InoBB Posted May 1, 2013
Just got back into PHP after a few years away from it. Been working on this forum script to kind of re-hone my skills:
Verification: http://www.inobb.net/phpfreaks.txt
Demo: http://forum.inobb.net
Login: test@test.com
Password: testing01
Just want to see if I have any security issues, and anything else if you guys wanna just play around with it a bit.
doddsey_65 Posted May 5, 2013
I logged in and the message said your reply has been posted.
XSS problems here: http://forum.inobb.net/viewforum.php?forum=4
Should use strip_tags() here: http://forum.inobb.net/viewthread.php?topic=17&page=1
Got this when saving a signature:
Warning: include(includes/lang/lang.Choose a Language.php) [function.include]: failed to open stream: No such file or directory in /home/content/44/10959644/html/forums/header.php on line 8
Warning: include() [function.include]: Failed opening 'includes/lang/lang.Choose a Language.php' for inclusion (include_path='.:/usr/local/php5_3/lib/php') in /home/content/44/10959644/html/forums/header.php on line 8
InoBB (Author) Posted May 5, 2013
Alright, issues taken care of. No more XSS vulnerabilities as far as I can tell. The include error was just a bad cookie set. :/ Solved as well.
MDCode Posted May 6, 2013
XSS vulnerability in viewthread.php. I put in "><iframe> and it broke the rest of the page.
InoBB (Author) Posted May 6, 2013
Man, seems XSS attacks are more of a problem than SQL injection nowadays. I think I've got the issue fixed with the iframe breakage.
MDCode Posted May 8, 2013 (edited)
Another XSS vulnerability in your bbcode. A user can enter XSS via "javascript:" and it will be inserted into the href. There are also XSS vulnerabilities via bbcode in the signature as well. Example: url=javascript:alert(String.fromCharCode(88,83,83))]Click Me[/url]
Also, I sent a message to Lemon. You should see if there are any XSS vulnerabilities via that as well.
Edit: Basically anywhere that you are converting BBCode is vulnerable. http://forum.inobb.net/viewthread.php?topic=3&track is giving header errors.
Edited May 8, 2013 by SocialCloud
InoBB (Author) Posted May 9, 2013
K, made it so that BBCode links send an HTTP request. Seems to have stopped JavaScript from being able to run and throws a "website unavailable" page. Also used some regex to replace some items with "Not Allowed"; will keep looking into finding a more suitable way of dealing with this one.
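The BBCode link problem discussed in the two posts above (a "javascript:" URL landing in an href) is usually handled by allowing only http/https schemes and by escaping every attribute value with ENT_QUOTES, which also closes the single-quote attribute breakout reported later in this thread. The following is an added example, not InoBB's forum code; the function names are my own and the sample posts are constructed.

```php
<?php
// Added example (not the forum's own code): convert [url=...]...[/url] BBCode to a safe <a> tag.
// Only http:// and https:// links are accepted; "javascript:" and every other scheme is dropped,
// and every attribute value is escaped with ENT_QUOTES so a single or double quote in user
// input cannot close the attribute and start a new one.

function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function safe_link_url(string $url): ?string
{
    // Trim whitespace and control characters that browsers tolerate around a scheme.
    $url = trim($url, " \t\n\r\0\x0B");
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return null;
    }
    // filter_var rejects malformed URLs that parse_url alone would let through.
    return filter_var($url, FILTER_VALIDATE_URL) === false ? null : $url;
}

function render_bbcode_links(string $text): string
{
    // Escape the whole post first, then re-introduce only the markup we generate ourselves.
    $text = escape_html($text);
    return preg_replace_callback(
        '~\[url=(.+?)\]([^\[]*)\[/url\]~i',
        function (array $m): string {
            $url = safe_link_url(html_entity_decode($m[1], ENT_QUOTES, 'UTF-8'));
            if ($url === null) {
                return $m[2]; // keep the visible text, emit no link
            }
            return '<a href="' . escape_html($url) . '" rel="nofollow noopener">' . $m[2] . '</a>';
        },
        $text
    );
}

// Constructed sample posts: the first is the vector reported above, the second is a legitimate link
// followed by quote characters that must not escape the generated markup.
$samples = [
    "[url=javascript:alert(String.fromCharCode(88,83,83))]Click Me[/url]",
    "See [url=https://forums.phpfreaks.com/topic/277503-made-from-scratch-forum/]this thread[/url] ' and \" quotes",
];
foreach ($samples as $post) {
    echo render_bbcode_links($post), "\n";
}
```

The first sample renders as plain text "Click Me" with no anchor; the second renders a link whose href is escaped and whose trailing quotes appear as entities.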
MDCode Posted May 10, 2013
A few bugs:
- XSS vulnerability in the title when creating a new topic. As seen in the introductions section.
- The options only work on the test forum?
- Your track topic option doesn't alert the user that it was successful, or that you did anything upon click.
- The profile settings do not update upon the next page load. It will confuse some users into updating twice.
- I have no idea what you're doing with your search, but some posts I search for just come up as "..."
- You're allowing the user to track the same topic multiple times.
- Weird post numbering? Each page has almost the same number for each post.
- If the topic does not exist, ie ?topic=9 you are showing a notice.
- A user can supposedly reply to a topic that does not exist by changing ?topic= in the URL.
- A user can supposedly create a new topic in a forum that does not exist by changing ?topic= in the URL.
InoBB (Author) Posted May 10, 2013 (edited)
That's more like it, gives me a few things to work on. These are things (though I know of some of the bugs, such as changing the URL to post and reply) that I tend to overlook while coding this. Helps to have the extra set of eyes, thanks for this list SocialCloud. I'll work on it for a couple days and when it's nice and clean I'll drop another post.
And what options do you speak of only working in the test forum? And the search, yea I'm actually working on a more external script for that one. I don't like the way it functions.
Edited May 10, 2013 by InoBB
InoBB (Author) Posted May 10, 2013 (edited)
Okay, so everything was much easier than I figured it was going to be.
1) XSS null from topic title
2) Need to clarify with you what options don't work except in test forum.
3) Track topic now has a redirect with notification (Looking at going into jQuery with AJAX for this).
4) Profile settings still won't update, unless I refresh the page completely. I guess since in a form (Also looking into jQuery with AJAX to fix).
5) Search is getting a complete restructure. Will come back on that at a later date.
6) Users can no longer track same topic multiple times.
7) Post numbering is correct now (Looking into setting the OP separated from replies, for the numbers' sake, they need love...).
8) Had debug error reporting on, forgot to remove it the other night. No more notices.
9) Users can "supposedly" reply to non-existent topics, or put topics in non-existent forums BUT their posts go exactly where they are supposed to either way. Will look deeper into this issue.
You're awesome.
Edited May 10, 2013 by InoBB
MDCode Posted May 11, 2013 (edited)
2) Need to clarify with you what options don't work except in test forum.
4) Profile settings still won't update, unless I refresh the page completely. I guess since in a form (Also looking into jQuery with AJAX to fix).
Ok, for #2, I meant the latest reply box thing. It only works if there has been a reply in a thread, but not when a topic is created.
For 4, you can do something like:
<input type='email' name='email2' id='email2' size='30' value='<?php echo(isset($_POST["email2"]) ? htmlentities($_POST["email2"], ENT_QUOTES, 'UTF-8') : htmlentities($original, ENT_QUOTES, 'UTF-8')); ?>' class='text-input' />
Refer to the sentence below.
Also, during figuring out settings, there's another XSS vulnerability in it. A user can end the value='' by inserting a single quote. Example on the test account settings.
Edit: All the img src are vulnerable to XSS in the src='' by the same method. Put your mouse over the image. Also looks like your new pagination doesn't work.
Edited May 11, 2013 by SocialCloud
MDCode Posted May 11, 2013
Also, could you send the test account a private message? For testing purposes.
InoBB (Author) Posted May 12, 2013
Lol, you were probably messing with it while I was in the middle of making changes. The pagination works beautifully now. I went ahead with the jQuery AJAX form method, has better indication of something happening once a form is submitted. Removed the ability to use onmouseover, onmouseout, and other similar tags.
MDCode Posted May 12, 2013 (edited)
Looks like I was.
- The XSS still exists in the avatar URL.
- I broke the login when testing the email field so I'll leave that up to you.
- When editing settings with JavaScript disabled, it leaves the user on a blank page.
- It seems your BBCode is no longer automatically entering itself into the textarea upon click. As in: If a user clicks link, it doesn't insert.
- A user can break the page by adding more than 1 page in the URL. Example: http://forum.inobb.net/profile.php?user=6&settings&view Not that much of a bug but still
- Very big bug (severity wise): A user can edit any post by changing ?edit= in the URL. Refer to introduction thread.
Edited May 12, 2013 by SocialCloud
InoBB (Author) Posted May 12, 2013 (edited)
Not sure what you did to "break" the login. Maybe you can clarify what strings were input to bypass the "email" field type. I've tried posting everything I could possibly come up with across several different browsers and if I don't at least put a "c@c" style input, all I keep getting is the "Invalid E-mail." error. Only issue I've found is if I construct different forms off-site and change the input field types, then there were issues. Working on a better server-side validation for this.
No more blank page with JavaScript disabled. And fixed the BBCode, tried to move the script into an external file, did not work apparently. And fixing the above issue fixed the updating of information issue in one swoop as well. Love accidental progress.
Adding more than 1 page in the URL does not concern me as it will only break the page for the user making the action. Maybe at a later date when I've tackled the more concerning problems.
And yes, that was a nasty bug, fixed as well. Can no longer edit different posts by changing the URL.
When clicking on the (last post) options, the page of the post in the URL is always 11. If a topic only has one post (just created), the pagination displays Page 0 of 0. Your registration is broken. The site needs better CSS for FireFox. As far as I looked, the reply/edit/etc. page and profile settings page are messed up. You need to implement nl2br() for line breaks.
From over there, all issues solved as well. Not sure about how registration is broken, I registered several test accounts without issues. Maybe you could supply a screenshot of what you're talking about in the FF CSS. What version of FF are you using? I've personally tested in Moz4.0.1 and Moz5.0
Edited May 12, 2013 by InoBB
MDCode Posted May 12, 2013
The login was broken when I tested XSS on the email field. It changed it to 'onmouseover or something. When I logged out I couldn't figure out what I had entered so it would keep saying invalid credentials. Your registration layout was broken earlier. It seems you've fixed it now.
Coreye Posted May 15, 2013 (edited)
Full Path Disclosure (https://www.owasp.org/index.php/Full_Path_Disclosure): http://forum.inobb.net/viewforum.php?forum[]
Warning: mysqli_real_escape_string() expects parameter 2 to be string, array given in /home/content/44/10959644/html/forums/viewforum.php on line 32
Error when editing a thread:
Warning: mysqli_stmt::bind_result() [mysqli-stmt.bind-result]: Number of bind variables doesn't match number of fields in prepared statement in /home/content/44/10959644/html/forums/postreply.php on line 158
- BBCode breaks when you copy and paste.
- BBCode does not work.
- You can post blank posts by using HTML tags.
- Settings page overlapping.
- You can post blank topics by using the space bar.
Edited May 15, 2013 by Coreye
InoBB (Author) Posted May 15, 2013 (edited)
Yea all stuff that I caused today with a major overhaul of the posting system. Most of it should be cleared away aside from anything inside the profile area. Changing the posting from reg text area to text editor caused a massive overhaul of code.
Edited May 15, 2013 by InoBB
Irate Posted May 29, 2013
Psst, try checking if you covered yourself against these vulnerabilities
darkfreaks Posted June 30, 2013
You also have MySQL injection in viewthread.php. Suggest using PHP PDO to squash this.
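Two of the findings in this thread, the SQL injection just mentioned and the earlier "edit any post by changing ?edit=" bug, share one fix pattern: validate the id, bind it in a prepared statement, and check ownership before showing or saving the edit form. The code below is an added example, not the forum's code; the table layout, function names and the in-memory SQLite database standing in for MySQL are constructed for the demonstration.

```php
<?php
// Added example (not the forum's own code): load and update a post with PDO prepared statements
// and an ownership check, so the ?edit= value never reaches the SQL as raw text and a user can
// only edit their own posts. Schema and function names are assumptions for this demo.

function load_post_for_edit(PDO $db, $editParam, int $currentUserId, bool $isModerator = false): ?array
{
    // Reject anything that is not a positive integer before it goes near the database.
    $postId = filter_var($editParam, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($postId === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, author_id, body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $postId]);
    $post = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($post === false) {
        return null; // no such post: do not render an editor for it
    }
    if ((int)$post['author_id'] !== $currentUserId && !$isModerator) {
        return null; // the authorisation check the ?edit= bug was missing
    }
    return $post;
}

function update_post(PDO $db, int $postId, int $currentUserId, string $body): bool
{
    // The WHERE clause repeats the ownership condition, so a forged request cannot change
    // someone else's post even if the form-rendering check above is bypassed.
    $stmt = $db->prepare('UPDATE posts SET body = :body WHERE id = :id AND author_id = :uid');
    $stmt->execute([':body' => $body, ':id' => $postId, ':uid' => $currentUserId]);
    return $stmt->rowCount() === 1;
}

// Constructed in-memory SQLite database standing in for the forum's MySQL tables.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author_id INTEGER NOT NULL, body TEXT NOT NULL)');
$db->exec("INSERT INTO posts VALUES (1, 6, 'first post'), (2, 7, 'someone else''s post')");

var_dump(load_post_for_edit($db, '1', 6) !== null); // true: own post is editable
var_dump(load_post_for_edit($db, '2', 6));          // NULL: another user's post
var_dump(load_post_for_edit($db, '1 OR 1=1', 6));   // NULL: non-integer ?edit= rejected
var_dump(update_post($db, 2, 6, 'tampered'));       // false: no row matched, post untouched
```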