phat_hip_prog Posted September 10, 2007
Hi, I've been working on this little project on and off for a while now and the time has come where I could do with a peer review. Having no formal education in programming this is a first for me, but... There's an online version here http://www.rawstar7.co.uk and it is available for download here http://www.rawstar7.co.uk/projects/v0_13.html. There's lots to do and you should take the documentation with a pinch of salt (only revision is true to..). My main concern is the login system as I'm about to move onto an https system. I haven't used $_SERVER variables but use mysql entries. Be aware it's still quite bloated and makes too many sql calls; all admin code will be sectioned off soon, and the dynamic js tree menu has been revised but needs a full rework which will be tackled soon... Anyway, enough for now... Thanks for any help...
agentsteal Posted September 10, 2007
Full Path Disclosure: There is Full Path Disclosure if the PHPSESSID cookie is set to an invalid value.
http://www.rawstar7.co.uk/site/comp/linux/security/tut_ssh.html
Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/rawstar7/public_html/monkey/users.php on line 56
Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /home/rawstar7/public_html/monkey/users.php:56) in /home/rawstar7/public_html/monkey/users.php on line 56
Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/rawstar7/public_html/monkey/users.php:56) in /home/rawstar7/public_html/monkey/users.php on line 56
Includes Directory: http://www.rawstar7.co.uk/monkey/mods/
Includes Directory: http://www.rawstar7.co.uk/monkey/res/
User Enumeration: http://www.rawstar7.co.uk/~rawstar7/
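A defensive fix for the session warning reported above, as an added example that is not cmsmonkey's own code: check the PHPSESSID cookie against the character set PHP accepts before calling session_start(), and keep PHP warnings out of the response body so a malformed cookie can never echo the server path. The wrapper function names and the use of random_bytes() (PHP 7+) are assumptions.

```php
<?php
// Added example, not part of cmsmonkey. Hardens the session_start() call
// that users.php makes so an invalid PHPSESSID cookie cannot trigger the
// "session id contains illegal characters" warning in the page output.

// Warnings go to the error log, never to the client (also set in php.ini).
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// The character set PHP accepts in a session id is the one quoted in the
// warning: a-z, A-Z, 0-9, '-' and ','. Length bounds follow PHP's
// session.sid_length range (22..256).
function is_valid_session_id(string $id): bool
{
    return (bool) preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id);
}

// Hypothetical wrapper to call in place of a bare session_start().
function safe_session_start(): void
{
    $name = session_name(); // "PHPSESSID" unless reconfigured

    if (isset($_COOKIE[$name]) && !is_valid_session_id($_COOKIE[$name])) {
        // Drop the malformed cookie and hand PHP a fresh, valid id.
        // session_id() set before session_start() takes precedence over
        // the request cookie, so no warning is raised and no path leaks.
        unset($_COOKIE[$name]);
        session_id(bin2hex(random_bytes(16)));
        error_log("rejected malformed session id cookie from " . $_SERVER['REMOTE_ADDR']);
    }

    session_start();
}

safe_session_start();
```

With display_errors off the same request now yields a clean page and a new session cookie; the rejection is still visible to the admin in the error log, which is where the frequency checking described later in the thread could pick it up.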
phat_hip_prog Posted September 15, 2007 Author
Considering the number of additional hits I've had since posting here I sort of expected more responses, even if it's just a basic pass. Many thanks to agentsteal for the time and feedback; all except the user enumeration are now sorted (I believe!). The new version of cmsmonkey also disallows proxy logins, catches certain other anomalies (still testing) and has new search capabilities in the admin logging section. However the log view for frequency checking may not be reporting as it should (this is different to actual frequency checking and blocking, which does work fine). There are also new admin page controls for controlling frequency checking. In addition js menus have been updated to conform to W3C standards. Non-admin areas all now conform to the W3C html loose standard and W3C CSS 3. Logos have not been applied since this area is still being improved and certain admin zones need work. Anyway, for those who did have a monkey around with it, thanks, and hope you all have fun... New link... http://www.rawstar7.co.uk/projects/cmsmonkey.html GOING BANANAS!
phat_hip_prog Posted September 15, 2007 Author
Oh yes, all admin code is now sectioned off for a more streamlined serve.
phat_hip_prog Posted September 15, 2007 Author
dl works now!