
Please test the beginning stages of my HTML/PHP game


Recommended Posts

Hello all,

 

My friend and I are developing a browser-based HTML/PHP game. It is called IsleWar and is based on Islandor. We currently have register, login, account management, profiles, ranking, and mail working. The next stage is to actually start on the game. I have also made an admin panel and a ban script. If you would like to test the username ban and try to get around it, the username is: TestBan    password: testban

 

Here is the website:

http://www.islewar.us/

 

here is the URL containing my profile:

http://www.islewar.us/verify.txt

 

Please tell me everything you find. :)

If it's easier for you, I installed a bug reporting script at http://www.islewar.us/bugs

 

Thanks!!


I tested a few things, and you're not doing anything with formatting of columns in the profile, as I was for example able to make birthday the string: "Birthday".  You are not filtering input it seems.  Go look at the phpftester profile and you'll see an xss exploit in the "slogan".  I tested a bit of your session stuff, and that seemed to be ok.  Tried some sql injections with no success.

 

In the mail system, I was able to mail to myself.  Putting garbage in the To: leaks an error:  Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in , so that indicates that you're not assigning the result of your insert query to a variable and checking it before you try mysql_num_rows().

 

The design is pretty bland, but I'm sure you're going to work on that.  It's a game, and the design should reflect that.


Alright. I think I fixed all the things you've mentioned. Firstly: I limited the birthday characters to only 0-9, period, and the dash. For the slogan I added htmlentities(). So if someone does enter HTML it shows it, not executes it.

 

For the mail I put in a character check to ensure that it follows the same rules as usernames. If that checks out, then it uses mysql_num_rows to check for a user. If it returns 0, then it says there isn't a user by that name. If it returns 1, then it proceeds to send the message.

Now that I think about it, I should add htmlentities() to the mail as well so people aren't sending each other random html. :D

(Edit: It already has strip_tags())

 

Thanks for checking out my site!

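The two posts above describe the same three fixes: validate the recipient with the username rules before querying, check the query result before calling a row-count function on it, and encode user-supplied text when it is rendered. The following is an added example written for this thread, not IsleWar's own code. It assumes a users table with id and username columns, a username rule of 3 to 16 characters from [A-Za-z0-9_], the mysqli extension, and PHP 7.1 or later; all of those are assumptions, not facts from the thread.

```php
<?php
// Added example (not IsleWar's code): validate a mail recipient the way a
// username is validated, look it up with a prepared statement, and escape
// what is rendered. Table/column names (users, id, username) and the
// username rule (3-16 chars of [A-Za-z0-9_]) are assumptions.

declare(strict_types=1);

const USERNAME_PATTERN = '/\A[A-Za-z0-9_]{3,16}\z/';

// Reject anything that is not a syntactically valid username before it
// reaches the database, so a bad value never produces a failed query.
function is_valid_username(string $name): bool
{
    return preg_match(USERNAME_PATTERN, $name) === 1;
}

// Birthday restricted to digits, period and dash (the rule the author chose),
// plus a length cap so the column cannot be overfilled with a long string.
function is_valid_birthday(string $birthday): bool
{
    return preg_match('/\A[0-9.\-]{1,10}\z/', $birthday) === 1;
}

// Look up a recipient. The reported bug was mysql_num_rows() being called on
// a query result that could be boolean false; here the statement is prepared,
// bound, and every step checked before its result is used.
function find_recipient_id(mysqli $db, string $name): ?int
{
    if (!is_valid_username($name)) {
        return null;
    }
    $stmt = $db->prepare('SELECT id FROM users WHERE username = ? LIMIT 1');
    if ($stmt === false) {
        error_log('prepare failed: ' . $db->error);   // log, never echo
        return null;
    }
    $stmt->bind_param('s', $name);
    if (!$stmt->execute()) {
        error_log('execute failed: ' . $stmt->error);
        $stmt->close();
        return null;
    }
    $stmt->bind_result($id);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int) $id : null;
}

// Output encoding for anything user-supplied that is rendered in HTML.
// strip_tags() on input is not a substitute: it leaves quotes intact and
// does nothing for attribute contexts, so encode at output time as well.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage sketch (needs a live connection; credentials are placeholders):
// $db = new mysqli('localhost', 'user', 'pass', 'islewar');
// $to = $_POST['to'] ?? '';
// $id = find_recipient_id($db, $to);
// if ($id === null) {
//     echo 'There is no user named ' . h($to) . '.';
// } else {
//     // insert the message with another prepared statement, then confirm
// }
// echo '<p class="slogan">' . h($slogan) . '</p>';
```

The point of checking `prepare()` and `execute()` separately is that each can fail for a different reason (bad SQL versus a bad bound value or a dropped connection), and either failure should end up in the error log rather than in the page the player sees.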

I tried the forgot my password function and I was able to key in any data and it will still show this, maybe you want to fix that:

Register
Account
Your password has been reset. Please check your email to retrieve your new password. Then you may login. Once you've logged in, please change your password.
© 2011 optimuspi

( ! ) Warning: mail() [function.mail]: SMTP server response: 550 Unknown user in C:\ROOT\wamp\www\IsleWar\forgotpassword-exec.php on line 67
Call Stack
#  Time    Memory  Function   Location
1  0.0012  690720  {main}( )  ..\forgotpassword-exec.php:0
2  0.0108  709208  mail ( )   ..\forgotpassword-exec.php:67



May I ask the extension of the email you use? ex: @gmail.com

Sometimes it does that if you use a weird email.. If not, I'll look into it. Thanks

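The forgot-password report above shows two separate problems: the form accepts any input and still reports a successful reset, and a failed mail() call prints a PHP warning, including the server's filesystem path, into the page. The following is an added example for this thread, not IsleWar's forgotpassword-exec.php. It validates the address, gives the same answer whether or not the address matches an account, and logs mail failures instead of displaying them. It deliberately differs from the flow on the page in one respect: it emails a single-use reset link rather than a new password. The users and password_resets tables, their columns, the From address, and PHP 7.1+ with mysqli are all assumptions.

```php
<?php
// Added example (not IsleWar's forgotpassword-exec.php): a reset handler that
// validates the address, answers identically for matching and non-matching
// addresses, and logs mail failures instead of printing them to the page.
// Table/column names, the sender address and the token design are assumptions.

declare(strict_types=1);

// Never render PHP warnings to visitors: that is how the server path and the
// SMTP "550 Unknown user" response ended up on the page. Log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// One response for every outcome, so the form cannot be used to discover
// which addresses have accounts.
const RESET_MESSAGE = 'If an account exists for that address, an email with '
    . 'further instructions has been sent.';

function is_valid_email(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false
        && strlen($email) <= 254;
}

// A single-use reset token; only its hash is stored, so a leaked table does
// not hand out usable tokens. Returns [token to mail, hash to store].
function new_reset_token(): array
{
    $token = bin2hex(random_bytes(32));
    return [$token, hash('sha256', $token)];
}

function handle_forgot_password(mysqli $db, string $email, string $resetUrl): string
{
    if (!is_valid_email($email)) {
        return RESET_MESSAGE;          // invalid input: same answer, no work done
    }
    $stmt = $db->prepare('SELECT id FROM users WHERE email = ? LIMIT 1');
    if ($stmt === false) {
        error_log('prepare failed: ' . $db->error);
        return RESET_MESSAGE;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($userId);
    $found = $stmt->fetch();
    $stmt->close();

    if ($found) {
        [$token, $tokenHash] = new_reset_token();
        $expires = date('Y-m-d H:i:s', time() + 3600);   // valid for one hour
        $ins = $db->prepare(
            'INSERT INTO password_resets (user_id, token_hash, expires_at) VALUES (?, ?, ?)'
        );
        if ($ins !== false) {
            $ins->bind_param('iss', $userId, $tokenHash, $expires);
            $ins->execute();
            $ins->close();
        }
        $body = "Reset your IsleWar password here: {$resetUrl}?token={$token}\r\n";
        // mail() returns false on failure; with display_errors off, the SMTP
        // warning goes to the error log and the visitor still sees RESET_MESSAGE.
        if (!mail($email, 'IsleWar password reset', $body, 'From: noreply@islewar.us')) {
            error_log("password reset mail to {$email} failed");
        }
    }
    return RESET_MESSAGE;
}

// Usage sketch (credentials are placeholders):
// $db = new mysqli('localhost', 'user', 'pass', 'islewar');
// echo handle_forgot_password($db, $_POST['email'] ?? '', 'http://www.islewar.us/reset.php');
```

The behaviour worth checking after a change like this is that the page text is byte-for-byte the same for a registered address, an unregistered address, and garbage input, and that the only difference is a line in the server's error log.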
