
Forum script test


peter_anderson


The Topic field is vulnerable to XSS attacks. I have http://www.calicosoft.com/community/forum-2-Testing-Forum.html redirecting to this thread.

kvIvE.png

 

I registered with real information and I received the below error:

DQYAt.png

 

Full Path Disclosure:

http://www.calicosoft.com/community/index.php?act=sendmessage&to[]

Warning: mysqli::real_escape_string() expects parameter 1 to be string, array given in /home/calico/public_html/community/classes/user.class.php on line 565

 

Open Directory Listing:

http://www.calicosoft.com/community/classes/

 

What forum is this thread under: http://www.calicosoft.com/community/topic-98-TESTING-TOPIC.html?

 


> The Topic field is vulnerable to XSS attacks. I have http://www.calicosoft.com/community/forum-2-Testing-Forum.html redirecting to this thread.

 

This has been fixed.

 

> I registered with real information and I received the below error:

 

The script checks the username, email address and IP address against the stopforumspam API. A couple of users have reported it's been giving that error. I'll have a look at it again.

 

 

This has been fixed, and a custom error handler has been put in place.

 

 

This has been fixed.

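The full path disclosure reported above comes from passing the array that `to[]` produces straight into `mysqli::real_escape_string()`, and from PHP printing the resulting warning (with the server path) to the browser. The following PHP is an added example, not CalicoSoft's code, showing the two defensive pieces a fix normally consists of: validating that request parameters are scalar before they reach the database layer, and routing PHP errors through a handler that logs the detail and shows the user a generic message. The table and column names and the `$db` connection are assumptions.

```php
<?php
// Added example (not the forum script's own code): hardening a "send message"
// handler against to[] array input and against full-path disclosure.
declare(strict_types=1);

// 1. Never let PHP print warnings (which include file paths) to the browser.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// 2. Custom error handler: log the detail server-side, show a generic message.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    error_log(sprintf('[%d] %s in %s:%d', $errno, $errstr, $errfile, $errline));
    http_response_code(500);
    echo 'An internal error occurred. The problem has been logged.';
    exit;
});

// 3. Reject non-scalar request parameters before they reach the DB layer.
//    "to[]" arrives as an array, not a string; that is the case behind the warning.
function requireStringParam(array $source, string $key, int $maxLen = 64): string
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        throw new InvalidArgumentException("Parameter '$key' must be a string");
    }
    $value = trim($source[$key]);
    if ($value === '' || strlen($value) > $maxLen) {
        throw new InvalidArgumentException("Parameter '$key' has an invalid length");
    }
    return $value;
}

// 4. Look up the recipient with a prepared statement instead of manual escaping.
//    Table and column names are assumptions for this example.
function findUserIdByName(mysqli $db, string $username): ?int
{
    $stmt = $db->prepare('SELECT id FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int) $id : null;
}

// Request handler sketch ($db is an existing mysqli connection, assumed):
// try {
//     $to = requireStringParam($_GET, 'to');
//     $recipientId = findUserIdByName($db, $to);
//     if ($recipientId === null) { /* show the generic "user not found" message */ }
// } catch (InvalidArgumentException $e) {
//     http_response_code(400);
//     echo 'Invalid request.';
// }
```

With `display_errors` off, a malformed `to[]` request now yields a 400 with no path in the response, and any unexpected PHP warning yields a logged 500 instead of the `/home/calico/...` line shown in the report.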

XSS Vulnerability: http://www.calicosoft.com/community/topic-116-ou.html

The "Edit" field is vulnerable to XSS attacks.

hEvEB.png

 

XSS Vulnerability: http://www.calicosoft.com/community/downloads-category-4-CalicoKB-Themes-amp-Modifications.html

The "Title" field is vulnerable to XSS attacks.

DqfMP.png

 

When you use the "YouTube" BBCode the video doesn't show up and "0" is placed in the content box.

 

If the subject has "Y" in it the letter is removed.

n8Fsw.png

 

You get the below error when PMing people who DO exist.

Error: The user you are trying to private message could not be found. Please check that this user exists and you have spelt their username correctly
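The three XSS findings in this thread (Topic, "Edit" and "Title" fields) share one root cause: user-supplied text is written into HTML without being encoded. The PHP below is an added example, not code from the forum script, showing the output-time escaping that prevents all three at once. The helper name `e()`, the URL pattern and the rendering function are assumptions; the title value is a constructed test input.

```php
<?php
// Added example (not the forum script's own code): escape every user-controlled
// value at the point it is written into HTML, regardless of which field it came from.
declare(strict_types=1);

function e(string $value): string
{
    // ENT_QUOTES escapes both ' and " so the value is also safe inside attributes;
    // ENT_SUBSTITUTE returns U+FFFD instead of an empty string on invalid UTF-8.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render one topic row. Every dynamic value goes through e(); the href is built
// from an integer id so it cannot carry attacker-controlled text (URL pattern assumed).
function renderTopicRow(int $id, string $title): string
{
    $href = sprintf('/community/topic-%d.html', $id);
    return '<tr><td><a href="' . e($href) . '">' . e($title) . '</a></td></tr>';
}

// Constructed test input of the kind a tester would submit in the Topic field.
$constructedTitle = '"><script>alert(1)</script>';
echo renderTopicRow(98, $constructedTitle), PHP_EOL;
// Output:
// <tr><td><a href="/community/topic-98.html">&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;</a></td></tr>
```

Applying the same `e()` call when the value is rendered inside the edit form's `<textarea>` and in the downloads "Title" column covers the other two reports; escaping on output rather than on input also means stored data stays intact for other consumers such as RSS or e-mail.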

Fixed the two XSS problems (and found a couple more which have been fixed).

The Youtube JS has also been fixed; I was using & rather than + to join the strings.

I could not replicate the Youtube problem - http://www.calicosoft.com/community/index.php?post=216&tid=118

If you were trying to PM CalicoSoft, that error should occur as I had disabled the PM system. The error text will be changed.


> The script checks the username, email address and IP address against the stopforumspam API. A couple of users have reported it's been giving that error. I'll have a look at it again.

Was this looked into?

 

I'm now getting:

Error: Sorry, registration cannot proceed. Your details match known spammers the StopForumSpam database. Your username appears in this database. Please try a different username or email.

I tried to register with "Corey" as my username.

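The registration check described earlier queries StopForumSpam for username, e-mail and IP, and the last post shows the weakness of treating a username hit as decisive: a common first name like "Corey" will have been seen in the database. The PHP below is an added example, not the forum script's own check, of querying the API and weighting the three signals so that a username match alone does not block a registration. The response layout used here (a `success` flag plus `appears`, `frequency` and `confidence` per field) is my understanding of the public API and should be checked against its current documentation; the sample reply is constructed.

```php
<?php
// Added example (not the forum script's own code): query StopForumSpam and
// decide on the combination of signals rather than on the username alone.
declare(strict_types=1);

// Fetch the JSON reply for the three identifiers, or null on any failure.
function fetchStopForumSpam(string $username, string $email, string $ip): ?array
{
    $url = 'https://api.stopforumspam.org/api?json&' . http_build_query([
        'username' => $username,
        'email'    => $email,
        'ip'       => $ip,
    ]);
    $ctx  = stream_context_create(['http' => ['timeout' => 3]]);
    $body = @file_get_contents($url, false, $ctx);
    if ($body === false) {
        error_log('StopForumSpam lookup failed'); // design choice: fail open, but log it
        return null;
    }
    $data = json_decode($body, true);
    return (is_array($data) && (int) ($data['success'] ?? 0) === 1) ? $data : null;
}

// Email and IP hits are strong signals; a username hit only counts alongside one of them.
// Field names (appears/confidence) are an assumption about the API reply format.
function isLikelySpammer(array $reply, float $minConfidence = 50.0): bool
{
    $hit = static function (array $entry, float $threshold): bool {
        return (int) ($entry['appears'] ?? 0) === 1
            && (float) ($entry['confidence'] ?? 0) >= $threshold;
    };

    $emailHit = $hit($reply['email'] ?? [], $minConfidence);
    $ipHit    = $hit($reply['ip'] ?? [], $minConfidence);
    if ($emailHit || $ipHit) {
        return true;
    }

    // Username: require high confidence AND a low-confidence hit on another field.
    $otherAppears = (int) ($reply['email']['appears'] ?? 0) === 1
                 || (int) ($reply['ip']['appears'] ?? 0) === 1;
    return $hit($reply['username'] ?? [], 90.0) && $otherAppears;
}

// Constructed reply: the username has been seen a few times (a common first name),
// but neither the e-mail nor the IP appears. Registration should proceed.
$constructedReply = json_decode('{"success":1,
    "username":{"appears":1,"frequency":3,"confidence":7.5},
    "email":{"appears":0,"frequency":0},
    "ip":{"appears":0,"frequency":0}}', true);

var_dump(isLikelySpammer($constructedReply)); // bool(false)
```

When the lookup returns null (API down or malformed reply), the caller should let registration continue and rely on other controls rather than show users an error they cannot act on, which is the behaviour reported at the top of this thread.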
