
This site lets you register, add programs, and search through the added programs. For each program, you can upload an image and file (download).

 

Please test for errors, especially validation errors.

 

Feel free to add worthless content because I can easily reset the site, and no one is using it yet.

 

http://fbc.ourproject.org/

 

https://forums.phpfreaks.com/topic/62432-freebasic-programs-directory/

Cross Site Scripting:

There is Cross Site Scripting in the iframe on the index page.

 

Cross Site Scripting:

There is Cross Site Scripting in the screenshots.

 

Cross Site Scripting:

There is Cross Site Scripting on http://fbc.ourproject.org/edituser.php if the fields contain ">code.

 

Insecure Cookie:

You shouldn't put the password in the cookie.

 

Insecure Cookie:

You shouldn't put the username in the cookie.

 

User Enumeration:

http://fbc.ourproject.org/~root

 

You can upload multiple screenshots by changing the extension.
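The three Cross Site Scripting findings above (the register frame on the index page, the screenshots, and the `">` case in edituser.php) all come down to user-supplied text being written into HTML without encoding. The following is an added example, not the site's or the author's code: a small output-encoding helper and the vulnerable form of an input field beside its fixed form. The field name `username` and the helper name `e()` are assumptions for illustration.

```php
<?php
// Added example (not the site's own code): encode every user-controlled
// value with htmlspecialchars() at the point where it is written into HTML.

// Escape for an HTML text node or a double-quoted attribute value.
// ENT_QUOTES also encodes single quotes, ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable rendering: the value is concatenated raw, so a value that
// starts with a double quote and ">" closes the attribute and the tag,
// and whatever follows is parsed as new markup.
function renderFieldUnsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Fixed rendering: the same template, with both values passed through e().
function renderFieldSafe(string $name, string $value): string
{
    return '<input type="text" name="' . e($name) . '" value="' . e($value) . '">';
}

// Same rule for a value shown as page text (the register frame shows the
// chosen name, so it needs the same treatment).
function renderGreeting(string $username): string
{
    return '<p>Welcome, ' . e($username) . '</p>';
}

// Constructed sample input of the shape described in the report: a closing
// quote and angle bracket followed by markup.
$submitted = '"><b>injected</b>';

echo renderFieldUnsafe('username', $submitted), PHP_EOL;
echo renderFieldSafe('username', $submitted), PHP_EOL;
echo renderGreeting($submitted), PHP_EOL;
```

In the safe output the double quote becomes `&quot;` and the angle brackets become `&lt;` and `&gt;`, so the browser shows the submitted text literally inside the box instead of parsing it. The helper has to be applied at output time in every template that echoes a stored field, including editprogram.php mentioned later in the thread; filtering on input alone misses values that were stored before the filter existed.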

-> On the bottom of the main page there's a frame that asks you to register. If you register with code in your name, the code runs on the page.

 

Thanks for finding that. I think I'll link to a different forum (a thread from freebasic.net), and upgrade that forum later. That forum is a separate project; I think it was my first in PHP, too. :)

 

 

No, I left those open on purpose. It is an alternative method of browsing through the programs. :P Or is there a problem with leaving these folders open?

Thanks for finding the edituser.php bug. editprogram.php probably has the same problem, but it should be easy to fix. :)

 

-> You should never put the username and password in the cookie.

 

Why not? What is a better way to do this? I don't want to use MySQL sessions because they are confusing and can't keep users logged-in forever.

 

-> In Internet Explorer the screenshots can have XSS.

 

How can I fix this? I check both the file extension and file type before allowing the file. Should I post my code?

 

-> If you upload a screenshot and then upload a screenshot with a different extension, it keeps the old screenshot.

 

I know, but I think it is good that way, i.e. suppose someone uploads a JPG, then replaces it with a PNG. If another person on another site had linked to the JPG image, then the link would be broken if I delete the JPG. I think I will keep that bug / feature. :)

 

Thanks. :D

 

I haven't used sessions before. Before I attempt to, how long can a session last? Won't the user have to log in every day if I use sessions?
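Two questions in this thread, "what is a better way to do this" than a username and password in the cookie, and "won't the user have to log in every day if I use sessions", have one common answer: a short PHP session for the visit, plus a separate long-lived "remember me" cookie that carries a random token rather than anything derived from the password. The block below is an added example, not the site's or the author's code. It assumes PHP 7.3 or later (for the array form of `setcookie()`), an assumed table `remember_tokens` with the columns shown, and uses an in-memory SQLite database in place of the site's real one.

```php
<?php
// Added example, not code from the site or its author. A "remember me"
// cookie built from a random token instead of the username or password.
// Only a hash of the token is stored server-side, so neither a stolen cookie
// nor a copied database yields the password, and a token can be revoked by
// deleting its row. Table and column names are assumptions for the example.

const REMEMBER_DAYS = 30;

// Assumed schema; SQLite in memory stands in for the real database.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE remember_tokens (
    selector TEXT PRIMARY KEY, validator_hash TEXT, user_id INTEGER, expires INTEGER)');

// Call after the password check succeeds: create a token, store its hash,
// send the raw token to the browser.
function issueRememberCookie(PDO $db, int $userId): void
{
    $selector  = bin2hex(random_bytes(9));   // public lookup key
    $validator = bin2hex(random_bytes(32));  // the secret part
    $expires   = time() + REMEMBER_DAYS * 86400;

    $stmt = $db->prepare('INSERT INTO remember_tokens (selector, validator_hash, user_id, expires)
                          VALUES (:sel, :hash, :uid, :exp)');
    $stmt->execute([
        ':sel'  => $selector,
        ':hash' => hash('sha256', $validator),
        ':uid'  => $userId,
        ':exp'  => $expires,
    ]);

    setcookie('remember', $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only
        'httponly' => true,   // page scripts cannot read it, which blunts the XSS findings
        'samesite' => 'Lax',
    ]);
}

// Call on each request before insisting on a login. Returns the user id the
// cookie proves, or null when there is no valid token.
function userFromRememberCookie(PDO $db, ?string $cookie): ?int
{
    if ($cookie === null || substr_count($cookie, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookie, 2);

    $stmt = $db->prepare('SELECT user_id, validator_hash, expires
                          FROM remember_tokens WHERE selector = :sel');
    $stmt->execute([':sel' => $selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires'] < time()) {
        return null;
    }
    // Constant-time comparison so response timing does not leak the stored hash.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return (int) $row['user_id'];
}

// Log-out or "sign out everywhere": dropping the rows invalidates the cookies.
function revokeRememberTokens(PDO $db, int $userId): void
{
    $stmt = $db->prepare('DELETE FROM remember_tokens WHERE user_id = :uid');
    $stmt->execute([':uid' => $userId]);
}

// Glue for a page request: the short-lived PHP session carries the login for
// the visit; when it has expired, the long-lived token re-creates it.
session_start();
if (!isset($_SESSION['user_id'])) {
    $uid = userFromRememberCookie($db, $_COOKIE['remember'] ?? null);
    if ($uid !== null) {
        session_regenerate_id(true);   // fresh session id once the login is established
        $_SESSION['user_id'] = $uid;
    }
}
```

PHP's built-in session data is garbage-collected after `session.gc_maxlifetime` seconds of inactivity (1440 by default), which is why the session itself is not stretched to "forever"; the token cookie does that job, and because it is random it carries no information about the password, so there is nothing in it that needs to be hard to decrypt.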

 

-> You could check the screenshots for tags before uploading them.

 

How? Could you please point me to a tutorial? Thanks. ;)

-> There is Cross Site Scripting in edituser.php. If you put ">code in the input boxes the code runs on the page.

 

This should be fixed now.

 

-> You should never put the username and password in the cookie.

 

I found an easy solution: keep an encrypted / hashed version of the password in the cookie. I made the encryption process myself, so it should be hard to solve. That should be secure enough.

 

I think the only problem is validating the screenshots, which I still don't know how to do completely. ;)
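On the screenshot validation question that is still open at this point: checking the extension and the client-supplied type is not enough, because the uploader controls both, and older Internet Explorer versions sniff the first bytes of a response and will render a file as HTML if it looks like HTML, whatever the extension says. The block below is an added example, not the site's or the author's code. It assumes a form field named `screenshot`, a `program_id` field, a storage directory, and the GD extension; the site's own names will differ.

```php
<?php
// Added example (not the site's own code). Hardening a screenshot upload so
// a file containing HTML is never stored as an image and never sniffed as
// HTML by the browser. Field names, directory and program id are assumptions.

const SCREENSHOT_DIR = __DIR__ . '/screenshots';
const MAX_BYTES = 2 * 1024 * 1024;

// Returns the stored file name on success, or null if the file is rejected.
function storeScreenshot(array $file, int $programId): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        return null;
    }
    // 1. Decide the type from the bytes, not from $file['name'] or
    //    $file['type'], both of which the uploader chooses.
    $info = getimagesize($file['tmp_name']);
    if ($info === false) {
        return null;
    }
    $allowed = [IMAGETYPE_PNG => 'png', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_GIF => 'gif'];
    if (!isset($allowed[$info[2]])) {
        return null;
    }
    // 2. Re-encode through GD. The decoder keeps pixel data only, so markup
    //    hidden in comments or appended after the image does not survive.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        return null;
    }
    // 3. Server-chosen name, one per program, always PNG: a second upload
    //    replaces the first instead of leaving a second file beside it.
    $name = sprintf('program_%d.png', $programId);
    $ok = imagepng($img, SCREENSHOT_DIR . '/' . $name);
    imagedestroy($img);
    return $ok ? $name : null;
}

// Serve through a script rather than a direct file URL, with an explicit
// type and nosniff so the browser does not guess HTML from the content.
function serveScreenshot(int $programId): void
{
    $path = SCREENSHOT_DIR . '/' . sprintf('program_%d.png', $programId);
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: image/png');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="program_' . $programId . '.png"');
    readfile($path);
}

// Upload handler for the assumed form fields.
if (isset($_FILES['screenshot'])) {
    $stored = storeScreenshot($_FILES['screenshot'], (int) ($_POST['program_id'] ?? 0));
    echo $stored === null ? 'Rejected.' : 'Stored as ' . htmlspecialchars($stored);
}
```

Re-encoding is the step that actually removes embedded tags, so a tag search over the raw bytes is not needed; `X-Content-Type-Options: nosniff` is honoured by Internet Explorer 8 and later and by the other major browsers. Always writing PNG is a design choice for the example; the image could equally be re-encoded in its detected format, but then the earlier thread point about a JPG and a PNG coexisting for the same program would need handling separately.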
