bugs, so I'll give credentials to admin side..be considerate though.

www.sushii.org/admin/login.php
username: [email protected]
password: demo

If you find anything wrong/bad, please let me know. I think I may release this to opencms.

Thank you.

Link to comment: https://forums.phpfreaks.com/topic/137454-my-first-cms/

darkfreaks, posted December 17, 2008

Unsafe Injection:

    Error:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION SELECT 1,2,3,4,5,6,7,8,9,10' at line 1

When you output variables in links, try using urlencode(); this helps protect against injection through links.

play_ (Author), posted December 17, 2008

Where did you try to inject? login?

darkfreaks, posted December 17, 2008

edit.page.php I think

play_ (Author), posted December 17, 2008

Alright, I need a bit more info here. Did you try to SQL inject through an input field or the ID variable in the URL?

darkfreaks, posted December 17, 2008

I executed through the URL variable

play_ (Author), posted December 17, 2008

urlencode() won't do the trick since it's an int.

There, I put a function to check if ID is an int. Find more please

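Added example (not part of the thread and not the CMS's own code): one way to do the integer check described in the post above and pair it with a bound parameter, so the ID never becomes part of the SQL text. The `pages` table and the function names are assumptions, and an in-memory SQLite database stands in for the site's MySQL database so the block runs offline.

```php
<?php
// Added example; table, columns and function names are assumptions.

// Constructed in-memory database so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
$pdo->exec("INSERT INTO pages (id, title, body) VALUES (1, 'Home', 'Welcome')");

// Return the id as an int, or null when the raw value is not a positive integer.
// filter_var() rejects trailing text such as "1 UNION ...", unlike an (int) cast,
// which would silently turn it into 1.
function parsePageId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Look a page up by the id taken from the query string.
function loadPage(PDO $pdo, $rawId): ?array
{
    $id = parsePageId($rawId);
    if ($id === null) {
        return null; // rejected before the value gets near SQL
    }
    // The bound parameter is sent as data, so it cannot change the query's shape
    // even if the validation above were ever loosened.
    $stmt = $pdo->prepare('SELECT id, title, body FROM pages WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample inputs, including the kind of value quoted in the error message above.
$samples = ['1', '1 UNION SELECT 1,2,3,4,5,6,7,8,9,10', '1abc', '-3', ''];
foreach ($samples as $raw) {
    $page = loadPage($pdo, $raw);
    printf("%-45s => %s\n", var_export($raw, true), $page ? $page['title'] : 'rejected');
}
```
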
darkfreaks, posted December 17, 2008

On all your pages have you used strip_tags(), trim() and htmlspecialchars($var,ENT_QUOTES); this will stop injection.

I put alert('this is injection') and it popped up a message saying "alert this is injection", so I just ask about this ???

play_ (Author), posted December 17, 2008

Well, I use this:

    function escape($data) {
        return mysql_real_escape_string(trim($data), $this->linkid);
    }

darkfreaks, posted December 17, 2008

You can modify this to fit your linkid:

    <?php
    function escape($data) {
        return strip_tags(mysql_real_escape_string(trim($data)));
    }
    ?>

aximbigfan, posted December 17, 2008

Doesn't work. There is a dot in the upper left corner, otherwise nothing. (This is in the main page.)

EDIT: Front end doesn't work either. Log in works, nothing else.

Chris

darkfreaks, posted December 17, 2008

That is because I used the alert function in JavaScript to edit the home page

play_ (Author), posted December 18, 2008

Nice. Granted, I have not used regexp to filter input fields.

Nice work though. Keep it coming, I'm fixing as you guys break.

PS: how did you guys make a page with no name?

play_ (Author), posted December 18, 2008

I had to use htmlspecialchars, not strip_tags, because the user might want to insert code in the content.

But the funny thing is, if I put a ' in front of the page name when editing a page, the main content of the page won't show...? What the heck.

play_ (Author), posted December 18, 2008

Never mind. K guys keep breaking please.

darkfreaks, posted December 18, 2008

Addpage.php

    Page <script>alert('this is injection');</script> has been added!

play_ (Author), posted December 18, 2008

Well, all < and > and ''s are converted to &lt;, &gt;, &quot;, etc.

I want people to be able to use < and ' in their page name if they want to. However, as they are converted to their HTML characters, scripts won't be run.

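Added example (not part of the thread and not the CMS's own code): the approach described in the post above, with the page name stored exactly as typed and converted to HTML entities only when it is echoed, both in element content and inside a quoted attribute. The `pages` table and the function names are assumptions, and an in-memory SQLite database stands in for MySQL so the block runs offline.

```php
<?php
// Added example; table and function names are assumptions.

// Constructed in-memory database so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Encode for HTML element content and quoted attribute values.
// ENT_QUOTES covers both ' and ", which matters inside attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Store the name as typed; the bound parameter keeps it out of the SQL text,
// so a leading ' in a page name is just another character.
function addPage(PDO $pdo, string $name): int
{
    $stmt = $pdo->prepare('INSERT INTO pages (name) VALUES (:name)');
    $stmt->execute([':name' => trim($name)]);
    return (int) $pdo->lastInsertId();
}

function pageName(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT name FROM pages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Encode at the point of output, in every place the name is echoed.
function renderAdded(PDO $pdo, int $id): string
{
    $name = h(pageName($pdo, $id));
    return "<p>Page {$name} has been added!</p>\n"
         . "<a href=\"edit.page.php?id={$id}\" title=\"Edit {$name}\">edit</a>\n";
}

// Constructed sample names: the one from the Addpage.php post, and one with < and quotes.
$names = ["<script>alert('this is injection');</script>", "Tom's \"5 < 6\" page"];
foreach ($names as $raw) {
    $id = addPage($pdo, $raw);
    echo 'stored:   ', pageName($pdo, $id), "\n";
    echo 'rendered: ', renderAdded($pdo, $id), "\n";
}
```
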