I am working on the v2.0 rewrite of my game and I even created a whole microframework for it so that I can quickly get it done. Right now, however, I am needing more testers, because I am looking to get some good, reliable feedback, since the present players on the main server are too few to give me a wide range of feedback on it. The framework I created is at http://github.com/deth4uall/Obsidian-Moon-Engine/ if you want to check it out, released under the BSD license.

 

The link to the application in question is: http://testing.ultimate-battle-online.com/ and below is my phpfreaks.txt

 

http://testing.ultimate-battle-online.com/phpfreaks.txt

Do you have a demo account set up with a demo PIN?

Registration page says:

Before you can continue registering you will need to choose how you will continue registering an account.

 

With no options to follow. Can't really test anything without access to the script.

 

Okay, noticed that the register link on the index page takes me here:

http://testing.ultimate-battle-online.com/main/start/

 

Should take me here:

http://testing.ultimate-battle-online.com/main/register/

 

Registration failure: after the form was processed I received this error:

Fatal error: Call to undefined function remove_invisible_characters() in /home/uboeleme/Obsidian-Moon-Engine/classes/core_security.php on line 112

  • 4 weeks later...

Vulnerability description

This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.

 

Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.

This vulnerability affects /main/register/.

Discovered by: Scripting (XSS.script).

The impact of this vulnerability

Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

 

Attack details

URL encoded POST input display_name was set to " onmouseover=prompt(902527) bad="

The input is reflected inside a tag element between double quotes.

 

URL encoded POST input email1 was set to " onmouseover=prompt(924240) bad="

The input is reflected inside a tag element between double quotes.

 

URL encoded POST input email2 was set to " onmouseover=prompt(952274) bad="

The input is reflected inside a tag element between double quotes.

 

URL encoded POST input login_name was set to " onmouseover=prompt(944670) bad="

The input is reflected inside a tag element between double quotes.

How to fix this vulnerability

Your script should filter metacharacters from user input (i.e. strip_tags or filter_var).

 

  • 1 month later...

The tip given from that scanner used by darkfreaks is not a good one. You should escape the output using htmlspecialchars(), not using a blacklist to filter out some of the known Bad Stuff; you'll never know all of the Bad Stuff, after all. So better to make sure that whatever it is, it's considered as pure text as far as the browser is concerned.

That was from me, not my scanner. Also, you could do a better job of explaining why they are "bad".

 

 

The PHP function strip_tags is the classic solution for attempting to clean up HTML. It is also the worst solution, and should be avoided like the plague. The fact that it doesn't validate attributes at all means that anyone can insert an onmouseover='xss();' and exploit your application.

 

While this can be bandaided with a series of regular expressions that strip out on[event] (you're still vulnerable to XSS and at the mercy of quirky browser behavior), strip_tags is fundamentally flawed and should not be used.

 

 

Anyhow, Christian is right: you do need to escape any XSS on output of the variable.

 

// Escape login_name for HTML output; ENT_QUOTES converts both double and single quotes
$login_name = htmlspecialchars($_POST['login_name'] ?? '', ENT_QUOTES, 'utf-8');

 

 

Also, using htmlspecialchars by itself will not remove all types of attacks (JavaScript) because of the difference in quotes.

 

If you want to securely remove XSS, I would recommend using HTML Purifier instead of built-in PHP functions.

A bit of why it's considered "bad" is explained in the PHP manual itself, more specifically in the warnings. There's also a thread at StackOverflow that lists a couple more reasons, and then we have this article on why strip_tags is not enough.

Hopefully that's enough of an explanation? :)

  • 2 weeks later...

You are down to one warning (GOOD).

 

 

All you are allowing now is simple JavaScript attacks.

 

You can do more validation with the login name:

 

// Accept login_name only if it consists of letters and digits (ctype_alnum returns false for an empty string)
$variable = ctype_alnum($_POST['login_name'] ?? '') ? $_POST['login_name'] : 'Please post a username with letters or numbers only!';
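To tie the thread together, here is an added example (my own code, not from the thread or the Obsidian Moon Engine) that takes the scanner's display_name probe, shows that strip_tags leaves it untouched while htmlspecialchars with ENT_QUOTES neutralises it in an attribute context, and applies the ctype_alnum whitelist from the last post to login_name. The field names come from the scan report; the payload string is constructed to match the probe shape.

```php
<?php
declare(strict_types=1);

// Constructed input, shaped like the scanner's probe for display_name.
$payload = '" onmouseover=prompt(902527) bad="';

// Vulnerable: raw reflection inside a double-quoted attribute (what the scan reported).
function render_raw(string $v): string {
    return '<input name="display_name" value="' . $v . '">';
}

// Scanner's advice: strip_tags only removes <...> sequences; the probe contains
// none, so the quote-breaking payload passes through unchanged.
function render_strip_tags(string $v): string {
    return '<input name="display_name" value="' . strip_tags($v) . '">';
}

// Hardened: escape for the HTML attribute context. ENT_QUOTES also converts the
// single quote, which matters when a template uses value='...' (the "difference
// in quotes" mentioned above).
function esc(string $v): string {
    return htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
function render_escaped(string $v): string {
    return '<input name="display_name" value="' . esc($v) . '">';
}

// Whitelist validation for login_name: letters and digits only, bounded length.
// Validation narrows the input; escaping on output is still required.
function valid_login_name(array $post): bool {
    $name = $post['login_name'] ?? '';
    return is_string($name) && ctype_alnum($name) && strlen($name) <= 32;
}

echo render_raw($payload), PHP_EOL;        // attribute closed early, onmouseover injected
echo render_strip_tags($payload), PHP_EOL; // identical to the raw version
echo render_escaped($payload), PHP_EOL;    // quotes become entities, attribute stays intact
var_dump(valid_login_name(['login_name' => $payload]));   // rejected
var_dump(valid_login_name(['login_name' => 'player42']));  // accepted
```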
