Azu Posted September 12, 2007
Hello, I'm making a site for World of Warcraft. It's not even close to being finished yet, but could somebody please tell me if there are any security problems or bugs in it? I want to fix any before I focus on adding more functionality. And also if part of it is ugly/bad please tell me what's wrong so I can try to improve it. http://freethepenguins.com/
watthehell Posted September 12, 2007
Suggestions: Could you make this site a little broader? It takes time to find the thing you're looking for. And I can see my password... LOL... even my friend saw it. Can you keep small icons near the links? Only suggestions, didn't have time to check, will see it later... And from where do we register???
Azu Posted September 12, 2007 (Author)
Hi, thanks for the feedback. About the password: you can only see it as you are typing it in to make a new account or login. I put it like this because people kept complaining about accidentally putting in the wrong password, even WITH the pass confirmation thing. And you register right there on the main page, just fill out all the fields. If you already have an account and want to login just fill out name/password. I'll think about putting some icons on the links. Thanks for the suggestion!
agentsteal Posted September 12, 2007
Array: http://www.freethepenguins.com/a[]
Array: http://www.freethepenguins.com/t=1&c[]
Drop Down Menu: If you edit the drop down menus on http://www.freethepenguins.com/fsearch=a you can submit arbitrary values.
Full Path Disclosure: Parse error: syntax error, unexpected ')' in E:\htdocs\index.html on line 2172
Azu Posted September 12, 2007 (Author)
Thanks for the bug reports ^^ I'm not sure why links with [] in them are putting "Array" in the search box.. any ideas? And can you please tell me how to reproduce the full path disclosure? Also what is the problem with the drop down menus there? I think I have all of the input on it escaped.. if not please give an example..
Edit: I think I got the path disclosure fixed. I changed it so in the php.ini error reporting is turned off by default, and only turned on if the client's IP is my own. Instead of on by default and off if the IP isn't mine.
Azu Posted September 12, 2007 (Author)
Oh okay thanks I didn't know that turned _GETs into arrays lol. Should be fixed now. =D
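Added example, not code from the site or from anyone in this thread, showing how the three things agentsteal reported are normally handled in PHP: a query parameter that arrives as an array because of `[]` in the URL, a drop-down whose value is just a client-supplied string that must be re-checked server side, and errors that print the server path. The parameter names `a`, `c` and `fsearch` are taken from the reported URLs; the allowed values for `fsearch`, the log path and the function names are assumptions. One caveat on the fix described above: showing errors only to your own IP still leaves the real mistake in place, that errors go to the screen at all, and anyone behind the same NAT or proxy as you would see them too. The usual production setting is `display_errors` off and `log_errors` on, so nothing reaches the browser and the failures still end up in a log file.

```php
<?php
// Added example, not the original site's code. Handles the three reports above:
// array-valued query parameters, arbitrary <select> values, and error output
// that leaks server paths. Parameter names come from the reported URLs; the
// allowed-value list and the log path are assumptions.

declare(strict_types=1);

// ?a[]=x makes $_GET['a'] an array; string functions then print "Array" or warn.
// Accept only a real string and fall back to a default otherwise.
function queryString(array $query, string $key, string $default = ''): string
{
    $v = $query[$key] ?? $default;
    return is_string($v) ? $v : $default;
}

// A drop-down only limits what the browser offers, not what the client sends.
// Re-check the value against the list the server actually supports.
function queryChoice(array $query, string $key, array $allowed, string $default): string
{
    $v = queryString($query, $key, $default);
    return in_array($v, $allowed, true) ? $v : $default;
}

// Never display errors to visitors; log them instead. error_reporting stays
// at E_ALL so the log is complete. Call this before any other code runs
// (or set the same keys in php.ini).
function configureErrorOutput(string $logFile): void
{
    ini_set('display_errors', '0');
    ini_set('display_startup_errors', '0');
    ini_set('log_errors', '1');
    ini_set('error_log', $logFile);
    error_reporting(E_ALL);
}

// Usage with a constructed query string shaped like the reported URLs.
// parse_str() builds the same array PHP would put in $_GET.
configureErrorOutput('/var/log/php/app.log'); // assumed path
parse_str('a[]=x&t=1&c[]=y&fsearch=zzz', $q);

$search   = queryString($q, 'a');                              // empty: 'a' was an array
$category = queryString($q, 'c');                              // empty: 'c' was an array
$fsearch  = queryChoice($q, 'fsearch', ['a', 'b', 'c'], 'a');  // 'zzz' is not allowed

printf("search=%s category=%s fsearch=%s\n", $search, $category, $fsearch);
```

In the real site the functions take `$_GET` directly instead of the array built by `parse_str()`; the point of going through one accessor for every parameter is that the array check and the whitelist cannot be forgotten on a single page.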
Azu Posted September 13, 2007 (Author)
Okay.. should be totally fixed now :>
source Posted September 13, 2007
uhm hi i think i just pwnd ur site.. like on every page it says "expecting ending </marquee>" sorry about this roflmaolollercoptter
Azu Posted September 13, 2007 (Author)
Not every page, just the profile page of the people you sent that marquee message to. I forgot to escape the titles on PM lol. Thanks for finding this. Fixed now =D
source Posted September 13, 2007
I could not see the main page...
Azu Posted September 13, 2007 (Author)
o_o what error are you getting? Can you tell me how to reproduce it please? I'll try to fix..
Azu Posted November 7, 2007 (Author)
Okay so I take it no one has found any more problems?
Coreye Posted November 7, 2007
Logging in with a blank username:
Warning: stristr() [function.stristr]: Empty delimiter. in E:\htdocs\index.html on line 588
Coreye Posted November 7, 2007
Site has an error on the profile page after entering code into fields.
XML Parsing Error: not well-formed
Location: http://freethepenguins.com/
Line Number 1, Column 4909: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
Azu Posted November 7, 2007 (Author)
Thanks.. fixed warning. What do you enter in the field to make the XML error?
Coreye Posted November 7, 2007
(quoting Azu) "Thanks.. fixed warning. What do you enter in the field to make the XML error?"
<BODY ONLOAD=alert('XSS')>
Azu Posted November 7, 2007 (Author)
Oops.. forgot to sanitize that on the profile page.. should be working right now ^^ thanks again
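Added example, not code from the site or from anyone in the thread, covering both the unescaped PM titles reported by source and the profile-field injection reported by Coreye. The fix in both cases is the same: escape at output time, in every place user text is written into HTML, rather than trying to "sanitize" on input, since a field that is escaped on one page and forgotten on another is exactly how the profile page got missed after the PM titles were fixed. The `<BODY ONLOAD=alert('XSS')>` payload and the `<marquee>` text are the ones posted above; the field names and the helper names are assumptions. The "XML Parsing Error: not well-formed" message is what Firefox shows when an XHTML page served as `application/xhtml+xml` is not valid XML, which suggests the injected tag broke the whole document instead of just rendering, so the same fix also cures that error.

```php
<?php
// Added example, not the site's code: escape untrusted text at output time.
// The payloads are the ones posted in the thread; field names are assumptions.

declare(strict_types=1);

// One function for every place user text is echoed into HTML (profile fields,
// PM titles, the search box). ENT_QUOTES also escapes single quotes so the
// result is safe inside single-quoted attributes; ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string; the charset must match
// the page's declared encoding.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Attribute values need the same escaping and must always be quoted;
// an unquoted value lets a space start a new attribute such as onload=.
function inputField(string $name, string $value): string
{
    return '<input type="text" name="' . h($name) . '" value="' . h($value) . '" />';
}

// Constructed profile data containing both payloads from the thread.
$profile = [
    'title'    => 'expecting ending <marquee>',
    'location' => "<BODY ONLOAD=alert('XSS')>",
];

// Display context: the tags come out as literal text, not markup.
foreach ($profile as $field => $value) {
    echo '<p>' . h($field) . ': ' . h($value) . "</p>\n";
}

// Edit-form context: the same values are safe inside the attribute.
foreach ($profile as $field => $value) {
    echo inputField($field, $value), "\n";
}
```

The original text is stored unchanged in the database and escaped every time it is rendered; storing an already-escaped copy breaks the moment the same value is used anywhere other than an HTML body (an e-mail, a JSON response, a page title), and it is impossible to tell later whether a stored `&lt;` was typed by the user or added by the filter.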
xylex Posted November 7, 2007
You really shouldn't be using IP addresses for user verification in place of using real sessions. You're going to run into all kinds of issues once you have groups of people using it. Increasingly more providers (AOL, for example), many colleges, and some cable Internet providers run large groups of users through a single outgoing proxy, so your server would see them all as coming from the same IP address. With how you currently have it set, everyone in that group is going to be logged in as whomever was the first to go to your site.
Azu Posted November 7, 2007 (Author)
Hmm.. I'm not sure of any other secure ways to tell people apart besides IP address. I thought that this was what IP addresses were made for. If not, what should I be going by?
Aureole Posted November 11, 2007
Sessions, for sure.
Azu Posted November 12, 2007 (Author)
Are you trying to be funny?
1. They only last until the user closes the browser rofl..
2. There are multiple ways to hijack them without having to actually hack the user's computer
I need something that is permanent, user specific, and can't be spoofed.
Aureole Posted November 12, 2007
Sessions can be spoofed, cookies can be spoofed, IP addresses aren't reliable... (AOL? Corporate/College/School networks?) etc. There is no perfect way to tell users apart, why do you think people get banned then find a way back again? I guess you could resort to fingerprint and retina scans? Shame the hardware is too expensive, that'd be perfect... You can set sessions to last for as long as you want (not sure about forever) and you can make them carry on when the browser closes (see: Gmail) and there are ways to stop hijacking. Hmm I wonder what IPB, vB, phpBB, SMF etc. use? Oh, yeah - sessions. I wonder what pretty much everything written with PHP uses? Oh, yeah - sessions. ???
Azu Posted November 12, 2007 (Author)
Are you sure? I thought they used persistent cookies. Aren't sessions the little variables that you pass through URLs and if anyone gets access to the URL they can just go to it and then be logged on in that session? Not many good ways to prevent these from being passed to other websites through the referrer header. And I know that in some ISPs somebody's address gets changed once in a while, but at least you can't reset it instantly in less than a second by just pressing a hotkey like you can with cookies and sessions ^^ so it's a LITTLE more secure than them I think. If there is something more reliable to go on then please tell me and I will be glad to use it. I can't think of any though. MAC addresses aren't normally sent and are easy to spoof anyway, regardless of your ISP. So they would be less secure. And I can't think of anything else that is in any way unique to a user and is sent over the internet.. =\ any thoughts on this would be welcome.
Aureole Posted November 13, 2007
Sessions don't have to be passed through URLs. My site doesn't do that, I believe that's something to do with a setting in php.ini. You're talking about the ?PHPSESSID=... right?
Azu Posted November 13, 2007 (Author)
Yes exactly. Isn't that what a session is? So that you can store some data when the user doesn't accept cookies and you don't want to use their internet address? In any case I am trying to find something more secure/permanent/harder to forge than any of these, since at the moment they can all be hacked by the users one way or another (although not so easily/quickly when using IPs). This is kind of getting off topic though. I really doubt that anyone will come up with a feasible way to reliably tell users apart with the state the internet is in right now (all of that DHCP stuff that makes computers' addresses keep changing over and over). I'd really appreciate it if someone would tell me which parts of my site have errors/security problems so that I can try to fix them ^^ I definitely CAN fix those kinds of problems right now.. Sorry if I made typos in this, the o and p keys on my keyboard are broken right now so I have to copy and paste them =/
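Added example, not code from the site or from anyone in the thread, for the session discussion that runs from xylex's post about shared proxies through the last reply above. It shows the PHP settings that answer the two objections raised: `session.use_only_cookies` and `session.use_trans_sid=0` stop the session id from ever appearing in a URL (so it cannot leak through a Referer header or be handed to a victim as a fixation link), and a separate long-lived "remember me" token gives the permanence that a browser-lifetime session cookie lacks. Regenerating the id at login, `HttpOnly` on the cookie and a server-side token table are the standard ways of limiting hijacking; none of this ties a login to the client IP address, which, as xylex points out, would merge every user behind one proxy into a single account. The token store below is an in-memory array standing in for a database table, and the function names, the user name and the 30-day lifetime are assumptions. Requires PHP 7.1 or later for the nullable return type.

```php
<?php
// Added example, not the site's code: cookie-only PHP sessions plus a
// "remember me" token that does not depend on the client IP address.
// $tokenStore is an in-memory stand-in for a DB table (selector -> row).

declare(strict_types=1);

// --- 1. Session cookie hardening; must run before session_start() ---
ini_set('session.use_only_cookies', '1'); // never read ?PHPSESSID=... from the URL
ini_set('session.use_trans_sid', '0');    // never append the id to links and forms
ini_set('session.cookie_httponly', '1');  // script cannot read the cookie (limits XSS theft)
ini_set('session.cookie_secure', '1');    // cookie only sent over HTTPS (assumes TLS)
session_start();

function login(string $username): void
{
    // New id at the moment of privilege change, so an id an attacker planted
    // before login (session fixation) is not the one that becomes authenticated.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
}

// --- 2. Persistent login: random selector + validator, validator stored hashed ---
// The selector finds the row; the validator proves possession. Only a hash of
// the validator is kept, so a copy of the table cannot be replayed as cookies.
function issueRememberToken(array &$store, string $username, int $ttl = 30 * 86400): string
{
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $store[$selector] = [
        'user'    => $username,
        'hash'    => hash('sha256', $validator),
        'expires' => time() + $ttl,
    ];
    return $selector . ':' . $validator; // the cookie value handed to the browser
}

function checkRememberToken(array &$store, string $cookie): ?string
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    if (!isset($store[$selector])) {
        return null;
    }
    $row = $store[$selector];
    if ($row['expires'] < time()) {
        unset($store[$selector]);
        return null;
    }
    // Constant-time comparison so timing does not reveal how much matched.
    if (!hash_equals($row['hash'], hash('sha256', $validator))) {
        // Right selector, wrong validator: the cookie was tampered with or
        // guessed. Burn the token so it cannot be brute-forced further.
        unset($store[$selector]);
        return null;
    }
    return $row['user'];
}

// --- Usage ---
$tokenStore = [];

// At login, after the password check (assumed user name):
login('azu');
$cookie = issueRememberToken($tokenStore, 'azu');
setcookie('remember', $cookie, time() + 30 * 86400, '/', '', true, true); // Secure + HttpOnly

// On a later request with no live session, the value comes from $_COOKIE['remember'];
// the issued value is reused here so the script runs stand-alone.
$user = checkRememberToken($tokenStore, $cookie);
if ($user !== null) {
    login($user); // fresh session id again, as at a password login
}

// A tampered cookie is rejected and the token is revoked.
$rejected = checkRememberToken($tokenStore, strtok($cookie, ':') . ':' . str_repeat('0', 64));
```

The remember token does what the IP scheme was trying to do, identify the same person across browser restarts and address changes, but it is a secret the server issued rather than a property of the network, so a shared proxy does not merge users and a DHCP lease change does not log anyone out. Logout should delete the token row as well as the session, and a password change should delete all of the user's rows.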