phpl33t Posted July 18, 2007 Share Posted July 18, 2007 I am looking for any feedback that you guys can give that will help our software evolve. Design issues, I don't really care about, I am not a designer. But if you have suggestions I would greatly appreciate hearing them! http://espsoftwaresolutions.com/core Thank you guys! Link to comment https://forums.phpfreaks.com/topic/60653-social-networking-software/ Share on other sites More sharing options...
phpl33t Posted July 19, 2007 Author Share Posted July 19, 2007 Thanks for those trying to hack, great information! *NOObISHLY I forgot to plugin my data validation function. not bright, huh?* Link to comment https://forums.phpfreaks.com/topic/60653-social-networking-software/#findComment-301984 Share on other sites More sharing options...
source Posted July 19, 2007 Share Posted July 19, 2007 http://espsoftwaresolutions.com/core/blogger.php?uname='%20or%20'1'='1 errorz http://espsoftwaresolutions.com/core/blogger.php?action=delete&blog_id=%22%3E%3Cscript%3Ealert(%22source%20r%201337%22);%3C/script%3E http://espsoftwaresolutions.com/core/blogger.php?blogid="><marquee>ownd http://espsoftwaresolutions.com/core/blogger.php?action=comment&blog_id=4&commentto=%22%3E%3Cmarquee%3Eownd http://espsoftwaresolutions.com/core/messenger.php?action=reply&message_id=28 Not a exploit but at the buttom there is the delete and reply options, but are php variables but the value of themis not shown. Link to comment https://forums.phpfreaks.com/topic/60653-social-networking-software/#findComment-302046 Share on other sites More sharing options...
source Posted July 19, 2007 Share Posted July 19, 2007 http://espsoftwaresolutions.com/core/1-forum.html I can modify (edit) anyones post. Link to comment https://forums.phpfreaks.com/topic/60653-social-networking-software/#findComment-302053 Share on other sites More sharing options...
source Posted July 19, 2007 Share Posted July 19, 2007 http://espsoftwaresolutions.com/admin/admin.php?page=1 and this I was prompted with a login (which had the username and pass there IDK if it was supposed to) it's vulnerable to all sorts of nasty stuff. http://espsoftwaresolutions.com/admin/moreinfo.php?id=-1 Full path disclosure. http://espsoftwaresolutions.com/tsupport/ Link to comment https://forums.phpfreaks.com/topic/60653-social-networking-software/#findComment-302058 Share on other sites More sharing options...
phpl33t Posted July 19, 2007 Author Share Posted July 19, 2007 Thanks guys! Link to comment https://forums.phpfreaks.com/topic/60653-social-networking-software/#findComment-302524 Share on other sites More sharing options...
phpl33t Posted July 19, 2007 Author Share Posted July 19, 2007 The new tsupport area I have not gotten online yet, my bad. Link to comment https://forums.phpfreaks.com/topic/60653-social-networking-software/#findComment-302530 Share on other sites More sharing options...
phpl33t Posted July 19, 2007 Author Share Posted July 19, 2007 So your attacks simply brought up errors right? I killed error reporting, I only had it on for debugging. BTW, the IDs like blog_id are converted with (int) before injection. Link to comment https://forums.phpfreaks.com/topic/60653-social-networking-software/#findComment-302539 Share on other sites More sharing options...
phpl33t Posted July 19, 2007 Author Share Posted July 19, 2007 Thanks again, I took care of the issues and hope that this will bring in some revenue. I worked hard on it, hope it pays off. Thanks again! Link to comment https://forums.phpfreaks.com/topic/60653-social-networking-software/#findComment-302591 Share on other sites More sharing options...
phpl33t Posted July 19, 2007 Author Share Posted July 19, 2007 I forgot, teh admin link that had the user/passw with it was for another demo. I have 3 suites on that domain. I don't mind if people try the admin demo on that, I disabled banning and such. Link to comment https://forums.phpfreaks.com/topic/60653-social-networking-software/#findComment-302872 Share on other sites More sharing options...
MemphiS Posted July 22, 2007 Share Posted July 22, 2007 You need to run over your entire site and fix the security holes: XSS, SQL Injection Link to comment https://forums.phpfreaks.com/topic/60653-social-networking-software/#findComment-304598 Share on other sites More sharing options...
phpl33t Posted July 23, 2007 Author Share Posted July 23, 2007 How you figure? I use funcitons like this to validate ALL data: function vdata($value) { $value = htmlspecialchars(mysql_real_escape_string(trim(strip_tags($value)))); return $value; } I verify that all numerics remain numerics, ect. I you found that the software is vulnerable to sql injections, then show me where, because I am not seeing it. Link to comment https://forums.phpfreaks.com/topic/60653-social-networking-software/#findComment-305670 Share on other sites More sharing options...
phpl33t Posted July 23, 2007 Author Share Posted July 23, 2007 Oh, and logging into an admin demo, is not hacking peeps. Typing "hackable" into a form is not hacking. Of course you have admin rights in a live admin demo, which I did not ask you to test to begin with. duh. Last time I come here to ask for help, you do silly things and call it hacking, when it is actually doing what it is meant to do. Link to comment https://forums.phpfreaks.com/topic/60653-social-networking-software/#findComment-305702 Share on other sites More sharing options...
source Posted July 23, 2007 Share Posted July 23, 2007 php man I didn't call it hacking. I told you what I found. Link to comment https://forums.phpfreaks.com/topic/60653-social-networking-software/#findComment-305707 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.