
FreeBASIC Programs Directory



Cross Site Scripting:

There is Cross Site Scripting in the iframe on the index page.

 

Cross Site Scripting:

There is Cross Site Scripting in the screenshots.

 

Cross Site Scripting:

There is Cross Site Scripting on http://fbc.ourproject.org/edituser.php if the fields contain ">code.

 

Insecure Cookie:

You shouldn't put the password in the cookie.

 

Insecure Cookie:

You shouldn't put the username in the cookie.

 

User Enumeration:

http://fbc.ourproject.org/~root

 

You can upload multiple screenshots by changing the extension.


-> On the bottom of the main page there's a frame that asks you to register. If you register with code in your name, the code runs on the page.

 

Thanks for finding that. I think I'll link to a different forum (a thread from freebasic.net), and upgrade that forum later. That forum is a separate project; I think it was my first in PHP, too. :)

 

 

No, I left those open on purpose. It is an alternative method of browsing through the programs. :P Or is there a problem with leaving these folders open?


Thanks for finding the edituser.php bug. editprogram.php probably has the same problem, but it should be easy to fix. :)

 

-> You should never put the username and password in the cookie.

 

Why not? What is a better way to do this? I don't want to use MySQL sessions because they are confusing and can't keep users logged in forever.

 

-> In Internet Explorer the screenshots can have XSS.

 

How can I fix this? I check both the file extension and file type before allowing the file. Should I post my code?

 

-> If you upload a screenshot and then upload a screenshot with a different extension, it keeps the old screenshot.

 

I know, but I think it is good that way. I.e., suppose someone uploads a JPG, then replaces it with a PNG. If another person on another site had linked to the JPG image, then the link would be broken if I delete the JPG. I think I will keep that bug / feature. :)

 

Thanks. :D

 


-> There is Cross Site Scripting in edituser.php. If you put ">code in the input boxes the code runs on the page.

 

This should be fixed now.

 

-> You should never put the username and password in the cookie.

 

I found an easy solution: keep an encrypted / hashed version of the password in the cookie. I made the encryption process myself, so it should be hard to solve. That should be secure enough.

 

I think the only problem is validating the screenshots, which I still don't know how to do completely. ;)


I have found a cross site scripting vuln. When registering, make your password

<marquee>ownd

 

and then register and on the next page where you echo the password it will echo.

 

In short there should be no need for echoing the password. Ever.

