Thread: https://forums.phpfreaks.com/topic/80148-break-my-new-shoutbox/

scarhand Posted December 4, 2007

I wrote a shoutbox a while ago that had lots of flaws. I rewrote most of the code and added advanced validation. Please test it out: http://diondesign.net/sbxr/

I will PM the admin password to the first few people who post willing to help. Thank you for your time.
Coreye Posted December 4, 2007

You can submit less than two characters in the username and message. You can submit blank usernames and messages.
neoform Posted December 4, 2007

It word-wrapped a URL I entered.
helraizer Posted December 4, 2007

You can submit as many posts at any one time as you want. You should try and limit that number.
scarhand (Author) Posted December 4, 2007

Fixed the blank message and name being posted. It's supposed to wrap after a user-specified number of characters so that no horizontal scrolling needs to happen.
helraizer Posted December 4, 2007

> Fixed the blank message and name being posted. It's supposed to wrap after a user-specified number of characters so that no horizontal scrolling needs to happen.

Is AJAX behind all this or PHP?
scarhand (Author) Posted December 4, 2007

> > Fixed the blank message and name being posted. It's supposed to wrap after a user-specified number of characters so that no horizontal scrolling needs to happen.
>
> Is AJAX behind all this or PHP?

JavaScript does basic validation; PHP checks again before inserting into the DB.
neoform Posted December 4, 2007

Well, if you want to send a URL, it'll put spaces in it. Maybe try linking the URL and making the link text just the domain name instead? Would be more user friendly. Also, I noticed it blinking a lot, like it was refreshing the screen every half second or something.
scarhand (Author) Posted December 4, 2007

> Well, if you want to send a URL, it'll put spaces in it. Maybe try linking the URL and making the link text just the domain name instead? Would be more user friendly. Also, I noticed it blinking a lot, like it was refreshing the screen every half second or something.

It auto-refreshes every 2 seconds, but in IE and Firefox it does not "blink".

The admin password is "phpfreak"; please don't change it. Once I get all the bugs fixed I will post the source code for you guys to check out.
agentsteal Posted December 4, 2007

Cross Site Scripting: There is Cross Site Scripting in the admin panel if any of the following fields contains ">code:

- Maximum name length
- Number of shouts to display
- Maximum shout length
- Add a space in words longer than (chars)
- Main text color (hex)
- Main text font family
- Main text font size (pt)
- Shoutboxer border color (hex)
- Shoutboxer border size (px)
- Header writing
- Header background color (hex)
- Header text color (hex)
- Shout button value
- Main form background color (hex)
- Form input background color (hex)
- Form input border color (hex)
- Form input border size (px)
- Form input text color (hex)
- First shout row background color (hex)
- Alternating shout row background color (hex)
- Ban notification text color (hex)

Drop Down Menu: If you edit the Order drop down menus you can submit arbitrary values.

Drop Down Menu: If you edit the Sort by drop down menus you can submit arbitrary values.

Full Path Disclosure: There is Full Path Disclosure if the Order drop down menu contains an invalid value.

    Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/kjdion/public_html/sbxr/admin/index.php on line 1257

Full Path Disclosure: There is Full Path Disclosure if the Sort by drop down menu contains an invalid value.

    Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/kjdion/public_html/sbxr/admin/index.php on line 1257

Maximum Length: If you edit the input boxes in the admin panel you can submit values that are longer than the maximum lengths.

User Enumeration: http://www.diondesign.net/~kjdion
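The findings above all come from trusting the browser-side form (maxlength, the <select> options, the hex/numeric hints). As an added example that is not part of the shoutbox's source, here is what server-side validation of those admin settings and escaping on output can look like; the field names, ranges and whitelist values are assumptions, not the project's own.

```php
<?php
// Added example, not the shoutbox's own code; field names are assumed. PHP 7.1+.
// Fixed whitelists for the two drop-downs (column names are assumed).
const ALLOWED_SORT  = ['id', 'name', 'date'];
const ALLOWED_ORDER = ['ASC', 'DESC'];

function validateSettings(array $in): array
{
    $clean = $errors = [];
    // Numeric settings: an integer in a fixed range, never trusting maxlength="".
    $ints = ['max_name_length' => [2, 32], 'max_shout_length' => [2, 500],
             'shouts_to_display' => [1, 100], 'border_size' => [0, 20]];
    foreach ($ints as $field => [$min, $max]) {
        $v = filter_var($in[$field] ?? '', FILTER_VALIDATE_INT,
            ['options' => ['min_range' => $min, 'max_range' => $max]]);
        if ($v === false) { $errors[] = "$field must be an integer from $min to $max"; }
        else { $clean[$field] = $v; }
    }

    // Colour settings: exactly six hex digits, with or without a leading '#'.
    foreach (['text_color', 'border_color', 'header_bg_color'] as $field) {
        $v = trim($in[$field] ?? '');
        if (!preg_match('/^#?[0-9A-Fa-f]{6}$/', $v)) { $errors[] = "$field must be a hex colour"; }
        else { $clean[$field] = '#' . strtolower(ltrim($v, '#')); }
    }

    // Drop-downs: strict whitelist, so an invalid value never reaches the query
    // that produced the mysql_num_rows() warning and the path disclosure with it.
    $sort = $in['sort_by'] ?? '';
    if (in_array($sort, ALLOWED_SORT, true)) { $clean['sort_by'] = $sort; }
    else { $errors[] = 'sort_by is not an allowed value'; }
    $order = strtoupper($in['order'] ?? '');
    if (in_array($order, ALLOWED_ORDER, true)) { $clean['order'] = $order; }
    else { $errors[] = 'order is not an allowed value'; }

    // Free-text settings: server-side length cap, stored as plain text.
    foreach (['header_text' => 40, 'button_value' => 20] as $field => $max) {
        $v = trim($in[$field] ?? '');
        if ($v === '' || mb_strlen($v) > $max) { $errors[] = "$field must be 1 to $max chars"; }
        else { $clean[$field] = $v; }
    }
    return [$clean, $errors];
}

// Escape every stored setting before echoing it into value="...": a saved
// "> can then no longer close the attribute and inject markup.
function attr(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```

Reject the whole submission when `$errors` is non-empty and re-display the form with `attr()` applied to each value; the stored settings then only ever contain values that passed validateSettings().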
scarhand (Author) Posted December 4, 2007

Hey agentsteal, I reset the password so you may have got kicked off; the pass is now admin123.

I just made it so that you cannot shout the exact same thing 2 times in a row, to prevent some spam.

Working on the stuff agentsteal posted now.
scarhand (Author) Posted December 4, 2007

OK, I fixed everything except for user enumeration.
scarhand (Author) Posted December 7, 2007

You can get the source code here: http://diondesign.net/products.php

Thanks for the help.
helraizer Posted December 7, 2007

As people have shown in your demo shoutbox, you can still curse in capital letters. So in your code in get.php, just change line 82

    $data = str_replace($badwords[$i], $censored, $data);

to

    $data = str_ireplace($badwords[$i], $censored, $data);

and it'll be fixed.

Sam