kristopherWindsor Posted February 16, 2008
The site is: http://pics.windsorfamilyfarm.com/index.php
You can upload a picture here (no registration required): http://pics.windsorfamilyfarm.com/upload.php
Each picture has some tags. The tags are listed on the index page. If you click on a tag, it will show all the pictures with that tag. The pictures are randomly placed, but should not overlap (unless the aspect ratio causes the JS to miscalculate the height of the picture). I hope it works well.
Coreye Posted February 16, 2008
You can create really long tags that end up stretching the page. You can enter blank inputs for the Author, Tags and Caption fields.
kristopherWindsor (Author) Posted February 16, 2008
> You can create really long tags that end up stretching the page. You can enter blank inputs for the Author, Tags and Caption fields.
Fixed!
agentsteal Posted February 16, 2008
Cross Site Scripting: The image upload is vulnerable to Cross Site Scripting.
User Enumeration: http://pics.windsorfamilyfarm.com/~nobody
User Enumeration: http://pics.windsorfamilyfarm.com/~root
phpSensei Posted February 16, 2008
> Cross Site Scripting: The image upload is vulnerable to Cross Site Scripting.
> User Enumeration: http://pics.windsorfamilyfarm.com/~nobody
> User Enumeration: http://pics.windsorfamilyfarm.com/~root
Can you explain a little the risk of User Enumeration, and how it can be protected against? I am guessing it's through .htaccess, but I would like to know. I never understood it. Sorry for going off topic, guys.
kristopherWindsor (Author) Posted February 16, 2008
> Cross Site Scripting: The image upload is vulnerable to Cross Site Scripting.
While the spam check is predictable and therefore avoidable, only a bot written for this particular site would get in. The odds that a random spam bot would enter data of the appropriate lengths, and attach a file, and specify a .jpg file extension, and select the correct 1 of 7 options in the spam bot are very low. If someone will spend enough time spamming my site with a custom bot, they could just do it in person, and there is no way to stop that. I suppose if I ever want to offer this page to a large (potentially spamming) audience, I will need to require user registration.
> User Enumeration: http://pics.windsorfamilyfarm.com/~root
I don't understand what the problem with this is, although it is new to me. If you go there, it just says, "You don't have permission to access /~root on this server." If you replace "root" with the name I use for FTP login, it serves the contents from the main http://windsorfamilyfarm.com/ site. So what is the problem? It doesn't look like any confidential info is exposed from this.
Coreye Posted February 17, 2008
Cross Site Scripting vulnerabilities have nothing to do with captcha or spamming problems. Cross Site Scripting is commonly known as XSS for short. You should search Google on what can happen if you leave your site open to XSS attacks.
As for "User Enumeration", read this: http://www.securityspace.com/smysecure/catid.html?id=10766.
kristopherWindsor (Author) Posted February 17, 2008
Oh, well in that case, how is XSS possible on my site? All inputs are restricted to a whitelist of characters.
I have two user accounts on this server, and their names follow the same naming scheme I have seen on other servers. Meaning, you could guess the user names without trial and error, so the user names are not secret, so this is not a problem. ;-)
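Neither agentsteal's report nor the reply above says where the XSS actually is, so the following is not a diagnosis of this site. It is an added example, not the site's code, of what a character whitelist on the three text fields does not cover: the uploaded file's own name and contents, and the output side. The field names (author, tags, caption, picture), the upload directory and PHP 7+ are assumptions.

```php
<?php
// Added example of a hardened upload/display path for a picture board.
// Not the original site's code; field names, UPLOAD_DIR and PHP 7+ are assumed.

declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads';   // assumed; serve it with PHP execution off
const MAX_BYTES  = 2 * 1024 * 1024;
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Text fields: length limit plus a character whitelist (what the thread says the
// site already does on input). Returns the trimmed value or null when rejected.
function validate_text(string $value, int $max): ?string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > $max) {
        return null;
    }
    return preg_match('/^[A-Za-z0-9 ,.\'-]+$/', $value) === 1 ? $value : null;
}

// The file: decide by *content*, never by the client-supplied name or extension.
// The stored extension is derived from the detected MIME type, not from the client.
function validate_upload(array $file): ?array
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        return null;
    }
    // getimagesize() rejects files that merely start with image magic bytes
    if (@getimagesize($file['tmp_name']) === false) {
        return null;
    }
    return ['mime' => $mime, 'ext' => ALLOWED[$mime]];
}

// Store under a server-generated name: the client's filename never reaches disk or HTML.
function store_upload(array $file, string $ext): string
{
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('could not store upload');
    }
    return $name;
}

// Escape on output, every time, regardless of what input validation did.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_picture(string $file, string $author, string $tags, string $caption): string
{
    return '<img src="/uploads/' . h($file) . '" alt="' . h($caption) . '">'
         . '<p>' . h($author) . ' [' . h($tags) . ']</p>';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $author  = validate_text($_POST['author']  ?? '', 40);
    $tags    = validate_text($_POST['tags']    ?? '', 100);
    $caption = validate_text($_POST['caption'] ?? '', 200);
    $img     = isset($_FILES['picture']) ? validate_upload($_FILES['picture']) : null;
    if ($author === null || $tags === null || $caption === null || $img === null) {
        http_response_code(400);
        exit('rejected');
    }
    $stored = store_upload($_FILES['picture'], $img['ext']);
    header('X-Content-Type-Options: nosniff');
    echo render_picture($stored, $author, $tags, $caption);
}
```

The two controls that matter independently of the whitelist are the last two: the stored filename is generated on the server, so nothing the client typed into the file-name field is ever written into the page, and every value is passed through htmlspecialchars() at the point it is emitted. The uploads directory should also be served with `X-Content-Type-Options: nosniff` and with PHP execution disabled for that path, so an image file is only ever delivered as an image.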
redarrow Posted February 24, 2008
In httpd.conf, set the 'UserDir' to 'disabled'.
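The setting in its context, as an added example and not the site's actual httpd.conf (the account name "alice" is a placeholder): the first block is the mod_userdir default that makes /~name answer differently for existing and non-existing accounts, the second is the corrected form.

```apache
# Before: every account's public_html is served at /~name, so a 403 for
# /~root and a normal page for /~realuser confirms which names exist.
<IfModule mod_userdir.c>
    UserDir public_html
</IfModule>

# After: per-user directories off for everyone. If one account genuinely
# needs the feature, allow it for that account only; the default stays disabled.
<IfModule mod_userdir.c>
    UserDir disabled
    # UserDir enabled alice
    # UserDir public_html
</IfModule>
```

After restarting Apache, request /~root and /~<your FTP login> again; both should now be refused the same way, which is what removes the difference an enumeration probe is looking for.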