rcorlew, posted July 2, 2007

I have created an online community. Registration is required, and it sends an email containing a link to activate the account. I have set up a test account for testers to use. Please do not cuss in your posts, since I have AdWords set up and will get banned if they find them for the groups I use. I do welcome all other types of testing. I do have a swear filter that works, but I have really limited the words it blocks for now until I see otherwise.

Here is the link: http://www.mycrdisorder.org/
user: testuser
login: login1

I hope that if anything is found you will let me know, and test everything out, even upload a pic or two, but no porn please.

Thanks in advance,
Richard
kathas, posted July 2, 2007

Your 'my page' feature is vulnerable to CSS!!! The , bbCode.

Further testing.... Your forum is also vulnerable to CSS... Be more careful with your bbCode...
rcorlew, posted July 3, 2007

I do believe that I have tied that all down now... I hate trying to figure out what to allow while allowing for maximum user flexibility. I think I will create a custom function to stop only CSS and allow anything else. Here goes:

    <?php
    // Joke mind-reading filter, with the syntax errors fixed so it at least parses.
    function read_users_mind($post) {
        $clean = array();
        foreach ($post as $key => $val) {
            $val = interpret_intentions($val); // imaginary: works out what the user meant
            if ($val == 'bad') {
                header("Location: http://www.getbanedfromsite.com");
                exit;
            }
            $clean[$key] = $val;
        }
        return $clean;
    }
    $_POST = read_users_mind($_POST);
    ?>

Haha, if only that would work right. Til then, we just have to string replace everything.
agentsteal, posted July 10, 2007

Admin Access: You can use the Directory Traversal to delete arbitrary files on the server.

Cross Site Scripting: http://www.mycrdisorder.org/viewuser.php?user='onmouseover=alert('vulnerable')
Cross Site Scripting: There is Cross Site Scripting if the Expect header contains code.
Cross Site Scripting: There is Cross Site Scripting if you submit a search that contains code.
Cross Site Scripting: There is Cross Site Scripting if you upload an image that contains code in the filename.
Cross Site Scripting: There is Cross Site Scripting on http://www.mycrdisorder.org/contact.php if you send a message that contains code.
Cross Site Scripting: There is Cross Site Scripting when you register if the fields contain code.

Directory Traversal: http://www.mycrdisorder.org/user.php?dpic=main&pic=../../images/mycrdheader.jpg
Directory Traversal: http://www.mycrdisorder.org/user.php?function=viewuser&dpic=delete&pic=../../index.php

Multiple users can upload the same filename.
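As an added illustration (this is not code from mycrdisorder.org or from anyone in the thread), here is how the three classes of finding above can be closed on the server side: the `pic` parameter is confined to the logged-in user's own upload directory by basename plus a realpath check, uploads get a random server-chosen name so filenames cannot collide or overwrite, and reflected values such as `?user=` are escaped with quotes included. The upload root, directory layout and function names are assumptions.

```php
<?php
// Added example, not code from mycrdisorder.org: defensive versions of the
// user.php?dpic=...&pic=... handling and the reflected ?user= output from
// agentsteal's post. UPLOAD_BASE, the directory layout and names are assumed.
const UPLOAD_BASE = '/var/www/uploads';          // assumed upload root
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

// Resolve a user-supplied picture name to a file inside the caller's own
// directory, or return null. basename() drops any "../" or absolute prefix;
// the realpath comparison also catches symlinks that point outside.
function safe_picture_path(string $userDir, string $pic): ?string
{
    $name = basename($pic);
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.(' . implode('|', ALLOWED_EXT) . ')$/i', $name)) {
        return null;                             // unexpected characters or extension
    }
    $base = realpath(UPLOAD_BASE . '/' . $userDir);
    $real = ($base === false) ? false : realpath($base . '/' . $name);
    if ($real === false) {
        return null;                             // directory or file does not exist
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                             // resolved outside the user directory
    }
    return $real;
}

// Store uploads under a random server-chosen name: the client's filename never
// reaches the disk, so two users cannot collide and nothing is overwritten.
function stored_upload_name(string $clientName): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;                             // reject rather than guess
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Escape reflected output; ENT_QUOTES matters because ?user=' breaks out of an attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Delete action: the directory comes from the (assumed) session, never from the URL.
$userDir = 'user_' . (int) ($_SESSION['uid'] ?? 0);
if (($_GET['dpic'] ?? '') === 'delete') {
    $path = safe_picture_path($userDir, (string) ($_GET['pic'] ?? ''));
    $path === null ? http_response_code(400) : unlink($path);
}
echo '<p>User: ' . h((string) ($_GET['user'] ?? '')) . '</p>';
```

With this in place, `pic=../../index.php` resolves to null and is refused before any filesystem call, and the same `h()` wrapper belongs on every other reflected field the post lists (search, contact, registration, filenames).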
rcorlew, posted July 10, 2007

I do believe that I caught all those. I wrote a nice function but forgot to add it to my variables.
rcorlew, posted July 11, 2007

Try it again. I forgot about that page.
rcorlew, posted July 12, 2007

Ok, I will get that fixed shortly. I am on vacation, so it might take a little while longer, lol.
rcorlew, posted July 17, 2007

I fixed the filename problems and made it so it will not overwrite an existing file. Crazy thing though, the code I wrote works on my production server but not my test server. If anyone would like to try it out, go ahead; I think that it is getting really close to finally being secured.