Beta Testing Stage.....Gaming Ladder

[Zepo.]

www.eliteladders.com/devlopment/

 

Please report any problems, errors, security issues, ect. please.

Any ideas or comment would be greatly appreciated, if you would like to test the admincp them pm me.

[helraizer]

How do you register? - Sorry.. found out how. =P

 

XSS

http://www.eliteladders.com/devlopment/join.php

[Zepo.]

got it handled

[helraizer]

got it handled

 

Apparently not.

 

Now on every page you get an alert box saying '1', because I included script in my username. I could input javascript from my site, but then no one could again test your site.. So I won't.

 

Also it says 'Error: Your IP address has already been used in this ladder', so I reset my internet connection and was able to make another account, so you probably shouldn't do it by IP.

 

Sam

[Coreye]

Cross Site Scripting:

You can add ">code when adding news.

 

Cross Site Scripting:

You can add ">code when creating groups.

 

You can type in non integers when filling in the position for creating groups.

 

The admin logs page has XSS flaws.

 

You can submit ">code when adding bans.

 

[Zepo.]

Ok XSS completely fixed now, how else would i do that besides ip?

[Coreye]

Ok XSS completely fixed now, how else would i do that besides ip?

 

The administration panel still has XSS flaws.

 

Registration still has XSS flaws.

[Zepo.]

I know, admincp will stay the same for now, what on registration has that?

[Coreye]

I know, admincp will stay the same for now, what on registration has that?

 

When you register you can submit ">code.

 

Looks like you can create multiple accounts which are the same name.

[Zepo.]

How do i fix these xss's?

[helraizer]

How do i fix these xss's?

 

XSS is means that if the user inputs HTML code into your registration field and submit it, it will input that HTML into your source code, thus running what they put in.  So with php there is a function called htmlspecialchars, which means that if you use the code like

 

$user = $_POST['username'];

 

This uses anything the user types in the field, instead you should use:

$user = htmlspecialchars($_POST['username']);

 

This will turn <script> (which can be dangerous) into <script>, which is perfectly harmless. Though the latter doesn't look that nice, so when you pull down the data from the database you should use htmlspecialchars_decode.

 

Hope that helps,

 

Sam

[Zepo.]

I just realized it already does that......but not sure if it works..

 

Heres the code

$team[name]=charecters($team[name]);

 

Heres the function

function charecters($text){
$text=wordwrap($text,100," ",1);
$text=htmlspecialchars("$text");
$text=trim($text);
return($text);
}

[helraizer]

I just realized it already does that......but not sure if it works..

 

Heres the code

$team[name]=charecters($team[name]);

 

Heres the function

function charecters($text){
$text=wordwrap($text,100," ",1);
$text=htmlspecialchars("$text");
$text=trim($text);
return($text);
}

 

take out the the "" in htmlspecialchars("$text");

 

so it'd be

$text = htmlspecialchars($text);

 

Sam

[Zepo.]

KK Lets see if it works now...

[helraizer]

KK Lets see if it works now...

 

It appears to work now. My username was 'helraizer<script>alert(1);</script>' which meant that on everypage /you/ went on an alert box saying '1' would appear. Now that has changed, so it appears to work.

 

Sam

[Zepo.]

Yea it works, thanks =].

[Zepo.]

Further testing?