
Testing my website?


Dragen


Hi,

I've just finished a website and am in need of some beta testing to put it through the rigours.

Please don't comment on the design/layout as that is the design the client gave me, I just did the coding.

 

I'm just hoping some people wouldn't mind signing up for an account and stuff to see how it works, any errors etc. I'm sure I've worked through all the kinks though.

 

Here's the site: www.test.gimppro.co.uk

(it's just on a test server for now)

All links in emails sent to a user will link to counterstop.co.uk, so just replace the counterstop part with test.gimppro. Once beta testing is finished it will be on the counterstop domain.

 

 

Also some ideas on how much you think I should charge the client for the website would be good, as it's my first proper job, so I'm a bit unsure.

 

Thanks

 

 

EDIT: forgot to say. The site is for hit counters


There are five things at the top of the page under the main nav and only 3 of them are links, but they look no different than the two that are just text. I think some colour or underlining is in order here.

 

It would also be nice if it said something at the top of the page to let you know that you are logged in... it took me a second or two to notice the wording where the login inputs were.

 

I did not have time to mess with the rest of the functionality but what I did try worked.

 

Jos.



 

Thanks jos. As I said above, I'm not fussed about the layout or colours as I don't really have a say on those parts. I just did the coding and am sticking to my clients layout.

The links at the top, and also the footer links don't work. As well as the terms of agreement link on sign-up. That will be changed, but the client hasn't given me the info to put on the pages yet.

 

 

Ok, in registration if I put ' (single quote) in any of the text boxes, it comes back with added slashes if there is an error.

Ah, thanks! I'll change that.


Cross Site Scripting:

There is Cross Site Scripting if the Expect header contains code.

 

Cross Site Scripting:

There is Cross Site Scripting when you register if the fields contain ">code.

 

Cross Site Scripting:

There is Cross Site Scripting on the edit profile pages if the fields contain ">code.

 

Directory Traversal:

http://www.test.gimppro.co.uk/admin/logout.php?p=a/../

 

Drop Down Menu:

If you edit the drop down menus on the edit profile pages you can submit arbitrary values.

 

Drop Down Menu:

If you edit the drop down menus on the create counter page you can submit arbitrary values.

 

Drop Down Menu:

If you edit the drop down menus on the register page you can submit arbitrary values.

 

Full Path Disclosure:

http://www.test.gimppro.co.uk/admin/logout.php?p[]

Warning: htmlentities() expects parameter 1 to be string, array given in /home/fhlinux172/t/test.gimppro.co.uk/user/htdocs/admin/logout.php on line 18

 

Full Path Disclosure:

http://www.test.gimppro.co.uk/footer.php

Notice: Undefined variable: adbanners in /home/fhlinux172/t/test.gimppro.co.uk/user/htdocs/footer.php on line 5

 

Fatal error: Call to a member function ad() on a non-object in /home/fhlinux172/t/test.gimppro.co.uk/user/htdocs/footer.php on line 5

 

Full Path Disclosure:

There is Full Path Disclosure if the cookname cookie is an array.

Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /home/fhlinux172/t/test.gimppro.co.uk/user/htdocs/admin/login.php on line 11

 

Full Path Disclosure:

There is Full Path Disclosure if the cookpass cookie is an array.

Notice: Array to string conversion in /home/fhlinux172/t/test.gimppro.co.uk/user/htdocs/admin/login.php on line 23

 

Full Path Disclosure:

There is Full Path Disclosure if the PHPSESSID cookie is an array.

Notice: Array to string conversion in /home/fhlinux172/t/test.gimppro.co.uk/user/htdocs/header.php on line 4

 

Insecure Cookie:

You shouldn't put the password in the cookie.

 

Insecure Cookie:

You shouldn't put the username in the cookie.

 

SQL Error:

Error: cannot connect to database. Incorrect details

please contact the administrator

 

URL Inclusion:

http://www.test.gimppro.co.uk/admin/logout.php?p=http://www.google.com/

 

User Enumeration:

http://www.test.gimppro.co.uk/~root

 

You can log in as any user by setting the cookname and cookpass cookies to their username and password hash.


There is Cross Site Scripting if you try to register with ">code in the fields.

 

If you edit the drop down menus on the register page you can submit arbitrary values.

 

User Enumeration:

http://www.test.gimppro.co.uk/~root

 

Could you explain what you mean please? I thought I was safe from scripting as I enter all database values through mysql_real_escape_string.

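An added example, not code from the site or from either poster, to illustrate the findings above and the question about mysql_real_escape_string: that function escapes a value for the SQL query only. The ">code reports come from echoing the stored value back into an HTML attribute, which needs a separate, HTML-specific escape at output time. The same block also shows server-side re-checking of drop-down values, rejecting array-valued parameters (the ?p[] and cookie-array tricks behind the path disclosures), and mapping a page selector such as logout.php?p= onto a fixed list instead of using it as a path or URL. The $submitted array is constructed sample input; the mysqli connection and the page list are hypothetical.

```php
<?php
// Added example (not the original site's code). One piece of attacker input,
// handled correctly in each of the contexts the findings above touch.

// Constructed sample input, as a tester would submit it from the register /
// edit-profile forms and the logout.php?p= parameter.
$submitted = [
    'username' => 'bob"><script>alert(1)</script>',
    'country'  => 'not-in-the-list',   // drop-down value edited in the browser
    'p'        => ['x'],               // ?p[]=x, the array trick behind "array given"
];

// 1. SQL context. mysqli_real_escape_string() makes a value safe inside a quoted
//    SQL literal and nothing else. ($link is a hypothetical live connection; a
//    prepared statement, as in findUser(), is the better option.)
function sqlLiteral(mysqli $link, string $value): string {
    return "'" . mysqli_real_escape_string($link, $value) . "'";
}
function findUser(mysqli $link, string $username): ?array {
    $st = $link->prepare('SELECT id, username FROM users WHERE username = ?');
    $st->bind_param('s', $username);
    $st->execute();
    return $st->get_result()->fetch_assoc() ?: null;
}

// 2. HTML context. Escape every value at the moment it is echoed into a page,
//    regardless of how it was stored. ENT_QUOTES also covers double-quoted attributes,
//    which is exactly where value="..."> was being broken out of.
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. Drop-downs. The browser is not trusted: re-check the submitted value
//    against the server-side list and fall back to a default otherwise.
function selectedOption(array $allowed, $value, string $default): string {
    return (is_string($value) && in_array($value, $allowed, true)) ? $value : $default;
}

// 4. Anything in $_GET, $_POST or $_COOKIE may be an array (?p[], cookname[]).
//    Type-check before passing it to a string function; no warning, no path leak.
function stringParam(array $source, string $key, string $default = ''): string {
    return (isset($source[$key]) && is_string($source[$key])) ? $source[$key] : $default;
}

// 5. A "where to go next" parameter is an index into a fixed list of local pages,
//    never a filesystem path or a URL. This removes both the a/../ traversal and
//    the http://www.google.com/ inclusion in one step. (Hypothetical page list.)
function redirectTarget(string $p): string {
    $pages = ['home' => '/index.php', 'profile' => '/admin/profile.php'];
    return $pages[$p] ?? '/index.php';
}

$countries = ['UK', 'US', 'DE'];
$username  = stringParam($submitted, 'username');
$country   = selectedOption($countries, $submitted['country'], 'UK');   // falls back to 'UK'
$target    = redirectTarget(stringParam($submitted, 'p', 'home'));       // array -> 'home' -> /index.php

// Rendering the edit-profile form: the injected "> is now inert text.
echo '<input type="text" name="username" value="' . h($username) . '">' . "\n";
echo '<select name="country">';
foreach ($countries as $c) {
    echo '<option' . ($c === $country ? ' selected' : '') . '>' . h($c) . '</option>';
}
echo "</select>\n";
echo '<a href="' . h($target) . '">continue</a>' . "\n";
```

The type checks in stringParam() stop the "expects parameter 1 to be string, array given" warnings from being raised at all; turning display_errors off in production (and logging to a file instead) removes the remaining full-path disclosures such as the undefined $adbanners notice in footer.php.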

Directory Traversal:

http://www.test.gimppro.co.uk/admin/logout.php?p=a/../

 

Full Path Disclosure:

http://www.test.gimppro.co.uk/admin/logout.php?p[]

Warning: htmlentities() expects parameter 1 to be string, array given in /home/fhlinux172/t/test.gimppro.co.uk/user/htdocs/admin/logout.php on line 18

 

URL Inclusion:

http://www.test.gimppro.co.uk/admin/logout.php?p=http://www.google.com/

 

There is Cross Site Scripting through the Expect header.

Thanks for pointing that out. I think I've solved that problem. I'm still not quite sure what you were meaning about the inputs on the forms though.

Could you give me an example?


Thanks. I think I've just solved the ">code problem.

 

I know I shouldn't really store the username and password in a cookie, but how else can I set a 'remember me' function?

The cookie only gets set if you tick 'remember me' when logging in. I don't know of another way of doing it. I guess I could salt the info.


The 'resources' link doesn't work.

 

Answer:

The links at the top, and also the footer links don't work. As well as the terms of agreement link on sign-up. That will be changed, but the client hasn't given me the info to put on the pages yet.


Okay. I'm gonna leave this topic up as unsolved until Saturday evening GMT. After that point, so long as no-one points out any more flaws, I'll class it as solved and assume that all bugs are fixed.

 

Can anyone find any more bugs/security problems??

 

thanks


Thanks for more feedback!

 

Fixed this one! forgot to run a check.

 

You can log in as another member by changing the cookname and cookpass in the cookie to their username and password hash.

This is partially fixed. Basically the cookie settings have no effect unless session variables aren't set (which should be when you first open the browser), so it keeps users logged in.

Is there a better way of keeping users logged in after browser close?

 

There is Full Path Disclosure if you make cookname in the cookie an Array.

Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /home/fhlinux172/t/test.gimppro.co.uk/user/htdocs/admin/login.php on line 11

 

There is Full Path Disclosure if you make cookpass in the cookie an Array.

Notice: Array to string conversion in /home/fhlinux172/t/test.gimppro.co.uk/user/htdocs/admin/login.php on line 23

 

There is Full Path Disclosure if you make PHPSESSID in the cookie an Array.

Notice: Array to string conversion in /home/fhlinux172/t/test.gimppro.co.uk/user/htdocs/header.php on line 4

I think I've solved the cookie username and password array problem.

 

I'm not sure if I've fixed the PHPSESSID cookie one though. If you could let me know!

 

Thanks

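An added example, not code from the site or from either poster, for the two questions above about a 'remember me' function and keeping users logged in after the browser closes. Instead of storing the username and password hash in the cookie (which lets anyone who knows another member's hash log in as them), the cookie carries a random token that is only meaningful against a server-side table; the secret half is stored hashed, so a copy of the table cannot be turned into a valid cookie. Assumptions: a PDO handle $db, a hypothetical table remember_tokens(selector, validator_hash, user_id, expires), PHP 7.3 or later for the setcookie() options array, and that session_start() has already been called.

```php
<?php
// Added example (not the original site's code): a "remember me" cookie built from
// a random selector + validator pair rather than the user's credentials.
// Hypothetical schema:
//   remember_tokens(selector CHAR(24), validator_hash CHAR(64), user_id INT, expires DATETIME)

const REMEMBER_DAYS = 30;

// Called at login when the 'remember me' box is ticked.
function issueRememberCookie(PDO $db, int $userId): void {
    $selector  = bin2hex(random_bytes(12));   // 24 hex chars: the lookup key
    $validator = bin2hex(random_bytes(32));   // 64 hex chars: the secret, sent only to the browser
    $expires   = time() + REMEMBER_DAYS * 86400;

    $st = $db->prepare(
        'INSERT INTO remember_tokens (selector, validator_hash, user_id, expires) VALUES (?, ?, ?, ?)'
    );
    $st->execute([$selector, hash('sha256', $validator), $userId, date('Y-m-d H:i:s', $expires)]);

    setcookie('remember', $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable by page scripts, which limits what an XSS can steal
        'samesite' => 'Lax',
    ]);
}

// Called on each request when no session user is set. Returns the user id or null.
function userFromRememberCookie(PDO $db): ?int {
    $raw = $_COOKIE['remember'] ?? null;
    // Missing, array-valued (the cookname[] trick) or malformed: ignore it silently.
    if (!is_string($raw) || !preg_match('/^([0-9a-f]{24}):([0-9a-f]{64})$/', $raw, $m)) {
        return null;
    }
    [, $selector, $validator] = $m;

    $st = $db->prepare('SELECT validator_hash, user_id, expires FROM remember_tokens WHERE selector = ?');
    $st->execute([$selector]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || strtotime($row['expires']) < time()) {
        return null;
    }
    // Constant-time comparison so response timing does not leak the stored hash.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Correct selector but wrong secret: treat the token as tampered with and revoke it.
        $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
        return null;
    }
    session_regenerate_id(true);              // fresh session id on privilege change
    $_SESSION['user_id'] = (int) $row['user_id'];
    return (int) $row['user_id'];
}

// Called on logout: delete the server-side record and expire the cookie.
function revokeRememberCookie(PDO $db): void {
    $raw = $_COOKIE['remember'] ?? '';
    if (is_string($raw) && ($pos = strpos($raw, ':')) !== false) {
        $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([substr($raw, 0, $pos)]);
    }
    setcookie('remember', '', ['expires' => time() - 3600, 'path' => '/']);
}
```

With this in place the login code never reads a username or password hash from a cookie at all, so the "set cookname and cookpass to another member's details" bypass has nothing to work with, and a user can be logged out everywhere by deleting their rows from the table.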

ah sorry. The array problem was a brain fart on my behalf. It should hopefully work now.

 

Some of the pages are saying:

Error: cannot connect to database. Incorrect details

please contact the administrator

Hmm.. I thought that'd been fixed. If you reload the page it should be fine, or it'll give you a 500 internal server message...

It's not my fault, it's something to do with my server. My host were looking into it :-\


When I go to http://www.test.gimppro.co.uk/ it sometimes works, but I usually get:

Error: cannot connect to database. Incorrect details

please contact the administrator

 

or

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

 

Please contact the server administrator, webmaster@test.gimppro.co.uk and inform them of the time the error occurred, and anything you might have done that may have caused the error.

 

More information about this error may be available in the server error log.


People are still getting the database and internal 500 messages? I'm really annoyed with my host right now. I thought it had been fixed.

I'm quite sure it's a problem on the server as the database details are all accurate and there's only one .htaccess file, which wouldn't cause a 500 problem.

 

I'll have another word with them. For now, please just try refreshing the page until it works! Sorry about this! :-\
