stevengreen22 Posted April 13, 2011 Share Posted April 13, 2011 Hi guys, I've got this site that a project for uni, the site design is crap and has previously been discussed at lenght:) I'm worried about the security of the site. I'm pretty new to php and so on. I've a member login, registration etc page. I thought it would be okay but I suspect someone has been fking around the many holes there likly is as I received 8 or so new password requests from my own acount. I just don't want the guys that have set up accounts to have any problams and hoping someone can have a look and say what I need to do. I ran the audit php file that one of the guys uploaded and there was a whole lot of red, but unsure how to rectify it. www.webdesignprofessionals.co.uk thanks in advance. I also don't have a .htaccees file, I need to get one sorted. When you find holes coudl you also point me in the right direction on how to solve it. proof txt - http://www.webdesignprofessionals.co.uk/phpproof.txt Link to comment Share on other sites More sharing options...
pastcow Posted April 14, 2011 Share Posted April 14, 2011 Hi, You have a few issues: The activation of user accounts can easily be forged by guessing the activation id. Password resets should send a link with which the user can use to reset their password and not a new password There is SQL injection in some paramaters / forms. Forms are vulnerable to CSRF Password complexity is not enforced Msg me if you want further details. Link to comment Share on other sites More sharing options...
Recommended Posts