adamlacombe Posted July 15, 2009
I have recently made a script called Media Script. I need some beta testers; I haven't seen anything wrong so far, but there always is! Well, here's the link to my site: http://media-script.com/index.php And the link to download it is: http://media-script.com/Media Script-Beta v1.0.zip I read the sticky topic but didn't really understand the whole part about posting the file and the link to your profile.... But anyway, if you need it, it should be on the left of my post where my avatar is...
Topic: https://forums.phpfreaks.com/topic/166128-beta-test-my-script/
Daniel0 Posted July 16, 2009
> I read the sticky topic but didn't really understand the whole part about posting the file and the link to your profile.... But anyway, if you need it, it should be on the left of my post where my avatar is...
The idea is that if you want to request something like a security audit of a website, you must somehow prove ownership. The easiest way to do that is by placing a file whose contents we've chosen on your website. This is to prevent someone requesting something like "hack my site" and then posting another person's website. That has actually happened before. You don't want beta testing of a website, but a downloadable script, so it doesn't apply here.
xcoderx Posted July 16, 2009
I have asked so many times to beta test my site but nobody approves. Tell me, what must I give to prove that my site is mine? Do I write a message on my site and then will it be approved?
Adam Posted July 17, 2009
Just put a file on your web server, perhaps "phpfreaks.txt", with your username as the content.
Daniel0 Posted July 17, 2009
As it's also explained in this sticky (for the record: sticky post = read it!): Essentially we want you to verify that you are the owner of the website or are otherwise authorized to act on behalf of that owner. An easy way to do this is to place a file whose content we dictate.
xcoderx Posted July 17, 2009
Cool, I should have read the sticky; for no reason I kept creating topics. I'll upload the txt file, and also in my site announcement I'll write "welcome phpfreaks".
Daniel0 Posted July 17, 2009
> I should have read the sticky
Yeah, maybe you should have.
xcoderx Posted July 17, 2009
OK, I created a topic and the proof is in the topic. Hope now I get help.
adamlacombe (Author) Posted July 23, 2009
Ok..... lol So... no one wants to test it out for me? I only have one beta tester. There is a new link to the zip.
seventheyejosh Posted July 23, 2009
I actually helped him with a lot of bugs on this site. I promise nothing, but I'm pretty sure it's his.
Edit: too busy to look atm, but it is at least a lot more visually appealing than before.
Coreye Posted July 23, 2009
Cross Site Scripting (XSS): http://media-script.com/index.php?action=browsev&cat="><marquee><h1>test
Cross Site Scripting (XSS): http://media-script.com/index.php?action=addfav&cat="><marquee><h1>test
Cross Site Scripting (XSS): You can submit ">code and it will execute when using search.
Cross Site Scripting (XSS): You can submit ">code and it will execute when editing your profile.
You can submit comments for jokes, videos and games that don't exist:
http://media-script.com/index.php?action=joke&id=0
http://media-script.com/index.php?action=video&id=0
http://media-script.com/index.php?action=game&id=0
adamlacombe (Author) Posted August 2, 2009
Ok, fixed that, added some strip_tags(); and also fixed:
> You can submit comments for jokes, videos and games that don't exist.
New download and demo site: http://media-script.com/ There will be the links to the different sites. Anything new that I might have missed or whatever, please let me know! Thanks!
darkfreaks Posted August 2, 2009
I get 144 failures with XSS Me on the test site. To be more clear, all the XSS is on your search form. Suggested PHP functions for sanitization:
strip_tags - strips all PHP, JavaScript and HTML tags unless specified.
trim - trims all whitespace before and after a string.
mysql_real_escape_string - strips certain characters that usually lead to injection.
darkfreaks Posted August 2, 2009
Also, if you are using something like...

    <input type="file">

you need to use the form accept attribute to validate through HTML as well as PHP:

    <input type="file" accept="image/jpeg , image/gif">

Otherwise it will just assume you can upload any file in HTML. A low threat exploit though.
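Since the accept attribute is only a hint that the browser may honour or ignore, the PHP side of the check is the part that matters. The following is an added example, not code from the thread or from Media Script: it verifies an upload's type from the file bytes with finfo and getimagesize, caps the size, and generates the stored filename itself. The allowed-type map, the size limit, the uploads directory, and the PHP 7+ requirement (random_bytes) are my assumptions; the 1x1 GIF in the demo is constructed test data.

```php
<?php
// Added example (not from the thread or from Media Script).
// Server-side validation of an image upload: the <input accept> attribute is
// a browser hint only, so type is checked from the bytes, not the filename.

function validate_image_upload(array $file, int $maxBytes = 2 * 1024 * 1024): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('file too large');
    }

    // Assumed allow-list: detected MIME type => extension we will store under.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

    // Detect the type from file content, never from $file['type'] or the name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('unsupported type: ' . $mime);
    }

    // Confirm it actually parses as an image (catches files with a spoofed header).
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a decodable image');
    }

    // Stored name is generated: the client-supplied name never reaches the filesystem.
    return bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
}

// In a real handler (assumed writable directory outside the web root):
//   if (!is_uploaded_file($_FILES['avatar']['tmp_name'])) { exit; }
//   $name = validate_image_upload($_FILES['avatar']);
//   move_uploaded_file($_FILES['avatar']['tmp_name'], '/var/uploads/' . $name);

// Demo: a constructed 1x1 GIF written to a temp file and passed as if uploaded.
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, $gif);
$fake = ['error' => UPLOAD_ERR_OK, 'size' => strlen($gif), 'tmp_name' => $tmp, 'name' => 'avatar.php'];
echo validate_image_upload($fake), "\n";   // prints a random hex name ending in .gif
unlink($tmp);
```

The demo skips is_uploaded_file() because the temp file was not sent through a request; keep that call in a real handler so only files PHP itself received are moved.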
adamlacombe (Author) Posted August 3, 2009
Ok, the search feature I'm not worried about too much, but I'll get around to fixing it soon; I'm probably going to use strip_tags, is that a good one to use? If you don't mind, if you're on the test site again, do you want to test out the friend section addon (add, remove, and accept)? I just barely made it and I'm kind of falling asleep, so I have no idea if I'm missing something lol
darkfreaks Posted August 3, 2009
You should really go back and add strip_tags to the profilecp variables: YIM/AIM/first and last. Oh, and on the add joke and shout section as well.
adamlacombe (Author) Posted August 3, 2009
K, I added strip_tags to the shoutbox, but on the profilecp there are already strip_tags... oh, and the same with adding a joke. Although I did leave the about section in the profilecp without one so people can add HTML and whatnot. Should I be using:

    mysql_real_escape_string(strip_tags($_POST['whatever']))

or without mysql_real_escape_string:

    strip_tags($_POST['whatever'])

?
darkfreaks Posted August 3, 2009
Try:

    <?php
    // strip tags and surrounding whitespace
    $variable = trim(strip_tags($_POST['whatever']));
    // works in PHP 5: strip tags and encode special characters via the filter extension
    $variable .= filter_var($_POST['whatever'], FILTER_SANITIZE_STRING);
    // works in PHP 5: filter_input takes the field name, not the value
    $variable .= filter_input(INPUT_POST, 'whatever', FILTER_SANITIZE_SPECIAL_CHARS);
    ?>
adamlacombe (Author) Posted August 4, 2009
How about using this function?

    function clean_up($string) {
        $string = strip_tags($string);
        $string = htmlspecialchars($string, ENT_NOQUOTES);
        $string = stripslashes($string);
        $string = mysql_real_escape_string($string);
        return $string;
    }

That should cut almost anything out of any of the $_GET's and $_POST's, right?
darkfreaks Posted August 4, 2009
No, that will also create a loop.

    <?php
    // trim, escape for the database, then strip tags
    function clean($text) {
        $text = strip_tags(mysql_real_escape_string(trim($text)));
        return $text;
    } // clean function

    // use htmlspecialchars when echoing out your variables
    echo htmlspecialchars($_POST['blah'], ENT_QUOTES);
    ?>

Also the shout box is fucked again.
darkfreaks Posted August 4, 2009
Additionally, the add comment section is vulnerable to XSS as well.
adamlacombe (Author) Posted August 4, 2009
How does it create a loop?
darkfreaks Posted August 4, 2009
Because you are returning $text 6 times or more, when you only need to return it once.
adamlacombe (Author) Posted August 4, 2009
Ooh, ok.. I switched the clean_up function, and the reason the profile comments were vulnerable is because I had forgotten the clean_up(); I got it all fixed up, I think, now...
EDIT: Oh, and what do you mean by the shout box is fu**ed again? What's wrong with it?.. this time lol
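Both clean_up() and clean() above try to make a string safe for the database and for the page in one pass, which is why the thread keeps finding fields that are still vulnerable: strip_tags does nothing for the `">` probe Coreye posted once it lands inside an attribute, and mysql_real_escape_string output is not meant to be shown in HTML. The following is an added example, not code from the thread or from Media Script, that separates the two jobs: store the raw text with a bound parameter, escape with htmlspecialchars(ENT_QUOTES) at the point of output, and refuse comments on item ids that do not exist (the other finding in the thread). PDO with an in-memory SQLite database, PHP 7+, and the table and column names are my assumptions; the rows and the payload are constructed demo data.

```php
<?php
// Added example (not from the thread or from Media Script).
// Escape for output context; bind parameters for SQL; validate ids before accepting comments.

// Escape for an HTML text node or a double-quoted attribute value.
function html_escape(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Persist a comment with a prepared statement: quoting is the driver's job,
// so no mysql_real_escape_string inside a generic "clean" function.
function store_comment(PDO $db, int $itemId, string $body): void
{
    $stmt = $db->prepare('INSERT INTO comments (item_id, body) VALUES (:item, :body)');
    $stmt->execute([':item' => $itemId, ':body' => $body]);
}

// Only accept comments on items that exist. The table name comes from a fixed
// allow-list (assumed names), never from the request; the id is a bound integer.
function item_exists(PDO $db, string $table, int $id): bool
{
    if (!in_array($table, ['jokes', 'videos', 'games'], true)) {
        return false;
    }
    $stmt = $db->prepare("SELECT 1 FROM {$table} WHERE id = :id");
    $stmt->execute([':id' => $id]);
    return (bool) $stmt->fetchColumn();
}

// Render a stored comment: escaping happens here, once per output context.
function render_comment(string $body): string
{
    return '<p class="comment">' . html_escape($body) . '</p>';
}

// Constructed demo database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE jokes (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, item_id INTEGER, body TEXT)');
$db->exec("INSERT INTO jokes (id, title) VALUES (1, 'first joke')");

$payload = '"><marquee><h1>test';   // the probe string from Coreye's post above

// id=0 (from the thread's ?action=joke&id=0 finding) is rejected before any insert.
if (item_exists($db, 'jokes', 0)) {
    throw new LogicException('id 0 must not exist');
}
if (item_exists($db, 'jokes', 1)) {
    store_comment($db, 1, $payload);   // stored verbatim, including the quote
}

$stored = $db->query('SELECT body FROM comments')->fetchColumn();
echo render_comment($stored), "\n";
// <p class="comment">&quot;&gt;&lt;marquee&gt;&lt;h1&gt;test</p>

// Same value reused in an attribute (the search form case): still inert.
echo '<input name="q" value="' . html_escape($stored) . '">', "\n";
// <input name="q" value="&quot;&gt;&lt;marquee&gt;&lt;h1&gt;test">
```

For the "about" field that is meant to allow some HTML, the same split applies: keep the raw text in the database and run it through an HTML sanitizer with an element and attribute allow-list at output time, rather than relying on strip_tags with an allowed-tags argument, which leaves event-handler attributes on the allowed tags untouched.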
darkfreaks Posted August 4, 2009
OK, I will check again.
Fields still vulnerable: post.
Fixed: most of cpprofile except post, change password, add joke.
Also, you might want to delete all the XSS in comments/shout that the scanner added while testing it.