Twister1004, posted February 24, 2012

I need testing of the website's vulnerabilities. PLEASE NOTE: I have VERY VERY little experience securing websites, which is why I would like to do this. If you find a security vulnerability, could you let me know and also mention how to fix it as well? I will be doing research on it, but I would still like user input. Also, this website is completely clean and only has certain data on it. Also, please feel free to use anything at your fingertips. You will not be able to crash anything of my personal property. Thank you very much. Best regards, and have fun trashing my site.

URL: http://projecta.ulmb.com
URL to required text file: http://projecta.ulmb.com/test.txt

Again, I would like to thank anyone who helps me secure the site with your input!
Coreye, posted February 25, 2012

You should remove all of the ad pop-ups until testing is done.

Cross Site Scripting (XSS): You can submit code on comments and it'll execute.
http://projecta.ulmb.com/news.php?NUID=13

Cross Site Scripting (XSS): You can submit code in profile fields and it'll execute.
http://projecta.ulmb.com/profile.php?p=4

MySQL Error: http://projecta.ulmb.com/profile.php?p='
Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in /hosted/subs/ulmb.com/p/r/projecta/public_html/inc/functions.php on line 257

Full Path Disclosure: http://projecta.ulmb.com/news.php?NUID[]
Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /hosted/subs/ulmb.com/p/r/projecta/public_html/news.php on line 4
Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /hosted/subs/ulmb.com/p/r/projecta/public_html/news.php on line 26
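The MySQL error and full-path-disclosure findings above both come from passing an unvalidated `NUID` / `p` parameter (including the array form `NUID[]`) straight into string functions and queries while PHP warnings are displayed to visitors. The following is an added example, not the site's own code, of how news.php could validate the id first; it assumes a mysqli connection in `$db` and a `news` table with an integer `NUID` column and a `body` column, and swaps the page's mysql_* calls for a prepared statement.

```php
<?php
// Added example (not the site's code): hardened handling of news.php?NUID=...
// Assumptions: $db is a connected mysqli; table `news` has columns NUID (int)
// and body (text).

// Warnings must not reach the browser: that is what leaked the script path.
// Log them server-side instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

function readNewsId(array $get, string $key = 'NUID'): ?int
{
    // ?NUID[] arrives as a PHP array. Treat it as an invalid id instead of
    // handing it to mysql_real_escape_string(), which warns with the full path.
    if (!isset($get[$key]) || is_array($get[$key])) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects "'", "" and "13abc" rather than coercing them.
    $id = filter_var($get[$key], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function fetchNews(mysqli $db, int $id): ?array
{
    // Bound integer parameter: the id never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT NUID, body FROM news WHERE NUID = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($nuid, $body);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? ['NUID' => $nuid, 'body' => $body] : null;
}

$id = readNewsId($_GET);
if ($id === null) {
    http_response_code(400);
    exit('Invalid news id.');
}
$row = fetchNews($db, $id);
if ($row === null) {
    // Also closes the "comment on a post that does not exist" hole: no
    // comment form is rendered for an id that is not in the table.
    http_response_code(404);
    exit('No such news item.');
}
```

The same `readNewsId()` pattern applies to profile.php?p=, where the `'` payload produced the mysql_num_rows() warning.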
Twister1004 (author), posted February 26, 2012

> You should remove all of the ad pop-ups until testing is done.
>
> Cross Site Scripting (XSS): You can submit code on comments and it'll execute.
> http://projecta.ulmb.com/news.php?NUID=13
>
> Cross Site Scripting (XSS): You can submit code in profile fields and it'll execute.
> http://projecta.ulmb.com/profile.php?p=4
>
> MySQL Error: http://projecta.ulmb.com/profile.php?p='
> Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in /hosted/subs/ulmb.com/p/r/projecta/public_html/inc/functions.php on line 257
>
> Full Path Disclosure: http://projecta.ulmb.com/news.php?NUID[]
> Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /hosted/subs/ulmb.com/p/r/projecta/public_html/news.php on line 4
> Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /hosted/subs/ulmb.com/p/r/projecta/public_html/news.php on line 26

I have fixed those problems, so they should be fixed =)! Thank you for testing the website for me!

Also, for the pop-ups, I have no control over that. The web server I am using automatically pops those up. I'm buying a web server in a day or so.
kicken, posted February 26, 2012

When you get it on a new server, post back and I will look at it more. For now, the ads are far too annoying to do any kind of serious testing. I was getting popups / overlays on every single page load.
RobertP, posted February 26, 2012

1. Email address validation is missing; I created an account with email = 11.
2. Possible to register LINK while you are logged in.
3. XSS (true): http://projecta.ulmb.com/news.php?NUID=11
4. Possible to comment on posts that do not exist, and check the length of comments. http://projecta.ulmb.com/news.php?NUID=9999
5. On http://projecta.ulmb.com/admin/ your refresh meta is not inside the head tag, so it doesn't work. Well, I am using Chrome.
   <meta http-equiv="refresh" content="2 url='../'"/>
Twister1004 (author), posted February 26, 2012

> When you get it on a new server, post back and I will look at it more. For now, the ads are far too annoying to do any kind of serious testing. I was getting popups / overlays on every single page load.

The web server is set up finally! The address is: http://artistbeginnings.com

There are also NO ADS... yet, anyway.

> 1. Email address validation is missing; I created an account with email = 11.
> 2. Possible to register LINK while you are logged in.
> 3. XSS (true): http://projecta.ulmb.com/news.php?NUID=11
> 4. Possible to comment on posts that do not exist, and check the length of comments. http://projecta.ulmb.com/news.php?NUID=9999
> 5. On http://projecta.ulmb.com/admin/ your refresh meta is not inside the head tag, so it doesn't work. Well, I am using Chrome.
>    <meta http-equiv="refresh" content="2 url='../'"/>

I just went through all of the items you mentioned, and I have fixed them as far as I can tell. If you find any more errors at all, please let me know. Thank you again for testing the website!
kicken, posted March 1, 2012

Your register form should re-populate the fields with the values when there is a validation error. Having to re-fill the form is annoying and will deter people from registering.

Your age calculation seems to be a tiny bit off. I was able to register successfully with a birthday that would make me 12 years old, not 13 like your error says you require.

When registration is successful, you should not show the registration form, and your message saying it was successful could be a bit bigger. Also:

> Your account was successfully created. Please wait at least one(1) minute before you log into your account.

Why? If they have to wait for an email confirmation, say that; don't just say wait one minute. If there is some other reason for the wait, it sounds like something you need to fix, not just ask people to wait.

When posting comments, you seem to have some issues with slashes. I posted the comment:

    We say, "Welcome, O'neill!" <a href="/"> / </a>

And what got posted was:

    We say, \\\"Welcome, O\\\'neill!\\\"\r\n\r\n /

(or as the HTML)

    We say, \\\"Welcome, O\\\'neill!\\\"\r\n\r\n<a href="\\\"/\\\""> / </a>

You are still vulnerable to XSS attacks in your comment area; see the comment here, from batest. Click the link asdf.

If I try and use the password recovery page, it tells me the birthday is invalid, even though I am entering the one I used on the registration page.
Twister1004 (author), posted March 4, 2012

> Your register form should re-populate the fields with the values when there is a validation error. Having to re-fill the form is annoying and will deter people from registering.
>
> Your age calculation seems to be a tiny bit off. I was able to register successfully with a birthday that would make me 12 years old, not 13 like your error says you require.
>
> When registration is successful, you should not show the registration form, and your message saying it was successful could be a bit bigger. Also:
>
> > Your account was successfully created. Please wait at least one(1) minute before you log into your account.
>
> Why? If they have to wait for an email confirmation, say that; don't just say wait one minute. If there is some other reason for the wait, it sounds like something you need to fix, not just ask people to wait.
>
> When posting comments, you seem to have some issues with slashes. I posted the comment:
>
>     We say, "Welcome, O'neill!" <a href="/"> / </a>
>
> And what got posted was:
>
>     We say, \\\"Welcome, O\\\'neill!\\\"\r\n\r\n /
>
> (or as the HTML)
>
>     We say, \\\"Welcome, O\\\'neill!\\\"\r\n\r\n<a href="\\\"/\\\""> / </a>
>
> You are still vulnerable to XSS attacks in your comment area; see the comment here, from batest. Click the link asdf.
>
> If I try and use the password recovery page, it tells me the birthday is invalid, even though I am entering the one I used on the registration page.

I also noticed some more security vulnerabilities, and fixed them in the process as well.

The registration suggestions and issues I have fixed. Although I'm not sure why it accepted someone at 2000; I tried and it only allowed 1999 or older.

The comments I will fix in time. I'm not sure exactly why it's doing that. It shouldn't be adding that many slashes. However, I'll fix it once I can figure out the cause.

I will have to read more on XSS attacks then...

I really appreciate your help, I really do!
RobertP, posted March 5, 2012

Use stripslashes when you echo out your message from your database.
Pikachu2000, posted March 5, 2012

There should be no reason to use stripslashes() on data coming from the database. If the data is being stored with escaping slashes, then something is wrong with the way it's being inserted to begin with, and that is what should be fixed.
RobertP, posted March 5, 2012

Then use htmlspecialchars on the message just before inserting it into the database.
Pikachu2000, posted March 5, 2012

No, the problem is that the data is being escaped more than once. The OP needs to figure out why that's happening, whether it's due to magic_quotes_gpc being ON, or just redundant/unnecessary code, and correct the problem.
Twister1004 (author), posted March 5, 2012

> Use stripslashes when you echo out your message from your database.

> There should be no reason to use stripslashes() on data coming from the database. If the data is being stored with escaping slashes, then something is wrong with the way it's being inserted to begin with, and that is what should be fixed.

I am using stripslashes() upon output. However, there seems to be an extra slash that it is not removing.

> Then use htmlspecialchars on the message just before inserting it into the database.

htmlspecialchars() will not fix this issue. It is more than likely due to what Pikachu2000 has said.

> No, the problem is that the data is being escaped more than once. The OP needs to figure out why that's happening, whether it's due to magic_quotes_gpc being ON, or just redundant/unnecessary code, and correct the problem.

As far as I am aware, I am not using magic_quotes_gpc(). I am using mysql_real_escape_string(). I also just found out I am using it more than once as well. So I will be spending my time formatting the site again with my functions.
Pikachu2000, posted March 5, 2012

You wouldn't "use" magic_quotes_gpc(), per se. You do need to either ensure it's off by setting the directive in the php.ini file, or check for it with get_magic_quotes_gpc, then if it's on (and ONLY if it's on) you'd run stripslashes() on the incoming form data before escaping it. So it would be a function something like this:

    // Undo magic_quotes_gpc (if enabled) and then escape exactly once for MySQL.
    function MAGIC_QUOTES_GPC_SUCKS($data) {
        // get_magic_quotes_gpc() returns 0 or 1, not a boolean, so test it for truthiness
        if( get_magic_quotes_gpc() ) {
            $data = stripslashes($data);
        }
        $data = mysql_real_escape_string($data);
        return $data;
    }

Obviously, you'd need to add a check to make sure you didn't pass an array to the function, or change it to work with arrays.
Twister1004 (author), posted March 15, 2012

> You wouldn't "use" magic_quotes_gpc(), per se. You do need to either ensure it's off by setting the directive in the php.ini file, or check for it with get_magic_quotes_gpc, then if it's on (and ONLY if it's on) you'd run stripslashes() on the incoming form data before escaping it. So it would be a function something like this:
>
>     function MAGIC_QUOTES_GPC_SUCKS($data) {
>         if( get_magic_quotes_gpc() === TRUE ) {
>             $data = stripslashes($data);
>         }
>         $data = mysql_real_escape_string($data);
>         return $data;
>     }
>
> Obviously, you'd need to add a check to make sure you didn't pass an array to the function, or change it to work with arrays.

So basically, if magic quotes is on, I do NOT need to run mysql_real_escape_string? Would it be better to keep using magic_quotes or just turn it off?
kicken, posted March 15, 2012

> So basically, if magic quotes is on, I do NOT need to run mysql_real_escape_string?

That was the idea behind it when the directive was created. It failed horribly at doing its job and caused far more issues than it solved, though, which is why it has been disabled by default for a while, and is finally being outright removed from PHP altogether (as of 5.4).

You should always assume these settings when you code:

    error_reporting=E_ALL
    magic_quotes_gpc=Off
    register_globals=Off
    short_open_tag=Off

And code your scripts to work in that environment without errors. In the case of magic_quotes_gpc, if it is on then you have to undo its effect by running everything in $_POST, $_GET, $_REQUEST, and $_COOKIE through stripslashes(). You can do this using a recursive function fairly easily; Google can probably find you an implementation if you don't know how to make one.
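The recursive stripslashes pass kicken describes, together with the single-escaping rule from the earlier exchange (escape once for SQL on the way in, escape once for HTML on the way out), as an added example that is not the thread's or the site's code. It assumes a mysqli connection in `$db` and a `comments` table with columns `NUID` and `body`; a bound parameter stands in for the page's mysql_real_escape_string() call.

```php
<?php
// Added example (not the site's code): neutralise magic_quotes_gpc once, then
// escape for SQL once (bound parameter) and for HTML once (on output).
// Assumptions: $db is a connected mysqli; table `comments` has NUID (int) and
// body (text).

// Recursively strip the backslashes magic_quotes_gpc added to every value,
// including nested arrays such as field[] inputs.
function stripMagicQuotes($value)
{
    if (is_array($value)) {
        return array_map('stripMagicQuotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Run once, at the top of a shared include, before anything else reads the
// superglobals. On PHP >= 5.4 get_magic_quotes_gpc() always returns false and
// on PHP 8 it no longer exists, so the guard makes this block a no-op there.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = stripMagicQuotes($_GET);
    $_POST    = stripMagicQuotes($_POST);
    $_COOKIE  = stripMagicQuotes($_COOKIE);
    $_REQUEST = stripMagicQuotes($_REQUEST);
}

// Store the comment as typed. The driver quotes the bound value, so no other
// escaping is applied and no backslashes end up in the database: the cause
// of the \\\"Welcome, O\\\'neill!\\\" output seen in the thread.
function saveComment(mysqli $db, int $newsId, string $text): bool
{
    $stmt = $db->prepare('INSERT INTO comments (NUID, body) VALUES (?, ?)');
    $stmt->bind_param('is', $newsId, $text);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Render a stored comment. HTML escaping happens here and only here, which
// turns a submitted <a href=...> or <script> into visible text instead of
// executing markup, closing the comment-area XSS reported above.
function renderComment(string $text): string
{
    return nl2br(htmlspecialchars($text, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample: the test comment kicken posted in this thread.
$sample = "We say, \"Welcome, O'neill!\" <a href=\"/\"> / </a>";
echo renderComment($sample);
```

With this arrangement the stripslashes() call on output that the author mentions becomes unnecessary, because nothing adds slashes before the insert.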
Pikachu2000, posted March 15, 2012

No; magic_quotes_gpc was a poor idea, and has been removed from PHP as of version 5.4. If magic_quotes_gpc is on, you need to undo its escaping with stripslashes, and use mysql_real_escape_string instead.

EDIT: Somehow missed the reply above, even though it was an hour earlier than mine . . .