Go on - hurt my site! - PHPBuilder Forums

Go on - hurt my site!

dartcol

I've just finished putting together my first site that has a CMS and wanted to see if any of you out there could try to break it (or at least say what you think of it)!

I've done what I reckon I can to safeguard it using html specialchars, addslashes, query checks on users id etc but wondered if any of you fancied a challenge, or even a quiet read (that's what the site is supposed to be about.)

If you have a spare ten minutes or so then go to:http://paperstories.diyartcollective.com/index.php

You'll need to set up a user identity and need ready access to one of your email addresses.

Any other criticism gratefully received. One thing though, the content is still coming, I'm more worried about security at the moment.

Cheers!

goldbug

Turning off Javascript breaks registration.

Note: I've got javascript turned off AND I didn't enter anything into the fields.

goldbug

Same (JS) with changing your password (usercp.php)

Also the password reset form. (gives "blank" page)

goldbug

Not really sure if it can truly be exploited, but say I know someones first name, and their username (assoc/w story)... I could "start" the change password process. (Theres no user check to see if the username of the current user matches the username of the requested password change - stage1)

goldbug

Forgot to mention: looks good. Most of the "easier" attacks I've tried don't get through, which is a good sign. I'm of the opinion that once you block out the easy attacks, it not too key to block out the harder ones (unless it's mission-critical)... it's so much easier to just DDoS the server or whatever (hack webserver, not app)

Also, on hold.php, you need to use nl2br() on the peice display.. it messed up my cow haiku to not have line breaks.

LordShryku

Originally posted by goldbug
it's so much easier to just DDoS the server or whatever (hack webserver, not app)

We'll get to that tomorrow 😃

goldbug

Also, you might want to check the referrer on the form submissions. One can successfully copy the html to a local file, change the form parameters (maxlength and such) and submit to your app using the full url as the action. Couldn't find anything vulnerable to overflow that way (nor did it let me delete another person's story -- good job on that one), but you never know what you might forget to bounds-check or handle. 🙂

goldbug

Originally posted by LordShryku
We'll get to that tomorrow 😃

According to netcraft, "The site paperstories.diyartcollective.com is running Apache/1.3.27 (Unix) PHP/4.3.2 on Linux."

Ahhhhhh, vulns exist (so do newer versions of both of those) 🙂

Of course, the server string could be a fake of course 🙂 My dev server, after all, "is running Sealab on FreeBSD". 🙂 🙂

I'll be good 🙂 🙂

LordShryku

My dev server, after all, "is running Sealab on FreeBSD

That's funny....my dev server is running Linux on Playstation 2 - Copywrite Sony 2000 😃

goldbug

Originally posted by LordShryku
That's funny....my dev server is running Linux on Playstation 2 - Copywrite Sony 2000 😃

Funny thing is, that could very well be real 🙂

LordShryku

Yeah, but it's easier to just fake it. I put Gentoo on my PS2 over the weekend. Still buggy, but I'll get it tuned

goldbug

Awesome. I love Gentoo. In fact, when my new desktop arrives in a couple days, I know I won't even be able to use it for the first two or three, due to immediate reformat + Stage1 install 🙂

LordShryku

Well, in case you have a PS2 to spare, here's the port

http://playstation2-linux.com/projects/gentoo-ps2/

dartcol

Thanks for the input. It's good to get pointers from others who are way ahead of me at this game.

I'll do the n2lbr in hold.php. As for the javascript, hmm, yes, I'd agree that it's limiting for those with it turned off. Maybe I'd better change to displaying an on-screen message. It gets a bit messy though. However, you're right there.

Also, the form submissions - Ah! I forgot that bit. On the case.

There's one thing I don't understand:

Originally posted by goldbug
I'm of the opinion that once you block out the easy attacks, it not too key to block out the harder ones (unless it's mission-critical)... it's so much easier to just DDoS the server or whatever (hack webserver, not app) [/QUOTE]

I'm not particularly sure what this means. Could you explain, please?

The other thing is you mentioned vulnerablities due to the apache server / php version. You say to do new versions. Unfortunately, I have no control over the server (is this what you mean?) Is there anything I can do to safeguard the site better but still using the current config?

Thanks again for the help. I can sleep a little more comfortably now - that's more than 4 hours a night!

LordShryku

I think he's saying that outside of the easy web exploits (javascript, sql injection, sometimes register_globals), if someone really wanted to break your site, it's just easier to bring down the server. Fact, I'd probably skip all of the exploits, nad just go for the server, unless I wanted to screw up your data.

Though...I...uhm....never done anything like that.....yeah....

Moonglobe

i would have thought that goldbug would have pointed out the BLARING misuse of tables for layout in your script 😉

dartcol

Erm...not sure I'm with you... Is this going to be embarrassing? Or are you talking about doing it in css? Let me go do a search for goldbug+tables ...

goldbug

Originally posted by Moonglobe
i would have thought that goldbug would have pointed out the BLARING misuse of tables for layout in your script 😉

Nah, I'm not feeling as vigilant this week. 🙂

Besides, he gets redemption points for using headings, instead of meaningless styled <div>s 🙂

The_Chancer

Looks good...

Just thrown it through
http://validator.w3.org and it did have a few things to say though...

Oh, and the mail has taken a while to get through - whether that is on my part (the server here is dog slow...) or the site - I don't know...

dartcol

It could be the server, it's phpwebhosting. Not a particularly good record recently. Saying that though, when I test it, it's pretty fast but that's on a 8MB (read 300-400kbps real time) ADSL connection.

Thanks for reminding me about w3.org. Next pit stop although I know a lot of the stuff that'll come up like quote marks and id numbers etc. Bit of a poor record with HTML :o !

.I'm still not sure what Moonglobe was talking about ... maybe someone could let me in on it ...