dbillings, posted September 17, 2007

I've made an easy-to-configure and install login system with PHP. It has a configure file that initially needs to be edited, then a setup.php page to run that creates a MySQL table. Then you are off and running with a few includes. It has features like super admins, 4 levels of security, lists users currently online, ability to modify users' access easily, and it requires no programming knowledge to use.

dennisbillings.com/projects.php

Thread: https://forums.phpfreaks.com/topic/69614-object-based-feature-rich-login/
dbillings (author), posted September 17, 2007

Really never looked in this forum before and didn't know it was a hack-my-site-into-oblivion kind of thing. So we'll see what happens, I suppose.
agentsteal, posted September 17, 2007

Admin Access: Regular users can set admin privileges and make themselves admin.

Cross Site Scripting: There is Cross Site Scripting if the Expect header contains code.
Cross Site Scripting: There is Cross Site Scripting if you submit code in the drop down menu on http://www.dennisbillings.com/calphalon/daysoff.php.
Cross Site Scripting: There is Cross Site Scripting on http://www.dennisbillings.com/addimages.php.
Cross Site Scripting: There is Cross Site Scripting on http://www.dennisbillings.com/allquotes.php.
Cross Site Scripting: There is Cross Site Scripting on http://www.dennisbillings.com/blog.php.
Cross Site Scripting: There is Cross Site Scripting when you register if the fields contain ">code.

Drop Down Menu: If you edit the drop down menu on http://www.dennisbillings.com/calphalon/daysoff.php you can submit arbitrary values.

Full Path Disclosure: http://www.dennisbillings.com/adminquoteeditor.php?id
    Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/www/Devendea/quoteeditor.php on line 29
Full Path Disclosure: http://www.dennisbillings.com/music.php?pmmsid[]
    Warning: Illegal offset type in /home/www/Devendea/videos.php on line 113
Full Path Disclosure: http://www.dennisbillings.com/projects.php?dl[]
    Warning: basename() expects parameter 1 to be string, array given in /home/www/Devendea/count_clicks.php on line 29
    Warning: Cannot modify header information - headers already sent by (output started at /home/www/Devendea/count_clicks.php:29) in /home/www/Devendea/count_clicks.php on line 29
Full Path Disclosure: There is Full Path Disclosure in the calendar.
    Warning: mysql_result(): Unable to jump to row 0 on MySQL result index 13827 in /home/www/Devendea/calphalon/explore.php on line 69

Includes Directory: http://www.dennisbillings.com/login/

Null User: You can register a null username.

SQL Injection:
    http://www.dennisbillings.com/adminquoteeditor.php?id=1 AND 1=1
    http://www.dennisbillings.com/adminquoteeditor.php?id=1 AND 1=2

User Enumeration: http://www.dennisbillings.com/~admin
User Enumeration: http://www.dennisbillings.com/~Devendea
User Enumeration: http://www.dennisbillings.com/~root
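The two SQL injection probes above are a boolean-based test: `id=1 AND 1=1` keeps the WHERE clause true and returns the quote, `id=1 AND 1=2` makes it false and returns nothing, and that difference is the signal that the query string is being pasted into the SQL. The script below is an added example, not EZ_login's or the site's code; it reproduces the two behaviours against a concatenated query and shows the validated, prepared-statement version. The `quotes` table, its rows and the function names are constructed for the example, and it assumes the `pdo_sqlite` extension so it runs offline without a MySQL server.

```php
<?php
// Added example (not the EZ_login code). Why ?id=1 AND 1=1 and ?id=1 AND 1=2
// behave differently against a concatenated query, and the prepared-statement fix.
// An in-memory SQLite database stands in for MySQL; the table and rows are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE quotes (id INTEGER PRIMARY KEY, quote TEXT)');
$db->exec("INSERT INTO quotes (id, quote) VALUES (1, 'first quote'), (2, 'second quote')");

// Vulnerable pattern: the raw query-string value is pasted straight into the SQL.
function quoteVulnerable(PDO $db, string $id): ?string
{
    $sql = 'SELECT quote FROM quotes WHERE id=' . $id;   // injection point
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['quote'] : null;
}

// Hardened pattern: reject anything that is not a positive integer, then bind the value.
// Rejecting (rather than casting with intval) means "1 AND 1=1" is refused outright,
// so an attacker cannot use the response as an oracle at all.
function quoteSafe(PDO $db, string $id): ?string
{
    if (!preg_match('/^[1-9][0-9]*$/', $id)) {
        return null;  // the caller should answer 400 here, not echo the value back
    }
    $stmt = $db->prepare('SELECT quote FROM quotes WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['quote'] : null;
}

// The probes from the report plus the classic OR variant. Against the vulnerable
// function "1 AND 1=1" returns the quote and "1 AND 1=2" returns nothing; against the
// safe function every non-numeric probe is refused.
foreach (['1', '1 AND 1=1', '1 AND 1=2', '1 OR 1=1'] as $probe) {
    printf("%-12s vulnerable=%-14s safe=%s\n",
        $probe,
        var_export(quoteVulnerable($db, $probe), true),
        var_export(quoteSafe($db, $probe), true));
}
```

The same two-request comparison is how you would confirm the fix after deploying it: once the parameter is validated and bound, both probes must produce the identical response (ideally an error page) rather than one page with the quote and one without.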
dbillings (author), posted September 18, 2007

Would PHP's strip_tags be a good solution to stop cross site scripting?
dbillings (author), posted September 18, 2007

Or htmlspecialchars?
dbillings (author), posted September 18, 2007

I can block the full path disclosure by getting rid of my error reporting. I can stop the SQL injections by creating better $_GET validation. I should use htmlspecialchars() on all my form data. How do I rid myself of the user enumeration problem, and how did you give yourself admin privileges?
dbillings (author), posted September 18, 2007

I'm not sure if the admin privileges access was broken before you were working your magic or not.
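The report says a regular user could make themselves admin but not how. The script below is an added example, not EZ_login's code, and it assumes the most common cause in PHP applications of this type: the access level to store is taken from the submitted form, so anyone who edits the form (or adds the field by hand) chooses their own level. It shows that weak handler beside one that decides from the server-side session, and alongside it the output-encoding fix for the `">code` registration XSS, where `strip_tags()` is not enough because an attribute-breaking payload such as `" onmouseover="alert(1)` contains no tag to strip. The `users` table, its columns, the level numbers, the session layout and the function names are all assumptions made for the example; it uses an in-memory SQLite database via `pdo_sqlite` so it runs offline.

```php
<?php
// Added example, not EZ_login's code. Table, column, level and session names are
// assumptions; SQLite (pdo_sqlite) stands in for MySQL so the script runs offline.

const LEVEL_USER        = 1;   // assumed: lowest of the 4 levels
const LEVEL_SUPER_ADMIN = 4;   // assumed: highest

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, access_level INTEGER)');
$db->exec("INSERT INTO users VALUES (1, 'owner', 4), (2, 'bob', 1)");   // constructed rows

function levelOf(PDO $db, int $id): int
{
    $stmt = $db->prepare('SELECT access_level FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (int) $stmt->fetchColumn();   // 0 if the user does not exist
}

// Weak handler: whoever submits the form picks the level. Casting to int stops SQL
// injection but does nothing about authorisation; a level-1 user posts access_level=4
// with their own user_id and is admin.
function setLevelWeak(PDO $db, array $post): void
{
    $stmt = $db->prepare('UPDATE users SET access_level = :lvl WHERE id = :id');
    $stmt->execute([':lvl' => (int) $post['access_level'], ':id' => (int) $post['user_id']]);
}

// Hardened handler: the caller's identity comes from the session and their level is
// re-read from the database (so a demotion takes effect immediately), the requested
// level is range-checked, and nobody can grant a level above their own.
function setLevelChecked(PDO $db, array $session, array $post): bool
{
    $callerLevel = levelOf($db, (int) ($session['user_id'] ?? 0));
    if ($callerLevel < LEVEL_SUPER_ADMIN) {
        return false;   // only super admins change levels; answer 403 in a real handler
    }
    $target = (int) ($post['user_id'] ?? 0);
    $level  = (int) ($post['access_level'] ?? 0);
    if ($level < LEVEL_USER || $level > $callerLevel) {
        return false;
    }
    $stmt = $db->prepare('UPDATE users SET access_level = :lvl WHERE id = :id');
    $stmt->execute([':lvl' => $level, ':id' => $target]);
    return $stmt->rowCount() === 1;
}

// Output encoding for anything echoed into HTML. ENT_QUOTES covers both quote styles,
// which matters inside attributes; ENT_SUBSTITUTE keeps invalid UTF-8 from blanking
// the whole string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// bob (level 1) submits his own id with access_level=4.
$bobPost = ['user_id' => '2', 'access_level' => '4'];

setLevelWeak($db, $bobPost);
echo "weak handler, bob's level: ", levelOf($db, 2), "\n";

$db->exec('UPDATE users SET access_level = 1 WHERE id = 2');   // reset for the next run
$accepted = setLevelChecked($db, ['user_id' => 2], $bobPost);
echo "checked handler with bob's session: ", var_export($accepted, true),
     ", bob's level: ", levelOf($db, 2), "\n";

$accepted = setLevelChecked($db, ['user_id' => 1], $bobPost);
echo "checked handler with owner's session: ", var_export($accepted, true),
     ", bob's level: ", levelOf($db, 2), "\n";

// The attribute-context XSS payload through each filter, as it would land in value="...".
$payload = '" onmouseover="alert(1)';
echo 'strip_tags:       value="', strip_tags($payload), "\"\n";
echo 'htmlspecialchars: value="', h($payload), "\"\n";
```

Run it and the weak handler leaves bob at level 4, the checked handler refuses bob's own request and leaves him at 1, and only the owner's session is accepted; the last two lines show `strip_tags` passing the payload through intact while `htmlspecialchars` turns the quotes into `&quot;`. The same session-based check belongs in front of every admin page, not only the one that edits levels. The full path disclosure finding is a configuration matter rather than a code one: set `display_errors = Off` and `log_errors = On` in php.ini and leave `error_reporting` at `E_ALL`, so the warnings still reach the log instead of the visitor.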
dbillings (author), posted October 2, 2007

Updated EZ_login ver. 10.1.2007. Includes features: IP banning, users online display, Super_admins, 4 security levels with easy clickable adjustments. Demo version registers users with admin privileges. Check it out at http://www.dennisbillings.com//projects.php