xcoderx, Posted July 17, 2009
OK, first the proof: it's my site www.discussonline.in/rap/index.html, and now my script www.discussonline.in/rap/index.php. Problem: some people are able to give themselves the owner privilege and destroy things on the site with owner tools. They manage to get into my ID when I'm online but somehow grab my session. I need help finding the holes and guidance to block the damn hacking.
xcoderx (Author), Posted July 17, 2009
One request: please do not hijack or delete anything from my server other than this script :-) and thanks.
xcoderx (Author), Posted July 24, 2009
Wow, not one single person helped or replied to my topic.
darkfreaks, Posted July 24, 2009
Seems pretty solid to me.
xcoderx (Author), Posted July 24, 2009
Lol bro, it's not. It's very much liquid.
lynxus, Posted July 25, 2009
Seems OK here also. Are you sure you're not just using a weak password? Make sure your forms do a lot of error checking. Can't really comment much more without seeing the code. Seems OK to me though.
darkfreaks, Posted July 25, 2009
Checked his backend. He needs to make sure he puts htmlspecialchars when he echoes stuff out, example: <?php echo htmlspecialchars($sid); ?> Also some of the echoes need to go; it's redundant to use echo echo for 800 lines. Also I noticed the lack of sanitization used, such as trim(), mysql_real_escape_string().
xcoderx (Author), Posted July 26, 2009
No, I am not using any weak password, and yes, I have not used real escape strings either, so yes, that must be a weak point too.
waynew, Posted July 30, 2009
xcoderx, PM me if you want me to take a look at your code. I've also noticed that one minute I'm logged in and the next I'm logged out? Are you using session_start() on every page?
darkfreaks, Posted July 31, 2009
Weird, I never get logged out. I really hope he patched his CSRF issue where users were allowed to upload Visual Basic and JavaScript files, and also picture linking to non-picture files.
xcoderx (Author), Posted July 31, 2009
Hiya wayne, yup bro, am using session at every page and also I set time for session to expire from my owner panel. But as darkfreaks said, it was all related with the image uploading, and yup, also real escape strings were lacking. The hackers got through my session through the profile avatar link that I gave; they put an external link to an reèral link, so every time I visit a profile of a hacker they get my session and ruin it all pmpl. Am working on it now and trying to fix em all. I shifted my script to another dir for the time being.
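
The hole described in the last post (a profile avatar link pointing at an external address) together with the missing htmlspecialchars() noted earlier, shown as an added PHP example that is not the poster's code. The host name, default avatar path and function names are assumptions made for illustration.

```php
<?php
// Added example; names, host and paths below are assumptions, not the poster's code.

// Keep the session id in a cookie that page scripts cannot read, never in URLs
// (a URL-carried id leaks in the Referer header when a page loads a remote image).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.cookie_httponly', '1');

const AVATAR_HOST    = 'www.example.com';            // placeholder for the site's own host
const DEFAULT_AVATAR = '/images/default-avatar.png'; // hypothetical path

// Accept an avatar link only if it is an http(s) URL on our own host that ends
// in an image extension; anything else falls back to the default picture.
function safe_avatar_url(string $url): string
{
    $url   = trim($url);
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return DEFAULT_AVATAR;
    }
    $schemeOk = in_array(strtolower($parts['scheme']), ['http', 'https'], true);
    $hostOk   = strtolower($parts['host']) === AVATAR_HOST;
    $extOk    = preg_match('/\.(png|jpe?g|gif)$/i', $parts['path']) === 1;
    return ($schemeOk && $hostOk && $extOk) ? $url : DEFAULT_AVATAR;
}

// Escape at output time so a stored value cannot break out of the attribute.
function avatar_tag(string $storedUrl): string
{
    $src = htmlspecialchars(safe_avatar_url($storedUrl), ENT_QUOTES, 'UTF-8');
    return '<img src="' . $src . '" alt="avatar" width="64" height="64">';
}

// Constructed sample inputs: one acceptable link and three that must be rejected.
$samples = [
    'http://www.example.com/avatars/42.png',
    'http://other.example.net/track.php?x=1',
    'javascript:alert(1)',
    'http://www.example.com/a.png" onerror="x',
];
foreach ($samples as $s) {
    echo avatar_tag($s), PHP_EOL;
}
```

Only the first sample keeps its own URL; the other three render the default avatar, so a visitor's browser never requests a third-party address while viewing a profile.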