evillair Posted July 9, 2007
First off, I just started coding a few weeks ago (I'm an artist by trade). I have learned a lot but have a long way to go. I tried to do as much as I could reading tutorials, articles, code snippets and Google. It all started with a forum tutorial and went on from there. Now it's time to test it on some real people before I go on. As I am a newbie I'm sure I have made lots of mistakes. If you find problems it would be really helpful if you could help me a bit by hinting at a solution, if possible. There are a few small errors I know of, ghost messages on the portal page etc. Those are easily fixed. The CSS chooser is also a test; it just switches backgrounds for now. Here's the URL: http://www.evillair.net/sourcebb/ Thanks in advance. Be gentle.
Link to comment https://forums.phpfreaks.com/topic/59032-my-forum/
BillyBoB Posted July 9, 2007
After reading a post, the "New" text doesn't go away.
More: I quoted you at http://www.evillair.net/sourcebb/messages.php?forum=1&id=4 and it brought me to http://www.evillair.net/sourcebb/messages.php#0. I began to type my message and entered it; it took me to http://www.evillair.net/sourcebb/messages.php?forum=&id= after I was done. Somehow I replied with a blank topic.
There is also no way to end the quote code....
If a member does not have rights to edit a message I get the error:
Fatal error: Call to undefined function: errorrights() in /home/.pudge/evillair/evillair.net/sourcebb/edit_message.php on line 83
That's at http://www.evillair.net/sourcebb/edit_message.php?id=6
Last for now but not least, I can create a member named Guest, lol.
agentsteal Posted July 9, 2007
Admin Access: Anyone can access the admin panel after viewing the admin profile.
Array: http://www.evillair.net/sourcebb/edit_message.php?id[]
Cross Site Scripting: http://www.evillair.net/sourcebb/edit_message.php?id="><marquee><h1>vulnerable</marquee>
Cross Site Scripting: There is Cross Site Scripting if you edit a post that contains code.
Cross Site Scripting: There is Cross Site Scripting in the admin panel if the fields contain code.
Cross Site Scripting: There is Cross Site Scripting when you register if the fields contain code.
Cross Site Scripting: There is Cross Site Scripting on the 404 page. http://www.evillair.net/sourcebb/<marquee><h1>vulnerable</marquee>
Full Path Disclosure: http://www.evillair.net/sourcebb/edit_message.php
Fatal error: Call to undefined function: errorrights() in /home/.pudge/evillair/evillair.net/sourcebb/edit_message.php on line 83
BillyBoB Posted July 9, 2007
agentsteal, I'm reporting you for quad posting. You 8x posted in the last thread I saw you in. Sorry.
BillyBoB Posted July 9, 2007
I can also edit anyone's profile from the userlist, then click the username. I deleted your real name just to show you.
BillyBoB Posted July 9, 2007
Posted by: agentsteal
If you go to the Userlist, click on admin, and then go back, there's a link to the Admin CP and to edit profiles. Actually it's worse than that: the Admin CP is blocked but you can actually edit the admin profile. And if you change the password you can get full access to the Admin CP.
Actually it's worse than that: as long as you are logged in and edit the admin's profile, then click Admin CP, it will let you in.
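The reports above (the undefined errorrights() call, the id[] array parameter, the XSS through the id parameter, the full path in the fatal error, and editing another member's profile) all come down to one page pattern: validate the id, check that the logged-in user owns the record or is an admin, and escape on output. The following is an added example of that pattern for a page like edit_message.php or edit_profile.php; it is not sourcebb's code. The session keys user_id and is_admin, the $pdo connection from an assumed db.php, and the messages table with columns id, user_id and body are all assumptions.

```php
<?php
// Added example, not sourcebb's code. Assumed: db.php defines $pdo (a PDO
// connection), the session holds 'user_id' and 'is_admin', and a `messages`
// table has columns id, user_id, body.
session_start();
require 'db.php'; // assumed to define $pdo

// A fatal error with display_errors on prints the server path (the "Full Path
// Disclosure" report). Log errors instead of showing them.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Step 1: the id must be a single positive integer. filter_input with a scalar
// filter returns false for an array (edit_message.php?id[]) and for anything
// that is not a number (edit_message.php?id="><marquee>...).
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid message id.');
}

// Step 2: require a logged-in user before doing anything with the record.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('You must be logged in.');
}

// The rights check that errorrights() stood for in the original: the record's
// owner or an admin may edit; everybody else is refused. Checking the record's
// owner (not just "is logged in") is what stops editing the admin's profile.
function userMayEdit(array $record): bool
{
    $isOwner = (int) $record['user_id'] === (int) $_SESSION['user_id'];
    $isAdmin = !empty($_SESSION['is_admin']);
    return $isOwner || $isAdmin;
}

// Step 3: load the record with a bound parameter and apply the rights check.
$stmt = $pdo->prepare('SELECT id, user_id, body FROM messages WHERE id = ?');
$stmt->execute([$id]);
$message = $stmt->fetch(PDO::FETCH_ASSOC);
if ($message === false) {
    http_response_code(404);
    exit('No such message.');
}
if (!userMayEdit($message)) {
    http_response_code(403);
    exit('You do not have rights to edit this message.');
}

// Step 4: escape at output. The stored body is rendered inside a textarea, so
// HTML-encode it here; any tags in it stay visible as text and never execute.
?>
<form method="post" action="edit_message.php?id=<?= (int) $id ?>">
    <textarea name="body"><?= htmlspecialchars($message['body'], ENT_QUOTES, 'UTF-8') ?></textarea>
    <button type="submit">Save</button>
</form>
```

The same four steps apply to edit_profile.php with a users table in place of messages: the ownership check is what keeps a logged-in member from editing the admin's record, and the admin panel should check $_SESSION['is_admin'] on every request rather than a flag that editing a profile can set.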
BillyBoB Posted July 9, 2007
Posted by: BillyBoB
agentsteal, I'm reporting you for quad posting. You 8x posted in the last thread I saw you in. Sorry.
Posted by: agentsteal
wtf? Okay, first of all, every one of my posts has been a real bug. This is just how I work. When I find a bug I report it. And I'm pretty sure I've found every serious vulnerability in the beta test section of phpfreaks.com. I guess if you want you can report me and I'll see what the mods think of my posting. :-\
The mods will not think very well of your behavior. It's double posting; it doesn't matter if it's all legit info, you can just edit the first post...... It's not like you need these to go in order. When you post like that you are just trying to get the maximum post count.
BillyBoB Posted July 9, 2007
All of your posts are within a minute of each other, so you can't say you couldn't edit them; you didn't try. And since when is this post going to close???
evillair Posted July 9, 2007 Author
Thanks for the input!
@evillair definitely fix the admin access and the Cross Site Scripting. I tested for Cross Site Scripting with <marquee> and pretty much every page on the site has a marquee running on it now... but what if I had used a script that redirected to another site? Every page would redirect and the whole site would be unusable.
I'm trying to, but I can't get it to work. :-\
MemphiS Posted July 9, 2007
Your login and register are vulnerable to SQL injection... Haven't read whether this has already been posted, but in case not...
evillair Posted July 9, 2007 Author
When you register it should filter tags.
I put code in the boxes and when I logged in the code runs on multiple pages.
Hmm, I am using this when you register:
// Get the data that was sent from the form
$username = filterBadWords(str_replace($invalidchars, "", $_POST['username']));
$password = md5($_POST['password']);
$email = str_replace($invalidchars, "", $_POST['email']);
$realname = filterBadWords(str_replace($invalidchars, "", $_POST['realname']));
$location = filterBadWords(str_replace($invalidchars, "", $_POST['location']));
Wow, I'm not very good at this.
BillyBoB Posted July 9, 2007
I had this very problem, so I'm going to help you:
Function (add this to the beginning of your page in a <?php ?> tag):
<?php
function deletexss($text)
{
    $text = stripslashes($text);            // undo magic_quotes escaping
    $text = strip_tags($text);              // remove HTML/PHP tags
    $text = mysql_real_escape_string($text); // escape for MySQL (needs an open mysql_connect() connection)
    $text = htmlspecialchars($text);        // encode <, >, & and " for HTML output
    return $text;
}
?>
To use it:
<?php
// Get the data that was sent from the form
$username = deletexss(filterBadWords(str_replace($invalidchars, "", $_POST['username'])));
$password = md5($_POST['password']);
$email = deletexss(str_replace($invalidchars, "", $_POST['email']));
$realname = deletexss(filterBadWords(str_replace($invalidchars, "", $_POST['realname'])));
$location = deletexss(filterBadWords(str_replace($invalidchars, "", $_POST['location'])));
?>
I don't know how your functions work, so I just included them with it.
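The three posts above (MemphiS's SQL injection report on login and register, evillair's registration snippet, and BillyBoB's deletexss()) are about the same two contexts, SQL and HTML, and deletexss() handles both in one pass at input time. The following is an added example, not evillair's or BillyBoB's code, of the alternative that keeps each context separate: bound parameters for the SQL, htmlspecialchars() at the point of output, and password_hash() instead of md5(). The $pdo connection, the users table with columns id, username, password_hash, email, realname and location, and the validation rules are assumptions; the thread's own filterBadWords() and $invalidchars are not used. password_hash() and password_verify() need PHP 5.5 or later.

```php
<?php
// Added example (not sourcebb's code). Assumed: $pdo is a PDO connection to MySQL
// and a `users` table has columns id, username, password_hash, email, realname, location.

// Registration: validate the shape of each field, then store the raw text with a
// prepared statement. Nothing is stripped or escaped here, so what the user typed
// is what gets stored, and the SQL cannot be altered by the field contents.
function registerUser(PDO $pdo, array $post): array
{
    $username = trim((string) ($post['username'] ?? ''));
    $password = (string) ($post['password'] ?? '');
    $email    = trim((string) ($post['email'] ?? ''));
    $realname = trim((string) ($post['realname'] ?? ''));
    $location = trim((string) ($post['location'] ?? ''));

    $errors = [];
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $username)) {
        $errors[] = 'Username must be 3-20 letters, digits or underscores.';
    }
    if (strcasecmp($username, 'guest') === 0) {
        // The thread notes a member named Guest could be created; reserve it.
        $errors[] = 'That username is reserved.';
    }
    if (strlen($password) < 8) {
        $errors[] = 'Password must be at least 8 characters.';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Invalid e-mail address.';
    }
    if (mb_strlen($realname) > 60 || mb_strlen($location) > 60) {
        $errors[] = 'Real name and location are limited to 60 characters.';
    }
    if ($errors) {
        return $errors;
    }

    // SQL context: placeholders are bound by the driver, so a quote or a comment
    // sequence in realname is just data. md5() is replaced by a salted, slow hash.
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, password_hash, email, realname, location)
         VALUES (:username, :password_hash, :email, :realname, :location)'
    );
    $stmt->execute([
        ':username'      => $username,
        ':password_hash' => password_hash($password, PASSWORD_DEFAULT),
        ':email'         => $email,
        ':realname'      => $realname,
        ':location'      => $location,
    ]);
    return [];
}

// Login: look the row up by a bound parameter and verify the hash in PHP. A
// username such as  admin' OR '1'='1  matches no row instead of changing the query.
function loginUser(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// HTML context: escape every stored value where it is rendered (profile page,
// userlist, post headers, admin panel). This is what stops a <marquee> or a
// <script> in a profile field from running on every page that shows the name.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}
?>
<p>Real name: <?= h($user['realname'] ?? '') ?></p>
<p>Location: <?= h($user['location'] ?? '') ?></p>
```

With this split, deletexss() is no longer needed on input: strip_tags() and mysql_real_escape_string() both modify the stored text (and the latter needs a live mysql connection), whereas bound parameters protect the query without changing the data, and h() is applied once, at output, on every page that shows a user-supplied field.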
evillair Posted July 9, 2007 Author
Great, thanks! I added it to my functions, which I include in pages, and added it to the $_POST checks. Seems to work; I tried to register <marquee> and it didn't work.
BillyBoB Posted July 9, 2007
@evillair, do you have AIM? If so, mine is BillyBoB66969. I just fixed all my XSS errors on my site, because the errors on your site are dangerous. And yes, you did fix the registration XSS.
evillair Posted July 9, 2007 Author
BillyBoB: I just got AIM; I added it to my profile on the left.