Source: https://forums.phpfreaks.com/topic/67074-standard-forum/
lemmin Posted August 28, 2007: http://meisnermusic.awardspace.com I made a little forum and would like you to see how it works. Feel free to try to break it, as long as you tell me how you did it. I didn't do very much user input checking, so I wouldn't be surprised if someone can do something funny to it. Please post as many times as you want (can). I would like to make sure the backend is working properly. Thank you. P.S. I am really impressed by awardspace.com's free web hosting.
Gath Posted August 28, 2007: No spam control. SQL injection possible. http://meisnermusic.awardspace.com/index.php?s=%3Cmarquee%3E (Have to run, I'm late, can't check more -.-)
lemmin Posted August 28, 2007 (Author): Haha, I love the entire div post scrolling across the screen. I guess I shouldn't allow HTML.
php_tom Posted August 28, 2007: There, I broke it by making a new topic called '<textarea>'. Maybe you should strip_tags() before you accept a thread, etc. And I'd make people sign in to post anyway.
lemmin Posted August 28, 2007 (Author): Ok, I fixed the tags. I am planning to implement the login feature, but I figured it would be easier for people to test this without it, for now. EDIT: I also fixed the injection, now. (probably)
php_tom Posted August 28, 2007: Hehe... either somebody totally wrecked your site, or too many people are testing... "Too many connections". It looks much better, although I haven't finished testing it completely. I'll try again later.
php_tom Posted August 28, 2007: Here's a funny one (although not really a vulnerability): http://meisnermusic.awardspace.com/index.php?s=-1000000000000000000000000000000000000000000000000000000000000000 (followed by several thousand more zeros; the server answered "Request-URI Too Large. The requested URL's length exceeds the capacity limit for this server."). Now I'm just playing... it's not easy to get a 414 error!
akitchin Posted August 30, 2007: Chokes on single quotes: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'this is \" some stuff that <marquee>might trip you up</". That portion started with a single quote.
agentsteal Posted August 30, 2007: Cross Site Scripting: http://meisnermusic.awardspace.com/?a=n&s="><marquee><h1>vulnerable</marquee>
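An added example (editor's code, not lemmin's forum code) of why the payloads reported in this thread work and what closes them. The parameter name `s`, the surrounding markup and the `h()` helper are assumptions. The point is that the fix belongs at the output, not only at the input: strip_tags() removes `<marquee>` and `<textarea>`, but it leaves the `"` that closes an attribute, so a tag-free payload still breaks out. htmlspecialchars() with ENT_QUOTES at the point of echo handles both contexts.

```php
<?php
// Added example, not code from the forum being tested.
// Two places the thread's payloads landed: a request value echoed back inside
// an attribute (?a=n&s="><marquee>) and a topic title echoed as element content.

function h($text) {
    // ENT_QUOTES also encodes the single quote, so the helper is safe inside
    // single-quoted attributes as well as double-quoted ones.
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable: the raw request value is reused as a form field value.
function formFieldVulnerable($value) {
    return '<input type="text" name="s" value="' . $value . '">';
}

// Still vulnerable: strip_tags() removes tags but not the quote that ends the
// attribute, so a payload with no tag at all passes through untouched.
function formFieldStripTags($value) {
    return '<input type="text" name="s" value="' . strip_tags($value) . '">';
}

// Hardened: the same markup with the value encoded at the point of output.
function formField($value) {
    return '<input type="text" name="s" value="' . h($value) . '">';
}

// Hardened topic title in element-content context. '<textarea>' stays text.
function topicTitle($title) {
    return '<h2 class="topic">' . h($title) . '</h2>';
}

// Constructed inputs: the two payloads from the thread plus one with no tag.
$payloads = array(
    '"><marquee><h1>vulnerable</marquee>',  // agentsteal's URL parameter
    '<textarea>',                           // php_tom's topic title
    '" onmouseover="alert(1)',              // constructed: nothing for strip_tags() to strip
);

foreach ($payloads as $p) {
    echo "raw        : " . formFieldVulnerable($p) . "\n";
    echo "strip_tags : " . formFieldStripTags($p) . "\n";
    echo "encoded    : " . formField($p) . "\n";
    echo "title      : " . topicTitle($p) . "\n\n";
}
```

Run it from the command line and compare the three renderings of the third payload: the raw and strip_tags() versions both produce a live `onmouseover` attribute, the encoded one produces `&quot; onmouseover=&quot;alert(1)` inside the value. If HTML in posts is wanted at all, the safer route is a whitelist formatter (BBCode, as suggested later in the thread) whose output is generated by the server rather than copied from the user.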
lemmin Posted August 30, 2007 (Author): Thanks for all the input, guys. "I am pretty sure that I found a blind sql injection vulnerability that allows users to query the database:" If there is something after the digit, it just directs you to the home page and it isn't even querying from the URI that you put in. The weird times I would guess are because of the free server. "chokes on single quotes:" Wow, I swear I worked around that; I must have changed something by accident. "Cross Site Scripting:" That is pretty cool, I will see what I can do about that.
phpSensei Posted August 31, 2007: Maybe you should make the new topic message field a text area....
lemmin Posted August 31, 2007 (Author): It seems that escaping apostrophes with a slash "\'" works on my end, but not when I upload to awardspace. I fixed the cross site scripting, though. Is this a MySQL version thing? "maybe you should make the new topic message field a text area...." It is! It's a "<input type=textarea>", which isn't a valid type, but it defaults to text. I'm not really working on cosmetics yet. I will definitely have a bigger box for the message field, as well as labels for the fields.
akitchin Posted August 31, 2007: A textarea is its own tag, not a type of input.
lemmin Posted August 31, 2007 (Author): Yeah, I was just joking about that. I switched to mysql_real_escape_string() and it doesn't choke anymore; however, it prints a little backslash before it on output. I am assuming this is a MySQL setting, so I am not too concerned that it does that on a free host. Am I right about that? Can anyone else make this site do anything weird, after the changes?
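The stray backslash is almost certainly not a MySQL setting but PHP's magic_quotes_gpc, which many shared hosts of that era had switched on: with it on, every $_GET/$_POST value arrives already backslash-escaped, so escaping it again with mysql_real_escape_string() stores a literal backslash, and the same difference between the local machine and the host explains why the hand-rolled "\'" approach worked in one place and produced akitchin's syntax error in the other. An added example, not lemmin's code, of the robust way to handle it: normalise the input once, validate numeric selectors instead of escaping them, and send text values to MySQL as bound parameters so quotes and backslashes can never change the query. The table layout, the PDO DSN and the assumption that `s` carries a numeric row id are mine.

```php
<?php
// Added example, not code from the forum being tested.
// Assumes a table posts(id INT AUTO_INCREMENT PRIMARY KEY, topic INT, body TEXT)
// and PDO with the mysql driver, opened in exception mode (see the usage below).

// 1. Undo magic_quotes_gpc if the host has it on. With it on, $_POST['body']
//    already reads "it\'s"; escaping that again stores "it\\'s", and the
//    backslash shows up on output. get_magic_quotes_gpc() no longer exists in
//    PHP 8, hence the function_exists() guard.
function rawInput($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return is_array($value) ? array_map('rawInput', $value) : stripslashes($value);
    }
    return $value;
}

// 2. A numeric selector is validated, not escaped. Anything that is not a
//    plain positive integer (a quote, a tag, -1000...000) is rejected outright.
function numericId($raw) {
    if (!preg_match('/^[1-9][0-9]{0,9}$/', (string)$raw)) {
        return null;
    }
    return (int)$raw;
}

// 3. Text never gets spliced into SQL. A prepared statement sends the value
//    separately from the query text, so ' and \ are just characters in the data.
function fetchPosts(PDO $db, $rawTopic) {
    $id = numericId($rawTopic);
    if ($id === null) {
        return array();
    }
    $stmt = $db->prepare('SELECT id, body FROM posts WHERE topic = ? ORDER BY id');
    $stmt->execute(array($id));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function addPost(PDO $db, $rawTopic, $rawBody) {
    $id   = numericId($rawTopic);
    $body = trim(rawInput($rawBody));
    if ($id === null || $body === '') {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO posts (topic, body) VALUES (?, ?)');
    return $stmt->execute(array($id, $body));
}

// Usage (assumed DSN and credentials). Exceptions should be logged, not
// echoed: the raw MySQL error message quoted earlier in the thread tells an
// attacker exactly where their quote landed in the query.
// $db = new PDO('mysql:host=localhost;dbname=forum;charset=utf8', 'user', 'pass');
// $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
// addPost($db, $_GET['s'], $_POST['body']);
// print_r(fetchPosts($db, $_GET['s']));
```

Storing the value unescaped and encoding it only when it is displayed (see the htmlspecialchars() example earlier) is what removes the backslash: the data in the table is "it's", and no layer adds or strips slashes on the way out. mysql_real_escape_string() is not wrong as such, but it needs an open connection, depends on the connection charset, and still leaves the query assembled from strings; bound parameters remove that whole class of mistakes.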
php_tom Posted September 1, 2007: Not really a vulnerability, but I can reply to a non-existent post, e.g., http://meisnermusic.awardspace.com/index.php?s=2&t=1234567890&a=n Nobody will see this, but it probably populates your DB with extra stuff. So maybe check that a post/topic exists before letting someone reply...
Guardian-Mage Posted September 3, 2007: You really meant basic, didn't you? Anyway, you should use BBCode, not HTML, and limit BBCode so JavaScript won't work.
lemmin Posted September 7, 2007 (Author): Someone claims to have overwritten a previous topic on the site. The only way I can think of this happening is by sending a custom POST variable to my site. I assume that is possible; is that likely how it was done? The code uses only POST variables when creating a topic. If this IS what has happened, what is the best way to prevent against such a thing? If not, any ideas on how this was possible?
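The scenario is entirely plausible: a POST body is just bytes the client chooses to send, so hidden form fields, field names the form never shows and extra parameters are all trivially forged (`curl -d 'id=3&title=x' 'http://host/index.php?a=n'` sets $_POST['id'] to whatever the sender likes). If the topic-creation code writes to a row whose id comes from the request, that id can be pointed at an existing topic. An added example, not the forum's own code (which the thread does not show; the vulnerable function is a hypothetical pattern, and the table layout and PDO connection are assumed), of the two rules that close this and also php_tom's reply-to-nonexistent-topic report: the server assigns identifiers on creation, and a reply is accepted only for a topic that exists.

```php
<?php
// Added example, not code from the forum being tested. Assumes
//   topics(id INT AUTO_INCREMENT PRIMARY KEY, title VARCHAR(200))
//   posts(id INT AUTO_INCREMENT PRIMARY KEY, topic INT, body TEXT)
// and a PDO connection in exception mode.

// Hypothetical vulnerable pattern: the row to write is chosen by a value from
// the form. With REPLACE (or UPDATE, or INSERT ... ON DUPLICATE KEY UPDATE) a
// forged id silently overwrites another user's topic.
function createTopicVulnerable(PDO $db, array $post) {
    $stmt = $db->prepare('REPLACE INTO topics (id, title) VALUES (?, ?)');
    $stmt->execute(array($post['id'], $post['title']));
    return (int)$post['id'];
}

// Hardened: a new topic never takes its id from the client. The database
// assigns it, and the client only learns the id after the INSERT succeeds.
function createTopic(PDO $db, array $post) {
    $title = isset($post['title']) ? trim($post['title']) : '';
    if ($title === '' || strlen($title) > 200) {
        return 0;
    }
    $stmt = $db->prepare('INSERT INTO topics (title) VALUES (?)');
    $stmt->execute(array($title));
    return (int)$db->lastInsertId();
}

// A reply must reference a topic that exists, or it is refused; otherwise
// ?t=1234567890 leaves orphan rows nobody can ever see.
function topicExists(PDO $db, $topicId) {
    $stmt = $db->prepare('SELECT 1 FROM topics WHERE id = ?');
    $stmt->execute(array($topicId));
    return $stmt->fetchColumn() !== false;
}

function createReply(PDO $db, $rawTopic, array $post) {
    if (!preg_match('/^[1-9][0-9]{0,9}$/', (string)$rawTopic)) {
        return false;
    }
    $topicId = (int)$rawTopic;
    $body    = isset($post['body']) ? trim($post['body']) : '';
    if ($body === '' || !topicExists($db, $topicId)) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO posts (topic, body) VALUES (?, ?)');
    return $stmt->execute(array($topicId, $body));
}

// Usage (assumed DSN and credentials):
// $db = new PDO('mysql:host=localhost;dbname=forum;charset=utf8', 'user', 'pass');
// $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// $newId = createTopic($db, $_POST);            // ignores any $_POST['id']
// $ok    = createReply($db, $_GET['t'], $_POST); // false for a missing topic
```

Editing an existing topic is the one operation that legitimately takes an id from the client, and there the check is authorisation rather than existence: once the login feature exists, the UPDATE should be restricted with `WHERE id = ? AND author = ?` bound to the session's user, so a forged id matches no row instead of someone else's.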