
Please check my security


Azu


Hello,

I'm making a site for World of Warcraft.

 

It's not even close to being finished yet, but could somebody please tell me if there are any security problems or bugs in it? I want to fix any before I focus on adding more functionality.

And also if part of it is ugly/bad please tell me what's wrong so I can try to improve it. ^_^

 

http://freethepenguins.com/


Suggestions ;)

Could you make this site a little broader?

It takes time to find the thing you're looking for...

And I can see my password... LOL... even my friend saw it..

 

Can you keep small icons near the links...

 

Only suggestions, didn't have time to check... will see it later...

 

And where do we register???

 

 


Hi, thanks for the feedback.

 

About the password; you can only see it as you are typing it in to make a new account or login. I put it like this because people kept complaining about accidentally putting in the wrong password, even WITH the pass confirmation thing..

 

And you register right there on the main page, just fill out all the fields. If you already have an account and want to login just fill out name/password.

 

I'll think about putting some icons on the links.. thanks for the suggestion! :D


Array:

http://www.freethepenguins.com/a[]

 

Array:

http://www.freethepenguins.com/t=1&c[]

 

Drop Down Menu:

If you edit the drop down menus on http://www.freethepenguins.com/fsearch=a you can submit arbitrary values.

 

Full Path Disclosure:

Parse error: syntax error, unexpected ')' in E:\htdocs\index.html on line 2172

Thanks for the bug reports ^^

 

I'm not sure why links with [] in them are putting "Array" in the search box.. any ideas?

 

And can you please tell me how to reproduce the full path disclosure?

 

Also what is the problem with the drop down menus there? I think I have all of the input on it escaped.. if not please give example..

 

 

 

Edit: I think I got the path disclosure fixed. I changed it so in the php.ini error reporting is turned off by default, and only turned on if the client's IP is my own. Instead of on by default and off if the IP isn't mine.


1 month later...

You really shouldn't be using IP addresses for user verification in place of using real sessions. You're going to run into all kinds of issues once you have groups of people using it. Increasingly more providers (AOL, for example), many colleges, and some cable Internet providers run large groups of users through a single outgoing proxy, so your server would see them all as coming from the same IP address. With how you currently have it set, everyone in that group is going to be logged in as whoever was the first to go to your site.


Are you trying to be funny?

 

1. They only last until the user closes the browser rofl..

2. There are multiple ways to hijack them without having to actually hack the user's computer

 

 

I need something that is permanent, user specific, and can't be spoofed.


Sessions can be spoofed, cookies can be spoofed, IP addresses aren't reliable... (AOL? Corporate/College/School networks?) etc. There is no perfect way to tell users apart; why do you think people get banned then find a way back again?

 

I guess you could resort to fingerprint and retina scans? :P Shame the Hardware is too expensive, that'd be perfect...

 

You can set sessions to last for as long as you want (not sure about for ever) and you can make them carry on when the browser closes (see: Gmail) and there are ways to stop hijacking. Hmm I wonder what IPB, vB, PhpBB, SMF etc. use? Oh, yeah - sessions.

 

I wonder what pretty much everything written with PHP uses? Oh, yeah - sessions.

 

???


Are you sure? I thought they used persistent cookies.

 

Aren't sessions the little variables that you pass through URLs, and if anyone gets access to the URL they can just go to it and then be logged on in that session? Not many good ways to prevent these from being passed to other websites through the referrer header.

 

And I know that in some ISPs somebody's address gets changed once in a while, but at least you can't reset it instantly in less than a second by just pressing a hotkey like you can with cookies and sessions ^^ so it's a LITTLE more secure than them I think.

 

If there is something more reliable to go on then please tell me and I will be glad to use it. I can't think of any though. MAC addresses aren't normally sent and are easy to spoof anyway, regardless of your ISP. So they would be less secure. And I can't think of anything else that is in any way unique to a user and is sent over the internet.. =\ any thoughts on this would be welcome.


Yes exactly. Isn't that what a session is? So that you can store some data when the user doesn't accept cookies and you don't want to use their internet address?

 

In any case I am trying to find something more secure/permanent/harder to forge than any of these, since at the moment they can all be hacked by the users one way or another (although not so easily/quickly when using IPs).

 

This is kind of getting off topic though. I really doubt that anyone will come up with a feasible way to reliably tell users apart with the state the internet is in right now (all of that DHCP stuff that makes computers' addresses keep changing over and over).

 

I'd really appreciate it if someone would tell me which parts of my site have errors/security problems so that I can try to fix them ^^ I definitely CAN fix those kinds of problems right now..

 

Sorry if I made typos in this, the o and p keys on my keyboard are broken right now so I have to copy and paste them =/

