phpl33t Posted July 18, 2007 I am looking for any feedback that you guys can give that will help our software evolve. Design issues, I don't really care about, I am not a designer. But if you have suggestions I would greatly appreciate hearing them! http://espsoftwaresolutions.com/core Thank you guys! (Thread: https://forums.phpfreaks.com/topic/60653-social-networking-software/)
phpl33t (Author) Posted July 19, 2007 Thanks for those trying to hack, great information! *NOObISHLY I forgot to plugin my data validation function. not bright, huh?*
source Posted July 19, 2007 http://espsoftwaresolutions.com/core/blogger.php?uname='%20or%20'1'='1 errorz http://espsoftwaresolutions.com/core/blogger.php?action=delete&blog_id=%22%3E%3Cscript%3Ealert(%22source%20r%201337%22);%3C/script%3E http://espsoftwaresolutions.com/core/blogger.php?blogid="><marquee>ownd http://espsoftwaresolutions.com/core/blogger.php?action=comment&blog_id=4&commentto=%22%3E%3Cmarquee%3Eownd http://espsoftwaresolutions.com/core/messenger.php?action=reply&message_id=28 Not an exploit, but at the bottom there are the delete and reply options, which are PHP variables, but the value of them is not shown.
source Posted July 19, 2007 http://espsoftwaresolutions.com/core/1-forum.html I can modify (edit) anyone's post.
source Posted July 19, 2007 http://espsoftwaresolutions.com/admin/admin.php?page=1 and with this I was prompted with a login (which had the username and pass there, IDK if it was supposed to); it's vulnerable to all sorts of nasty stuff. http://espsoftwaresolutions.com/admin/moreinfo.php?id=-1 Full path disclosure. http://espsoftwaresolutions.com/tsupport/
phpl33t (Author) Posted July 19, 2007 Thanks guys!
phpl33t (Author) Posted July 19, 2007 The new tsupport area I have not gotten online yet, my bad.
phpl33t (Author) Posted July 19, 2007 So your attacks simply brought up errors right? I killed error reporting, I only had it on for debugging. BTW, the IDs like blog_id are converted with (int) before injection.
phpl33t (Author) Posted July 19, 2007 Thanks again, I took care of the issues and hope that this will bring in some revenue. I worked hard on it, hope it pays off. Thanks again!
phpl33t (Author) Posted July 19, 2007 I forgot, the admin link that had the user/passw with it was for another demo. I have 3 suites on that domain. I don't mind if people try the admin demo on that, I disabled banning and such.
MemphiS Posted July 22, 2007 You need to run over your entire site and fix the security holes: XSS, SQL Injection
phpl33t (Author) Posted July 23, 2007 How you figure? I use functions like this to validate ALL data: function vdata($value) { $value = htmlspecialchars(mysql_real_escape_string(trim(strip_tags($value)))); return $value; } I verify that all numerics remain numerics, etc. If you found that the software is vulnerable to sql injections, then show me where, because I am not seeing it.
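As an added example (not the thread author's code), the same kinds of input discussed in the thread, an integer blog_id from the URL and a free-text field, handled with context-specific protection instead of the combined vdata() chain; it assumes a mysqli connection and a hypothetical blogs table with blog_id and title columns.

```php
<?php
// Added example, not part of the original thread or the author's software.
// Assumes: $db is an open mysqli connection, and a table
// blogs(blog_id INT, title TEXT) exists (hypothetical schema).

// 1) Identifier from the URL: cast to int, as the author already does.
//    "><script>... becomes 0, so no string from the URL reaches SQL or HTML.
function blog_id_from_request(array $get): int {
    return (int) ($get['blog_id'] ?? 0);
}

// 2) Free text: store it verbatim and bind it as a parameter. The value is
//    never part of the SQL string, so quotes in it cannot end the query.
function save_title(mysqli $db, int $blog_id, string $title): bool {
    $stmt = $db->prepare('UPDATE blogs SET title = ? WHERE blog_id = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('si', $title, $blog_id);
    return $stmt->execute();
}

// 3) HTML escaping is applied once, at output time, with ENT_QUOTES so a
//    value written into an attribute (e.g. value="...") cannot close it.
function render_title(string $title): string {
    return htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
}

// Why the single vdata() chain is a problem: for the constructed input
// He said "hi", mysql_real_escape_string gives He said \"hi\", then
// htmlspecialchars gives He said \&quot;hi\&quot;. MySQL consumes the
// backslashes on INSERT, so the stored row already contains &quot;, and
// escaping it again when rendering displays the literal text &amp;quot;.
// Binding the raw string (step 2) and escaping only on output (step 3)
// stores exactly what the user typed and encodes it exactly once.

// Usage: $id = blog_id_from_request($_GET);
//        save_title($db, $id, $_POST['title'] ?? '');
//        echo '<h1>' . render_title($row['title']) . '</h1>';
```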
phpl33t (Author) Posted July 23, 2007 Oh, and logging into an admin demo is not hacking, peeps. Typing "hackable" into a form is not hacking. Of course you have admin rights in a live admin demo, which I did not ask you to test to begin with. duh. Last time I come here to ask for help, you do silly things and call it hacking, when it is actually doing what it is meant to do.
source Posted July 23, 2007 php man, I didn't call it hacking. I told you what I found.