
Picture Collage / Bulletin Board



The site is:

 

http://pics.windsorfamilyfarm.com/index.php

 

You can upload a picture here (no registration required):

 

http://pics.windsorfamilyfarm.com/upload.php

 

Each picture has some tags.

The tags are listed on the index page.

If you click on a tag, it will show all the pictures with that tag.

 

The pictures are randomly placed, but should not overlap (unless the aspect ratio causes the JS to miscalculate the height of the picture).

 

I hope it works well. ;)

 


Cross Site Scripting:

The image upload is vulnerable to Cross Site Scripting.

 

User Enumeration:

http://pics.windsorfamilyfarm.com/~nobody

 

User Enumeration:

http://pics.windsorfamilyfarm.com/~root

 

Can you explain a little the risk of User Enumeration, and how it can be protected? I am guessing it's through .htaccess, but I would like to know.

 

I never understood it.

 

Sorry for going off topic guys.

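Added note and example, not part of the thread: the "/~root" URL pattern and the "You don't have permission to access /~root on this server" message are what Apache's mod_userdir produces, so the configuration below assumes an Apache httpd server with that module (an assumption; the thread never names the web server). The enumeration risk is that the server answers differently for names that exist on the system than for names that do not, so a visitor can confirm which login names are valid before ever trying a password against FTP or SSH. The directive goes in the main server configuration or a virtual host block, not in .htaccess, because mod_userdir does not accept UserDir in per-directory context.

```apache
# Added example configuration (not the site's own). Assumes Apache httpd with mod_userdir.

# Simplest fix: turn per-user directories off for everyone, so /~anything
# no longer depends on whether "anything" is a real account.
UserDir disabled

# If /~name pages are genuinely wanted, keep them off by default and
# enable them only for the accounts that should publish. "alice" is a
# placeholder account name, not one from the thread.
# UserDir public_html
# UserDir disabled
# UserDir enabled alice
```

After changing the configuration, reload Apache and check that /~root and a made-up name such as /~doesnotexist return the same status code; as long as they differ, the names are still being confirmed.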

Cross Site Scripting:

The image upload is vulnerable to Cross Site Scripting.

 

While the spam check is predictable and therefore avoidable, only a bot written for this particular site would get in.

The odds that a random spam bot would enter data of the appropriate lengths, and attach a file, and specify a .jpg file extension, and select the correct 1 of 7 options in the spam bot are very low.

If someone will spend enough time spamming my site with a custom bot, they could just do it in person, and there is no way to stop that.

I suppose if I ever want to offer this page to a large (potentially spamming) audience, I will need to require user registration.

 

 

I don't understand what the problem with this is, although it is new to me. ;)

If you go there, it just says, "You don't have permission to access /~root on this server."

If you replace "root" with the name I use for FTP login, it serves the contents from the main http://windsorfamilyfarm.com/ site.

So what is the problem?

It doesn't look like any confidential info is exposed from this.

 

:)


Oh, well in that case, how is XSS possible on my site?

All inputs are restricted to a whitelist of characters.

 

I have two user accounts on this server, and their names follow the same naming scheme I have seen on other servers. Meaning, you could guess the user names without trial and error, so the user names are not secret, so this is not a problem. ;-)

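Added example, not code from the site or the thread: a character whitelist on the text fields of the form covers the tags, but an image upload has two other inputs that such a whitelist usually does not see, the uploaded file's bytes and the file name the browser sends, and the gallery page also has to escape whatever it prints. The site itself is PHP (index.php, upload.php); the checks are shown here in Python so they run stand-alone. The accepted extensions, the tag character set, the stored-name scheme and the `tag` query parameter are all assumptions; the sample inputs at the bottom are constructed.

```python
import html
import os
import re
import secrets
import urllib.parse

# Constructed allowlist (assumption): the extensions the upload form accepts, each
# paired with the byte signature a genuine file of that type starts with.
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Character allowlist for tags (assumed rule; the thread only says inputs are restricted).
TAG_RE = re.compile(r"[A-Za-z0-9 _-]{1,40}")


class UploadRejected(ValueError):
    """Raised when an upload fails any of the checks below."""


def validate_upload(client_name: str, data: bytes, max_bytes: int = 5_000_000) -> str:
    """Check an uploaded file and return the name it should be stored under.

    The client-supplied file name and extension are untrusted; only the file's
    own bytes decide whether it is accepted.
    """
    if len(data) > max_bytes:
        raise UploadRejected("file too large")
    # Strip any directory components the client may have sent (either separator).
    base = os.path.basename(client_name.replace("\\", "/"))
    if "." not in base:
        raise UploadRejected("file name has no extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in IMAGE_SIGNATURES:
        raise UploadRejected(f"extension {ext!r} is not an accepted image type")
    # A text file renamed to .jpg has the right extension but the wrong magic bytes.
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        raise UploadRejected("file content does not match its extension")
    # Never reuse the client's name on disk: a random name cannot carry markup
    # into the gallery page or path components into the file system.
    return f"{secrets.token_hex(16)}.{ext}"


def validate_tag(tag: str) -> str:
    """Accept a tag only if every character is on the allowlist."""
    if not TAG_RE.fullmatch(tag):
        raise UploadRejected(f"tag {tag!r} contains characters outside the allowlist")
    return tag


def render_tag_link(tag: str) -> str:
    """Build the tag link for the index page.

    Escaping happens at output time regardless of what input filtering did:
    the link text is HTML-escaped and the query value percent-encoded.
    (The ``tag`` parameter name is an assumption; the thread does not show the URL.)
    """
    return (
        f'<a href="index.php?tag={urllib.parse.quote(tag, safe="")}">'
        f"{html.escape(tag, quote=True)}</a>"
    )


def image_response_headers(stored_name: str) -> dict:
    """Headers to send when serving an uploaded file.

    A fixed Content-Type per extension means an upload is never served as
    text/html, and nosniff stops browsers from second-guessing that type.
    """
    ext = stored_name.rsplit(".", 1)[1].lower()
    content_type = {"jpg": "image/jpeg", "jpeg": "image/jpeg",
                    "png": "image/png", "gif": "image/gif"}[ext]
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'inline; filename="{stored_name}"',
    }


if __name__ == "__main__":
    # Constructed sample inputs: a minimal JPEG header, and an HTML file renamed to .jpg.
    jpeg_bytes = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    print(validate_upload("barn.jpg", jpeg_bytes))
    try:
        validate_upload("barn.jpg", b"<html><body>not an image</body></html>")
    except UploadRejected as exc:
        print("rejected:", exc)
    print(render_tag_link(validate_tag("barn")))
    print(image_response_headers("abc123.png"))
```

The three functions are deliberately separate layers: the magic-byte check decides what is stored, the random stored name decides what reaches the file system and the page, and the output escaping plus headers decide how it is rendered; each one still holds if the other two are bypassed.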
