Request for testers...

Started by warz, July 10, 2006, 10:58 AM


warz

I've been working on a site a lot lately, and it's got some functionality now. I'm just looking for some people to sign up, activate their account and create some groups. Just some basic stress testing.

I'm aware that the email verification system I've made is a little dirty and rough right now, but bear with it - it's nothing out of the ordinary and it's not done.

I'd appreciate any testers.

http://www.rafm.org/en/

Spht

Had a quick look...

Email uses html without specifying Content-Type: text/html.

These URLs are linked on various pages, but do not exist:
http://www.rafm.org/en/terms.php
http://www.rafm.org/en/editgroup.php
http://www.rafm.org/en/blastemail.php

joingroup.php doesn't verify if gid actually exists.

warz

Quote from: Spht on July 10, 2006, 07:16 PM
Email uses html without specifying Content-Type: text/html.

Ah, maybe that's why my MS Exchange email doesn't display the HTML properly. I guess Hotmail assumes that sometimes, and just displays it using HTML as it is.

Those broken links are pages I intend to make soon.

As for the joingroup.php problem - wow, big problem, can't believe I forgot to require the gid. Currently you can join non-existent groups! I've fixed this now. Thank you. I'll let y'all know when I add some other major changes.

rabbit

What kind of injection checks do you do?
Grif: Yeah, and the people in the red states are mad because the people in the blue states are mean to them and want them to pay money for roads and schools instead of cool things like NASCAR and shotguns.  Also, there's something about ketchup in there.

warz

Huh? What do you mean?

rabbit

Well, if someone knew how they could login without an active email, or even a password, by typing the right text in the login box.  If your query is just something like SELECT * FROM `members` WHERE `username` = '$_POST[username]' someone could type ' or 1=1 -- into the login box and be logged in.  There are other more dangerous things that can be done, like someone could obliterate your SQL tables completely.  Security, man!

[edit]
Well, I tried a couple attacks on your login box (albeit fairly simple ones), but it looks like you're doing something with your variables before you construct your query, so whatever.
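The login query shape rabbit describes, next to a parameterised version, as an added example (not code from warz's site). The `members` table, its columns and the sample row are assumed for illustration; the unsafe query is only built as a string to make the problem visible, never executed.

```php
<?php
// Added example, not warz's code: string-spliced login query vs. a prepared
// statement. Table name, columns and the sample row are assumed.

// Vulnerable shape: the submitted text is spliced straight into the SQL, so a
// quote in it closes the string literal and whatever follows becomes SQL.
function build_unsafe_query($username)
{
    return "SELECT * FROM `members` WHERE `username` = '$username'";
}

// Hardened shape: the SQL text is fixed at prepare time and the value travels
// separately as a bound parameter, so it is only ever compared, never parsed.
function find_member(PDO $db, $username)
{
    $stmt = $db->prepare('SELECT * FROM `members` WHERE `username` = ?');
    $stmt->execute(array($username));
    return $stmt->fetch(PDO::FETCH_ASSOC);   // false when no row matches
}

// Offline fixture: an in-memory SQLite table with one constructed member.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE `members` (`username` TEXT, `password_hash` TEXT)');
$db->exec("INSERT INTO `members` VALUES ('alice', 'not-a-real-hash')");

// The login-box text from rabbit's post, built into the unsafe query only so
// the resulting SQL can be read: the WHERE clause becomes
// `username` = '' or 1=1 -- ' , true for every row, with the trailing quote
// turned into a comment.
$injected = "' or 1=1 -- ";
echo build_unsafe_query($injected), "\n";

// With the prepared statement the same text is just a username nobody has.
assert(find_member($db, 'alice') !== false);
assert(find_member($db, $injected) === false);
```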

K

Quote from: rabbit on July 12, 2006, 08:53 PM
Well, I tried a couple attacks on your login box (albeit fairly simple ones), but it looks like you're doing something with your variables before you construct your query, so whatever.

It's possible that PHP's magic quotes is turned on, which is automatically escaping quotes.  This is dangerous behavior to rely on, though, since magic quotes will be turned off in the next version of PHP.

rabbit

Not necessarily!  You can call set_magic_quotes_runtime().

warz

That's not quite how I handle my POST data. I'm pretty sure I've covered most angles on the user sign in pages. Also, I'm not positive about this, but I doubt that passing something like ' or 1=1' to the form would cause problems with the PHP. If so, that'd be a large large problem and probably render PHP and MySQL very unsafe. I'm sure they thought to make it secure enough to not allow remote users to manually append MySQL modifiers to the end of the queries.

Warrior

Depends on a php.ini setting; it's generally good practice to check for the presence of this variable and sanitize input accordingly.
Quote from: effect on March 09, 2006, 11:52 PM
Islam is a steaming pile of fucking dog shit. Everything about it is flawed, anybody who believes in it is a terrorist, if you disagree with me, then im sorry your wrong.

Quote from: Rule on May 07, 2006, 01:30 PM
Why don't you stop being American and start acting like a decent human?

rabbit

Even if you don't check for magic quotes, it's usually a good idea (for login names, etc...) to manually check them with regexes.  You're using e-mail as a login, so I'll go with that:

function checkemail($str)
{
    $matches = array();

    // The pattern pieces are concatenated so that no newline ends up inside
    // the regex; a string literal broken across lines would embed them.
    $pattern = "/^[\d\w\/+!=#|$?%{^&}*`'~-]"
             . "[\d\w\/\.+!=#|$?%{^&}*`'~-]*@"
             . "[A-Z0-9]"
             . "[A-Z0-9.-]{0,61}"
             . "[A-Z0-9]\."
             . "[A-Z]{2,6}$/i";

    preg_match($pattern, $str, $matches);

    // preg_match() fills $matches[0] only when the whole pattern matched.
    return isset($matches[0]);
}

function is_valid_email_address($email)
{
    // Character classes from the RFC 822 address grammar, written as byte ranges.
    $qtext = '[^\\x0d\\x22\\x5c\\x80-\\xff]';
    $dtext = '[^\\x0d\\x5b-\\x5d\\x80-\\xff]';
    $atom = '[^\\x00-\\x20\\x22\\x28\\x29\\x2c\\x2e\\x3a-\\x3c'.
        '\\x3e\\x40\\x5b-\\x5d\\x7f-\\xff]+';

    // A backslash followed by any single ASCII byte.
    $quoted_pair = '\\x5c[\\x00-\\x7f]';
    $domain_literal = "\\x5b($dtext|$quoted_pair)*\\x5d";
    $quoted_string = "\\x22($qtext|$quoted_pair)*\\x22";
    $domain_ref = $atom;
    $sub_domain = "($domain_ref|$domain_literal)";
    $word = "($atom|$quoted_string)";
    $domain = "$sub_domain(\\x2e$sub_domain)*";
    $local_part = "$word(\\x2e$word)*";
    $addr_spec = "$local_part\\x40$domain";

    // Anchored so the entire input must be one address.
    return preg_match("!^$addr_spec$!", $email) ? 1 : 0;
}
I pulled both off of php.net's preg_match function page, but the first wasn't a function.  Basically, you should check the user input before you get anywhere close to using what they give you in an SQL query.

Warrior

Well yea, didn't read the part about the email as authentication. You can even go a step further and authenticate the email's host. Of course that's only if you're a real hardass.

rabbit

Or anal about that sort of thing...

Anyway, it's best to ensure magic quotes are on, regardless of other checks you (should be doing) use.
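Input handling that works the same whether or not the magic_quotes_gpc setting Warrior, K and rabbit discuss is on, as an added example (not code from warz's site). It is written for PHP 5; get_magic_quotes_gpc() no longer exists in PHP 8, where request data is never auto-escaped, so the function_exists() guard keeps the file loadable there. The sample name is constructed.

```php
<?php
// Added example, not warz's code: normalise request data so escaping happens
// exactly once, at the SQL boundary, regardless of the magic_quotes_gpc setting.

// Reverse magic-quoting recursively so a request array holds exactly what the
// user typed, whatever the server's php.ini says.
function strip_magic_quotes($value)
{
    return is_array($value)
        ? array_map('strip_magic_quotes', $value)
        : stripslashes($value);
}

// $magic_on is what get_magic_quotes_gpc() reports on the live server; taking
// it as a parameter lets the normalisation be exercised without a web server.
function normalize_request(array $request, $magic_on)
{
    return $magic_on ? strip_magic_quotes($request) : $request;
}

// Escape once, at the point the value enters SQL, never earlier.
function quote_for_sql(PDO $db, $value)
{
    return $db->quote($value);
}

// Constructed input: the same typed name as two servers would hand it over,
// one with magic quotes off and one with it on (which applies addslashes()).
$typed           = "O'Brien";
$from_off_server = normalize_request(array('username' => $typed), false);
$from_on_server  = normalize_request(array('username' => addslashes($typed)), true);

$db = new PDO('sqlite::memory:');
$safe_off = quote_for_sql($db, $from_off_server['username']);
$safe_on  = quote_for_sql($db, $from_on_server['username']);

// Both paths yield the same single-escaped literal. Without the normalisation,
// escaping again on a magic-quotes server would double-escape the value, while
// on a server with it off the explicit escape would be the only protection.
assert($from_on_server['username'] === $typed);
assert($safe_off === $safe_on);

// On a real request the same normalisation is applied up front, once.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_POST   = strip_magic_quotes($_POST);
    $_GET    = strip_magic_quotes($_GET);
    $_COOKIE = strip_magic_quotes($_COOKIE);
}
```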

warz

Hm. Well, I'll check that out. I do use that email check function found on the php.net page. I've been lazy lately and the production on that site has slowed down a lot. lol.