Testing for flaws, please

[helraizer]

http://www.helraizer.co.uk/count/index.php

 

The style/layout of this wasn't my focus, as of yet. Just the comment system.

 

Could you please test it for security flaws?

 

Thanks, Sam

[Coreye]

Cross Site Scripting:

http://www.helraizer.co.uk/count/view_comments.php

 

You can submit HTML code in the email field, comment field, and name field.

 

You can send a blank comment, a blank email, and a blank name.

 

 

 

 

[todding01]

I was able to send a quote and break the SQL query. 

 

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's see if I can get posted', '21:56 26th November 2007')' at line 1

 

You may want to use htmlspecialchars

[helraizer]

Ok, thanks to my host, .php is php4 by default so I've had to change every link to .php5. So the pages are now

 

www.helraizer.co.uk/count/index.php5

www.helraizer.co.uk/count/view_comments.php5

[Coreye]

When adding a comment you now get;

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''70.246.145', 'a' ,'aa', 'a', '' at line 1

[helraizer]

When adding a comment you now get;

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''70.246.145', 'a' ,'aa', 'a', '' at line 1

 

I know... I kinda brokeded it. Working on it though.

[Coreye]

Submitting ' still causes mySQL errors.

Error sql1 :You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '23:52 26th November 2007')' at line 1

[agentsteal]

Cross Site Scripting:

There is Cross Site Scripting if a comment contains code.

 

Full Path Disclosure:

http://www.helraizer.co.uk/count/test.php

Fatal error: Call to undefined function: view_source() in /home/sites/helraizer.co.uk/public_html/count/test.php on line 55

 

Full Path Disclosure:

http://www.helraizer.co.uk/count/test1.php

Notice: Undefined index: username in /home/sites/helraizer.co.uk/public_html/count/test1.php on line 78

 

Notice: Undefined index: email in /home/sites/helraizer.co.uk/public_html/count/test1.php on line 79

 

Notice: Undefined index: comment in /home/sites/helraizer.co.uk/public_html/count/test1.php on line 80

 

Notice: Undefined index: submit in /home/sites/helraizer.co.uk/public_html/count/test1.php on line 82

 

Notice: Undefined index: comment in /home/sites/helraizer.co.uk/public_html/count/test1.php on line 83

[helraizer]

Full Path Disclosure:

http://www.helraizer.co.uk/count/test.php

Fatal error: Call to undefined function: view_source() in /home/sites/helraizer.co.uk/public_html/count/test.php on line 55

 

o.o How did you find test.php? Or just a guess? Maybe I should start calling everything obscure names to stop the guessing. I have a feeling that should be 'show_source()'..

 

Now, for whatever reason it posts every message blank.. I'll get working on fixing it.

[helraizer]

Ah. *deletes test1.php* - test1 was the old version, unedited from the results of this beta-testing.

 

Sorry about that

[helraizer]

There is still XSS.

 

The XSS issue should be resolved now.

[helraizer]

Can you also test delete_comment.php (when you post a comment and click to delete it).