Dragen Posted December 19, 2007
Hi, I've just finished a website and am in need of some beta testing to put it through the rigs. Please don't comment on the design/layout as that is the design the client gave me, I just did the coding. I'm just hoping some people wouldn't mind signing up for an account and stuff to see how it works, any errors etc. I'm sure I've worked through all the kinks though. Here's the site: www.test.gimppro.co.uk (it's just on a test server for now). All links in emails sent to a user will link to counterstop.co.uk, so just replace the counterstop part with test.gimppro. Once beta testing is finished it will be on the counterstop domain. Also some ideas on how much you think I should charge the client for the website would be good, as it's my first proper job, so I'm a bit unsure. Thanks
EDIT: forgot to say. The site is for hit counters.
Link to comment https://forums.phpfreaks.com/topic/82318-testing-my-website/
Dragen (Author) Posted December 19, 2007
also.. if you don't want to sign up for an account you can use this password and username:
username: testdemo
password: testdemo
jos. Posted December 19, 2007
There are five things at the top of the page under the main nav and only 3 of them are links, but they look no different than the two that are just text. I think some colour or underlining is in order here. It would also be nice if it said something at the top of the page to let you know that you are logged in... it took me a second or two to notice the wording where the login inputs were. I did not have time to mess with the rest of the functionality but what I did try worked. Jos.
rajivgonsalves Posted December 19, 2007
Ok, in registration if I put ' (single quote) in any of the text boxes it comes back with add slashes if there is an error.
Dragen (Author) Posted December 19, 2007
> There are five things at the top of the page under the main nav and only 3 of them are links, but they look no different than the two that are just text. I think some colour or underlining is in order here. It would also be nice if it said something at the top of the page to let you know that you are logged in... it took me a second or two to notice the wording where the login inputs were. I did not have time to mess with the rest of the functionality but what I did try worked. Jos.
Thanks jos. As I said above, I'm not fussed about the layout or colours as I don't really have a say on those parts. I just did the coding and am sticking to my client's layout. The links at the top, and also the footer links, don't work. As well as the terms of agreement link on sign-up. That will be changed, but the client hasn't given me the info to put on the pages yet.
> Ok, in registration if I put ' (single quote) in any of the text boxes it comes back with add slashes if there is an error.
ah, thanks! I'll change that.
agentsteal Posted December 19, 2007
Cross Site Scripting: There is Cross Site Scripting if the Expect header contains code.
Cross Site Scripting: There is Cross Site Scripting when you register if the fields contain ">code.
Cross Site Scripting: There is Cross Site Scripting on the edit profile pages if the fields contain ">code.
Directory Traversal: http://www.test.gimppro.co.uk/admin/logout.php?p=a/../
Drop Down Menu: If you edit the drop down menus on the edit profile pages you can submit arbitrary values.
Drop Down Menu: If you edit the drop down menus on the create counter page you can submit arbitrary values.
Drop Down Menu: If you edit the drop down menus on the register page you can submit arbitrary values.
Full Path Disclosure: http://www.test.gimppro.co.uk/admin/logout.php?p[]
Warning: htmlentities() expects parameter 1 to be string, array given in /home/fhlinux172/t/test.gimppro.co.uk/user/htdocs/admin/logout.php on line 18
Full Path Disclosure: http://www.test.gimppro.co.uk/footer.php
Notice: Undefined variable: adbanners in /home/fhlinux172/t/test.gimppro.co.uk/user/htdocs/footer.php on line 5
Fatal error: Call to a member function ad() on a non-object in /home/fhlinux172/t/test.gimppro.co.uk/user/htdocs/footer.php on line 5
Full Path Disclosure: There is Full Path Disclosure if the cookname cookie is an array.
Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /home/fhlinux172/t/test.gimppro.co.uk/user/htdocs/admin/login.php on line 11
Full Path Disclosure: There is Full Path Disclosure if the cookpass cookie is an array.
Notice: Array to string conversion in /home/fhlinux172/t/test.gimppro.co.uk/user/htdocs/admin/login.php on line 23
Full Path Disclosure: There is Full Path Disclosure if the PHPSESSID cookie is an array.
Notice: Array to string conversion in /home/fhlinux172/t/test.gimppro.co.uk/user/htdocs/header.php on line 4
Insecure Cookie: You shouldn't put the password in the cookie.
Insecure Cookie: You shouldn't put the username in the cookie.
SQL Error: Error: cannot connect to database. Incorrect details please contact the administrator
URL Inclusion: http://www.test.gimppro.co.uk/admin/logout.php?p=http://www.google.com/
User Enumeration: http://www.test.gimppro.co.uk/~root
You can log in as any user by setting the cookname and cookpass cookies to their username and password hash.
Dragen (Author) Posted December 19, 2007
> There is Cross Site Scripting if you try to register with ">code in the fields.
> If you edit the drop down menus on the register page you can submit arbitrary values.
> User Enumeration: http://www.test.gimppro.co.uk/~root
Could you explain what you mean please? I thought I was safe from scripting as I enter all database values through mysql_real_escape_string.
Dragen (Author) Posted December 19, 2007
> Directory Traversal: http://www.test.gimppro.co.uk/admin/logout.php?p=a/../
> Full Path Disclosure: http://www.test.gimppro.co.uk/admin/logout.php?p[]
> Warning: htmlentities() expects parameter 1 to be string, array given in /home/fhlinux172/t/test.gimppro.co.uk/user/htdocs/admin/logout.php on line 18
> URL Inclusion: http://www.test.gimppro.co.uk/admin/logout.php?p=http://www.google.com/
> There is Cross Site Scripting through the Expect header.
Thanks for pointing that out. I think I've solved that problem. I'm still not quite sure what you were meaning about the inputs on the forms though. Could you give me an example?
Dragen (Author) Posted December 19, 2007
Thanks. I think I've just solved the ">code problem. I know I shouldn't really store the username and password in a cookie, but how else can I set a 'remember me' function? The cookie only gets set if you tick 'remember me' when logging in. I don't know of another way of doing it. I guess I could salt the info.
Dragen (Author) Posted December 19, 2007
Just realised I'd only fixed it on the edit settings page, so I've just fixed the registration page. Now I'm about to do the counters page. How is it possible to do similar things with the drop down boxes?
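The thread never shows the code behind the form findings, so here is an added PHP example (not Dragen's code; the helper names, the page keys in the redirect map and the form field names are my own assumptions) illustrating the defensive side of what agentsteal reported. It shows why mysql_real_escape_string does not prevent the ">code problem (it protects the SQL query, not the HTML page the value is echoed into), why a drop-down value has to be re-checked on the server, how a logout redirect parameter can be kept from being used as a path or URL, and how to normalise parameters that PHP turns into arrays before any string function warns about them.

```php
<?php
// Added example, not the site's own code. Assumes PHP 5.4+.

// 1. Escaping is context-specific. mysql_real_escape_string() (or a prepared
//    statement) protects the SQL query only. A value echoed raw into
//    value="..." lets a ">..." input close the attribute, which is the
//    finding reported above. Escape at output time, for the HTML context.
function h($value)
{
    // ENT_QUOTES also escapes single quotes, so the result is safe inside
    // value='...' as well as value="...".
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// 2. A <select> only restricts what the browser offers; the request can carry
//    any string, so the server must check it against its own list.
function selectedOption($value, array $allowed, $default)
{
    // strict in_array: '0', 0 and '' are not interchangeable here
    if (is_string($value) && in_array($value, $allowed, true)) {
        return $value;
    }
    return $default;
}

// 3. A "where to go after logout" parameter must never be used as a path or
//    URL directly (the p=a/../ and p=http://... findings). Map a short key
//    to a fixed local target instead. Keys and targets are hypothetical.
$redirectTargets = array(
    'home'    => '/index.php',
    'control' => '/admin/control.php',
);
function redirectTarget($key, array $targets)
{
    if (is_string($key) && isset($targets[$key])) {
        return $targets[$key];
    }
    return $targets['home'];
}

// 4. PHP turns ?p[]=x and "Cookie: cookname[]=x" into arrays, and the string
//    functions then emit warnings that leak the server path. Normalise once.
function stringParam(array $source, $name, $default = '')
{
    return (isset($source[$name]) && is_string($source[$name]))
        ? $source[$name] : $default;
}

// --- usage on a registration form (constructed request values) ---
$_POST = array('name' => '"><b>code</b>', 'plan' => 'unlimited', 'p' => array('x'));
$plans = array('free', 'pro');

$name = stringParam($_POST, 'name');                          // still a string
$plan = selectedOption(stringParam($_POST, 'plan'), $plans, 'free'); // 'free'
$next = redirectTarget(stringParam($_POST, 'p'), $redirectTargets);  // '/index.php'

echo '<input type="text" name="name" value="' . h($name) . '">' . "\n";
echo '<select name="plan">' . "\n";
foreach ($plans as $p) {
    $sel = ($p === $plan) ? ' selected' : '';
    echo '  <option value="' . h($p) . '"' . $sel . '>' . h($p) . '</option>' . "\n";
}
echo '</select>' . "\n";
echo '<!-- after logout, redirect to ' . h($next) . ' -->' . "\n";
```

The rendered name field shows `&quot;&gt;&lt;b&gt;code&lt;/b&gt;` as literal text, the unknown plan falls back to the default, and the array-valued `p` is ignored instead of reaching htmlentities().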
ohdang888 Posted December 20, 2007
What's the point of logging in? There's nothing new for members.
Dragen (Author) Posted December 20, 2007
> What's the point of logging in? There's nothing new for members.
Try clicking on "control" in the header. I know that layout's not brilliantly clear, but as I've already said, I can't do anything about that.
anon Posted December 21, 2007
The 'resources' link doesn't work.
anon Posted December 21, 2007
and the FAQ link
Dragen (Author) Posted December 21, 2007
> The 'resources' link doesn't work.
Answer: The links at the top, and also the footer links, don't work. As well as the terms of agreement link on sign-up. That will be changed, but the client hasn't given me the info to put on the pages yet.
Dragen (Author) Posted December 21, 2007
okay. I'm gonna leave this topic up as unsolved until Saturday evening GMT. After that point, so long as no-one points out any more flaws, I'll class it as solved and assume that all bugs are fixed. Can anyone find any more bugs/security problems?? thanks
Dragen (Author) Posted December 21, 2007
Thanks for more feedback!
> Full Path Disclosure: http://www.test.gimppro.co.uk/footer.php
Fixed this one! forgot to run a check.
> You can log in as another member by changing the cookname and cookpass in the cookie to their username and password hash.
This is partially fixed. Basically the cookie settings have no effect unless session variables aren't set (which should be when you first open the browser), so it keeps users logged in. Is there a better way of keeping users logged in after browser close?
> There is Full Path Disclosure if you make cookname in the cookie an Array.
> Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /home/fhlinux172/t/test.gimppro.co.uk/user/htdocs/admin/login.php on line 11
> There is Full Path Disclosure if you make cookpass in the cookie an Array.
> Notice: Array to string conversion in /home/fhlinux172/t/test.gimppro.co.uk/user/htdocs/admin/login.php on line 23
> There is Full Path Disclosure if you make PHPSESSID in the cookie an Array.
> Notice: Array to string conversion in /home/fhlinux172/t/test.gimppro.co.uk/user/htdocs/header.php on line 4
I think I've solved the cookie username and password array problem. I'm not sure if I've fixed the PHPSESSID cookie one though. If you could let me know! Thanks
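Dragen asks twice in this thread how to keep users logged in after the browser closes without storing the username and password hash in the cookie. The usual answer, as an added PHP example that is not the site's code, is a random token: the cookie carries a lookup selector and a secret validator, the database stores only a hash of the validator, and the token is rotated on each use and deleted on logout. Because the validator is random, a stolen or forged cookie reveals nothing about the password and can be revoked server-side. The table name and columns, the cookie name and the 30-day lifetime are my own assumptions; the example expects PHP 7.0+ (random_bytes, hash_equals), a PDO connection `$db`, and that session_start() has already been called.

```php
<?php
// Added example, not the site's own code. Assumed hypothetical table:
//   CREATE TABLE remember_tokens (
//     selector CHAR(24) PRIMARY KEY, validator_hash CHAR(64) NOT NULL,
//     user_id INT NOT NULL, expires DATETIME NOT NULL);

const REMEMBER_COOKIE = 'remember';   // assumed cookie name
const REMEMBER_DAYS   = 30;           // assumed lifetime

// Called after a successful password login when "remember me" was ticked.
function issueRememberToken(PDO $db, $userId)
{
    $selector  = bin2hex(random_bytes(12));   // public lookup key (24 hex chars)
    $validator = bin2hex(random_bytes(32));   // secret, stored only as a hash
    $expires   = time() + REMEMBER_DAYS * 86400;

    $stmt = $db->prepare('INSERT INTO remember_tokens (selector, validator_hash, user_id, expires)
                          VALUES (?, ?, ?, FROM_UNIXTIME(?))');
    $stmt->execute(array($selector, hash('sha256', $validator), $userId, $expires));

    // httponly keeps the value away from injected script; the "secure" flag
    // (sixth argument) should be set once the site is served over HTTPS.
    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, $expires, '/', '', false, true);
}

// Called on every request before falling back to the login form. Returns the
// user id, or null when there is no valid token. The cookie is untrusted input:
// it must be a string of exactly the expected shape, which also avoids the
// "array given" warnings that leaked the server path.
function userFromRememberToken(PDO $db)
{
    if (!isset($_COOKIE[REMEMBER_COOKIE]) || !is_string($_COOKIE[REMEMBER_COOKIE])) {
        return null;
    }
    if (!preg_match('/^([0-9a-f]{24}):([0-9a-f]{64})$/', $_COOKIE[REMEMBER_COOKIE], $m)) {
        return null;
    }
    list(, $selector, $validator) = $m;

    $stmt = $db->prepare('SELECT user_id, validator_hash FROM remember_tokens
                          WHERE selector = ? AND expires > NOW()');
    $stmt->execute(array($selector));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return null;
    }

    // Constant-time comparison of hashes; the raw secret is never stored.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Known selector with the wrong secret: treat the token as compromised.
        $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute(array($selector));
        return null;
    }

    // Fresh session id for the user, then rotate the token so each cookie is single-use.
    $userId = (int) $row['user_id'];
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute(array($selector));
    issueRememberToken($db, $userId);
    return $userId;
}

// On logout, clear the stored token as well as the session.
function forgetRememberToken(PDO $db)
{
    if (isset($_COOKIE[REMEMBER_COOKIE]) && is_string($_COOKIE[REMEMBER_COOKIE])) {
        $parts = explode(':', $_COOKIE[REMEMBER_COOKIE], 2);
        $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute(array($parts[0]));
    }
    setcookie(REMEMBER_COOKIE, '', time() - 3600, '/', '', false, true);
    $_SESSION = array();
    session_destroy();
}
```

With this in place the login page checks `$_SESSION['user_id']` first, then `userFromRememberToken($db)`, and only then shows the form; the cookname and cookpass cookies go away entirely, which also removes the "array given" warnings on login.php.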
Dragen (Author) Posted December 21, 2007
ah sorry. The array problem was a brain fart on my behalf. It should hopefully work now.
> Some of the pages are saying: Error: cannot connect to database. Incorrect details please contact the administrator
hmm.. I thought that'd been fixed. If you reload the page it should be fine, or it'll give you a 500 internal server message... It's not my fault, it's something to do with my server. My host were looking into it :-\
Dragen (Author) Posted December 22, 2007
okay.. Agentsteal, or anyone else, anything else to add? And is the PHPSESSID one solved? Thanks for all the help!
Coreye Posted December 24, 2007
When I go to http://www.test.gimppro.co.uk/ it sometimes works, but I usually get:
Error: cannot connect to database. Incorrect details please contact the administrator
or
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator, webmaster@test.gimppro.co.uk and inform them of the time the error occurred, and anything you might have done that may have caused the error. More information about this error may be available in the server error log.
Dragen (Author) Posted December 24, 2007
People are still getting the database and internal 500 messages? I'm really annoyed with my host right now. I thought it had been fixed. I'm quite sure it's a problem on the server as the database details are all accurate and there's only one .htaccess file, which wouldn't cause a 500 problem. I'll have another word with them. For now, please just try refreshing the page until it works! Sorry about this! :-\