peter_anderson Posted December 26, 2011
I'd like to request testing of my forum script.
http://www.calicosoft.com/community
(Validation: http://www.calicosoft.com/phpfreaks.txt)
Thanks in advance.
Link to comment https://forums.phpfreaks.com/topic/253852-forum-script-test/
trq Posted December 27, 2011
You should really supply a test account for people to use then.
peter_anderson (Author) Posted December 27, 2011
Username: testee
Password: test
http://www.calicosoft.com/community/index.php?act=login
peter_anderson (Author) Posted December 27, 2011
I can't edit my post, but the code is here: https://github.com/calicosoft/CalicoBB
Coreye Posted December 28, 2011
The Topic field is vulnerable to XSS attacks. I have http://www.calicosoft.com/community/forum-2-Testing-Forum.html redirecting to this thread.

I registered with real information and I received the below error:

Full Path Disclosure: http://www.calicosoft.com/community/index.php?act=sendmessage&to[]
Warning: mysqli::real_escape_string() expects parameter 1 to be string, array given in /home/calico/public_html/community/classes/user.class.php on line 565

Open Directory Listing: http://www.calicosoft.com/community/classes/

What forum is this thread under: http://www.calicosoft.com/community/topic-98-TESTING-TOPIC.html?
peter_anderson (Author) Posted December 28, 2011
> The Topic field is vulnerable to XSS attacks. I have http://www.calicosoft.com/community/forum-2-Testing-Forum.html redirecting to this thread.
This has been fixed.

> I registered with real information and I received the below error:
The script checks the username, email address and IP address against the stopforumspam API. A couple of users have reported it's been giving that error. I'll have a look at it again.

> Full Path Disclosure: http://www.calicosoft.com/community/index.php?act=sendmessage&to[]
This has been fixed, and a custom error handler has been put in place.

> Open Directory Listing: http://www.calicosoft.com/community/classes/
This has been fixed.
Coreye Posted December 28, 2011
XSS Vulnerability: If you include code in the subject field it'll execute when replying to a thread.
http://www.calicosoft.com/community/index.php?act=reply&tid=104

Slashes are stripped from the subject and can result in blank subjects. The redirect on thread creation will also error.
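Added example (not CalicoBB code, and not from either poster) covering the two findings above: the `to[]` request that turns `$_GET['to']` into an array and makes mysqli::real_escape_string() emit a path-disclosing warning, and the subject field that is rendered unescaped into the reply form. The helper names are hypothetical; it validates the parameter type before anything reaches the database layer and escapes at output time instead of stripping characters on input.

```php
<?php
// Added example, not CalicoBB's own code. Function names are hypothetical.

// Request parameters arrive as strings OR arrays (?to[]=x gives an array).
// Reject anything that is not a plain, bounded string before it is passed to
// the database layer; with a prepared statement no manual escaping is needed,
// and the type check means no PHP warning (and no file path) is ever emitted.
function get_string_param(array $src, string $key, int $maxLen = 255): ?string
{
    if (!isset($src[$key]) || !is_string($src[$key])) {
        return null;                       // missing value or array: reject
    }
    $v = trim($src[$key]);
    if ($v === '' || strlen($v) > $maxLen) {
        return null;                       // empty or over-long: reject
    }
    return $v;
}

// Output-escape for an HTML attribute/body context. Stripping slashes on input
// (as reported above) mangles legitimate subjects; escaping on output keeps the
// stored text intact and renders markup as inert characters.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample requests mirroring the reports in this thread.
$requests = [
    ['to' => ['x']],                       // the to[] form: rejected
    ['to' => 'testee'],                    // ordinary username: accepted
    ['to' => str_repeat('a', 300)],        // over-long: rejected
];
foreach ($requests as $q) {
    $to = get_string_param($q, 'to', 32);
    echo $to === null ? "rejected\n" : 'recipient: ' . h($to) . "\n";
}

// Constructed hostile subject: stored verbatim, rendered escaped, slash kept.
$subject = 'Re: <script>alert(1)</script> & a/b';
echo '<input name="subject" value="' . h($subject) . '">' . "\n";
```

Run with `php example.php`; the escaped subject shows as literal text in the page instead of executing, and the slash survives.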
peter_anderson (Author) Posted December 28, 2011
Both issues fixed.
Coreye Posted December 28, 2011
Long subjects cause a "Forbidden" permission error.
peter_anderson (Author) Posted December 28, 2011
Also fixed. Subjects are also prevented from being too long without spaces.
Coreye Posted December 29, 2011
XSS Vulnerability: http://www.calicosoft.com/community/topic-116-ou.html
The "Edit" field is vulnerable to XSS attacks.

XSS Vulnerability: http://www.calicosoft.com/community/downloads-category-4-CalicoKB-Themes-amp-Modifications.html
The "Title" field is vulnerable to XSS attacks.

When you use the "YouTube" BBCode the video doesn't show up and "0" is placed in the content box. If the subject has "Y" in it the letter is removed.

You get the below error when PMing people who DO exist.
Error: The user you are trying to private message could not be found. Please check that this user exists and you have spelt their username correctly
peter_anderson (Author) Posted December 29, 2011
Fixed the two XSS problems (and found a couple more which have been fixed).

The Youtube JS has also been fixed; I was using & rather than + to join the strings. I could not replicate the Youtube problem - http://www.calicosoft.com/community/index.php?post=216&tid=118

If you were trying to PM CalicoSoft, that error should occur as I had disabled the PM system. The error text will be changed.
Coreye Posted December 29, 2011
> The script checks the username, email address and IP address against the stopforumspam API. A couple of users have reported it's been giving that error. I'll have a look at it again.
Was this looked into? I'm now getting:

Error: Sorry, registration cannot proceed. Your details match known spammers the StopForumSpam database. Your username appears in this database. Please try a different username or email.

I tried to register with "Corey" as my username.
peter_anderson (Author) Posted December 29, 2011
Maybe the system should only check email addresses. I'll get that changed.

Here's the API result, BTW: http://stopforumspam.com/api?username=Corey
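Added example (not CalicoBB code) of the decision the author proposes above: take a StopForumSpam lookup result and act only on email (and IP) matches, so a common username such as "Corey" that appears in other sites' submissions no longer blocks registration. It assumes the JSON form of the API response in which each checked field carries "appears", "frequency" and "confidence"; that shape and the threshold are assumptions to check against the current API documentation, and the sample responses are constructed.

```php
<?php
// Added example, not CalicoBB's own code. Assumes the JSON API response shape
// (success, then one object per checked field with appears/frequency/confidence).
function sfs_verdict(array $r, float $minConfidence = 50.0): array
{
    // A failed lookup must not block real users; log it and let them through.
    if (empty($r['success'])) {
        return ['block' => false, 'reason' => 'lookup failed, not blocking'];
    }
    // Username hits alone are not actionable: ordinary names collide with
    // entries other sites submitted, which is exactly the "Corey" report above.
    foreach (['email', 'ip'] as $field) {
        $hit = $r[$field] ?? null;
        if (!is_array($hit) || empty($hit['appears'])) {
            continue;
        }
        $conf = (float)($hit['confidence'] ?? 0.0);
        if ($conf >= $minConfidence) {
            return ['block' => true, 'reason' => "$field listed (confidence $conf)"];
        }
    }
    return ['block' => false, 'reason' => 'no strong email/ip match'];
}

// Constructed responses: a username-only hit (the "Corey" case) and an email hit.
$usernameOnly = ['success' => 1,
    'username' => ['appears' => 1, 'frequency' => 12, 'confidence' => 40.2],
    'email'    => ['appears' => 0, 'frequency' => 0],
    'ip'       => ['appears' => 0, 'frequency' => 0]];
$emailHit = ['success' => 1,
    'username' => ['appears' => 0, 'frequency' => 0],
    'email'    => ['appears' => 1, 'frequency' => 85, 'confidence' => 99.1],
    'ip'       => ['appears' => 0, 'frequency' => 0]];

foreach ([$usernameOnly, $emailHit] as $resp) {
    $v = sfs_verdict($resp);
    printf("%s: %s\n", $v['block'] ? 'BLOCK' : 'ALLOW', $v['reason']);
}
```

The first constructed response is allowed and the second blocked; in production the array comes from json_decode() of the API body, and the lookup should have a short timeout so an unreachable API degrades to "allow", not to a broken registration form.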