ttye0 (Moderator)
Posts: 107
Title: Bug Fix - Script Insertion
Posted on: 2009-08-20 08:08:23
Thanks to kiyoura, a security issue on the forum has been brought to my attention. The bug was obvious, and it is clear to me that the security of the forum is in need of review. As for the security issue itself, it was simply that any user could inject malicious script tags into their signature. The issue is believed to be resolved, and further action is going to be taken in the very near future to better protect the security of the forums.
Thank you for bringing the issue to my attention, kiyoura, intentional or not. I took the liberty of replacing your user signature with something more fitting.
kiyoura (Kibitzer)
Posts: 14
Reply posted: 2009-08-24 11:42:08
Just run all user input through htmlspecialchars('string here', ENT_QUOTES);
SQL through mysql_real_escape_string, if not PDO.
You hold PLAINTEXT usernames and passwords in cookies; that's how I got your password. Use hashes and check against those instead of plaintext.
Uhh, you might have magic quotes/global variables on; turn both of those off.
Other than maybe session handling, RFI/LFI checking, and sanitizing GET and POST requests, you're good to go.
I recommend this: http://www.phpfreaks.com/tutorial/php-security
Last Edited: 08-24-09 11:44
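The signature bug ttye0 describes and the three main items on kiyoura's checklist (escape on output, parameterised SQL, hashed credentials instead of plaintext cookies) fit into one short script. The following is an added example written for this page; it is not code from the forum software under discussion. The table layout, the user name, the password and the hostile signature string are constructed for the example, SQLite in memory stands in for the forum's MySQL database, and it assumes PHP 7.1 or later with the pdo_sqlite extension (password_hash, random_bytes and nullable return types did not exist in the 2009-era PHP the thread was written against).

```php
<?php
// Added example, not the forum's own code. Demonstrates the fixes discussed in the
// thread: output escaping for signatures, PDO prepared statements, and a hashed
// password plus random session token instead of plaintext credentials in a cookie.
// Assumes PHP >= 7.1 with pdo_sqlite. Names and sample data are constructed.
declare(strict_types=1);

// --- 1. Output escaping (the signature XSS) ----------------------------------

// Constructed signature of the kind that triggered the bug report: a script
// element plus both quote characters, to exercise ENT_QUOTES.
$hostileSignature = "CPU: AMD Athlon 64<script>document.cookie='x'</script>\"'";

// Vulnerable rendering: the raw string is interpolated into the page, so every
// visitor's browser executes the <script> element.
function renderSignatureVulnerable(string $sig): string
{
    return "<div class=\"sig\">$sig</div>";
}

// Fixed rendering: escape at output time, quotes included, with an explicit
// charset so malformed multibyte sequences cannot slip a '<' past the escaper.
function renderSignatureSafe(string $sig): string
{
    return '<div class="sig">' . htmlspecialchars($sig, ENT_QUOTES, 'UTF-8') . '</div>';
}

// --- 2. Parameterised SQL ------------------------------------------------------

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, pw_hash TEXT, signature TEXT)');

// The signature is stored exactly as typed; the bound placeholder keeps the
// quotes in the payload from terminating the SQL string, so no manual escaping
// (mysql_real_escape_string) is involved. Escaping happens only on output.
function saveSignature(PDO $db, string $user, string $sig): void
{
    $stmt = $db->prepare('UPDATE users SET signature = :sig WHERE name = :name');
    $stmt->execute([':sig' => $sig, ':name' => $user]);
}

// --- 3. Credentials and cookies ------------------------------------------------

// Registration stores only a salted bcrypt hash, never the password.
function registerUser(PDO $db, string $user, string $password): void
{
    $stmt = $db->prepare("INSERT INTO users (name, pw_hash, signature) VALUES (:name, :hash, '')");
    $stmt->execute([':name' => $user, ':hash' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Login verifies against the hash and, on success, returns an opaque random
// session token. That token is the only thing that belongs in the cookie; the
// username/password pair that let kiyoura in never leaves the server.
function login(PDO $db, string $user, string $password): ?string
{
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE name = :name');
    $stmt->execute([':name' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return null;
    }
    return bin2hex(random_bytes(32));
}

// --- Demo --------------------------------------------------------------------------

registerUser($db, 'kiyoura', 'correct horse battery');
saveSignature($db, 'kiyoura', $hostileSignature);

$stored = $db->query("SELECT signature FROM users WHERE name = 'kiyoura'")->fetchColumn();
echo "vulnerable: " . renderSignatureVulnerable($stored) . "\n";
echo "safe:       " . renderSignatureSafe($stored) . "\n";

var_dump(login($db, 'kiyoura', 'wrong password'));
$token = login($db, 'kiyoura', 'correct horse battery');
echo "session token: $token\n";
// In a web context the token would be issued as a cookie that is both Secure and
// HttpOnly, so script injected elsewhere on the site cannot read it:
// setcookie('sid', $token, 0, '/', '', true, true);
```

Run it with `php example.php`: the "vulnerable" line prints the `<script>` element verbatim, the "safe" line prints `&lt;script&gt;` with the quotes rendered as `&quot;` and `&#039;`, the wrong-password login returns NULL and the correct one yields a 64-hex-character token. The remaining items on kiyoura's list are configuration rather than code: on the PHP of the thread's era, `magic_quotes_gpc` and `register_globals` are php.ini settings to set to Off (both were removed outright in PHP 5.4).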
optedoblivion (Kibitzer)
Posts: 8
Reply posted: 2009-09-22 09:22:31
You are never safe, ttye0... I'll get you next time, Gadget!