Fair Slice Beta Project


holiks

Fair Slice....

A small project I found laying around that I started some time ago and never finished.

So some nights ago decided to picked up on it again and these are the results thus far.

I guess in short one can say it's a sorta media publishing, socializing,

Would appreciate any comments, suggestions, questions, criticisms, sarcasm etc  :)

www.fairslice.com

...tia...



Full Path Disclosure:

There is Full Path Disclosure if you set the PHPSESSID cookie to an invalid value.

Warning: session_start(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9 in /home/content/t/h/e/thekenchow/html/index.php on line 11


Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /home/content/t/h/e/thekenchow/html/index.php:11) in /home/content/t/h/e/thekenchow/html/index.php on line 11


Warning: Unknown(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9 in Unknown on line 0


Warning: Unknown(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in Unknown on line 0


Full Path Disclosure:

There is Full Path Disclosure on http://www.fairslice.com/index.php?dest=search if a search contains an invalid character.

Fatal error: Call to undefined function: str_ireplace() in /home/content/t/h/e/thekenchow/html/search.php on line 375

I tried to register a 26 character username and a 4 character pass and it came up with an error saying "username OR password cannot exceed 32 characters".. ?

The code has been changed to reflect the fact that usernames and passwords can only contain letters and numbers.

Thank you.


Oh and BTW I really appreciate the input on security....always useful...and I see many posts in this section even requesting it. But feel free to speak on other aspects...your overall view of the site, functionality, design etc. :)


MySQL Error:

http://www.fairslice.com/index.php?dest=members&page='

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-15, 15' at line 1


Full Path Disclosure:

http://www.fairslice.com/index.php?dest=members&page[]

Fatal error: Unsupported operand types in /home/content/t/h/e/thekenchow/html/memberlist.php on line 53


You can add comments to user profiles that don't exist.

http://www.fairslice.com/index.php?dest=members&act=memberview&objectid=0


Full Path Disclosure:

http://www.fairslice.com/index.php?dest=requests&act=addmem&mem=1

Warning: mysql_result(): Unable to jump to row 0 on MySQL result index 5 in /home/content/t/h/e/thekenchow/html/requests.php on line 10


When adding a calendar event you can submit non-integers into the year field.


You can view others' private messages.

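For anyone fixing findings like the ones reported in this thread, here is an added example (not Fair Slice's code) of how they are usually closed on the PHP side: keeping PHP warnings and fatals out of the page so no /home/... path leaks, dropping a malformed PHPSESSID before session_start() sees it, validating &page= as an integer and binding the LIMIT offset instead of concatenating it, refusing comments on a profile that does not exist, and accepting only an integer year for calendar events. The table and column names (members, profile_comments, member_id, username) and the mysqli connection are assumptions.

```php
<?php
// Added example, not Fair Slice's code. Table and column names
// (members, profile_comments, member_id, username, author_id, body) are assumed.

declare(strict_types=1);

// 1. Keep PHP's own error text off the page. Every path disclosure in the
//    thread is a warning or fatal error rendered straight into the HTML;
//    log it server-side instead of displaying it.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// 2. Drop a malformed session cookie before session_start() sees it, so PHP
//    silently issues a fresh id instead of warning about invalid characters.
function startSessionSafely(): void
{
    $cookieName = session_name();                 // 'PHPSESSID' by default
    if (isset($_COOKIE[$cookieName])
        && (!is_string($_COOKIE[$cookieName])
            || !preg_match('/^[a-zA-Z0-9]{1,128}$/', $_COOKIE[$cookieName]))) {
        unset($_COOKIE[$cookieName]);             // session_start() reads the id from $_COOKIE
    }
    session_start();
}

// 3. Accept &page= only as a positive integer. filter_var() returns false for
//    "'" and for page[] (an array), so both fall back to page 1, and the
//    offset is bound as a parameter rather than pasted into the SQL string.
function pageNumber($raw, int $default = 1): int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $n === false ? $default : $n;
}

function memberPage(mysqli $db, $rawPage, int $perPage = 15): array
{
    $offset = (pageNumber($rawPage) - 1) * $perPage;
    $stmt = $db->prepare('SELECT member_id, username FROM members ORDER BY username LIMIT ?, ?');
    $stmt->bind_param('ii', $offset, $perPage);
    $stmt->execute();
    $stmt->bind_result($id, $name);
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = ['member_id' => $id, 'username' => $name];
    }
    return $rows;
}

// 4. Check that the target row exists before reading from it or writing to it.
//    This covers objectid=0 (comment on a missing profile) and mem=1
//    (mysql_result() called on an empty result set).
function memberExists(mysqli $db, int $memberId): bool
{
    $stmt = $db->prepare('SELECT 1 FROM members WHERE member_id = ?');
    $stmt->bind_param('i', $memberId);
    $stmt->execute();
    $stmt->store_result();
    return $stmt->num_rows > 0;
}

function addProfileComment(mysqli $db, $rawMemberId, int $authorId, string $body): bool
{
    $memberId = filter_var($rawMemberId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($memberId === false || !memberExists($db, $memberId)) {
        return false;                             // refuse; nothing is inserted
    }
    $stmt = $db->prepare('INSERT INTO profile_comments (member_id, author_id, body) VALUES (?, ?, ?)');
    $stmt->bind_param('iis', $memberId, $authorId, $body);
    return $stmt->execute();
}

// 5. Calendar year: an integer inside a sane range, nothing else.
function calendarYear($raw): ?int
{
    $y = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1970, 'max_range' => 2100]]);
    return $y === false ? null : $y;
}
```

The display_errors / log_errors lines belong in php.ini or the front controller rather than in every script; the point is that a visitor never sees a warning, only the log does. Binding the LIMIT values also stops the '-15, 15' style syntax errors, since the offset can no longer be anything but an integer.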


This just couldn't be all...or could it? ....baaah humbug :)  ..I think the video/audio upload/playing works pretty well, though not sure of the efficiency of the code (/me thinks code could be smaller and faster :) ). It pretty much stores a temporary file for download by the user, which was originally pulled from a...well, mysql db. Yes, I went the way of storing pretty much all media (music/video/pics) in the db with a "garbage cleanup" performed ever so often (in case, for some reason, the client needs to retry their request within a short period of time).


[-edit-]

Oh btw please excuse my above post about aesthetic comments...for my eyes have just discovered the Critique forum :P
