Post by ohad258 on Mar 25, 2011 23:19:52 GMT 1
guides4all.info/editit
In this website you can make your own signature that people can edit. There isn't an admin panel or contact form yet; tomorrow I will make them. Programmed and designed by me (Ohad Peled). Enjoy, zombies..
Post by Charlie on Mar 26, 2011 0:56:47 GMT 1
I didn't like it; my browser kept transferring me to various advertising sites. Your website is far beyond complete.
Post by Comu on Mar 26, 2011 7:26:05 GMT 1
Big mistake in your registration system! Your database could have been down already, but I just wanted to show you. The name with which I registered: <script>alert('XSS by Comu')</script>. If you now open edit_page.php, it's loading the info from the database, if I got it correct. A bad, bad thing, as you didn't escape it at registration. So if you open guides4all.info/editit/edit_page.php?id=16 (my edit page) you'll automatically get the XSS. You can fix it with trim() or, even better, mysql_real_escape_string() before writing it into the DB. However, you can access the edit page even if it's not your account. It says "changes saved successfully", but nothing changed.
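The bug Comu describes is a stored XSS: a registration name is written to the database and later echoed into edit_page.php as raw HTML. The PHP below is an added example, not code from guides4all.info or from the thread; the table `users`, its columns and the in-memory SQLite database are assumptions made so it runs offline. It shows the unsafe rendering next to the fixed version and stores the name with a prepared statement. Note which fix does what: htmlspecialchars() on output is what stops the script tag from rendering, while mysql_real_escape_string() (or a bound parameter) protects the SQL query, not the HTML page.

```php
<?php
// Added example (not the site's own code). The table name `users`, the
// column `name` and the SQLite DSN are assumptions for a self-contained demo.

function render_name_unsafe(string $name): string {
    // What the thread says edit_page.php did: the stored name is echoed
    // unchanged, so a name containing a <script> tag is parsed as markup.
    return "<p>Editing signature of " . $name . "</p>";
}

function render_name_safe(string $name): string {
    // Output encoding: < > & " ' become entities, so the same name is shown
    // as literal text instead of being interpreted as HTML. This is the XSS fix.
    return "<p>Editing signature of "
        . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . "</p>";
}

function store_user(PDO $db, string $name): int {
    // Prepared statement: the name travels as a bound parameter and is never
    // concatenated into the SQL text, so quotes in it cannot alter the query.
    // This is the SQL-side protection that mysql_real_escape_string() also gave.
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $db->lastInsertId();
}

function load_user_name(PDO $db, int $id): ?string {
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

// Constructed demo data: an in-memory database and the name from the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL)');

$registeredName = "<script>alert('XSS by Comu')</script>";
$id   = store_user($db, $registeredName);
$name = load_user_name($db, $id);

echo render_name_unsafe($name), PHP_EOL;  // live <script> tag in the page
echo render_name_safe($name), PHP_EOL;    // same name, entity-encoded, shown as text
```

Run it with `php example.php` (the pdo_sqlite extension must be enabled). The first line of output is the page as the thread saw it; the second is what a browser would display as plain text. Escaping on output rather than on input is the safer habit, because the same stored value may later be rendered in HTML, JSON or an email, each of which needs a different encoding.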
Post by ohad258 on Mar 26, 2011 9:11:10 GMT 1
I'll fix it. Thanks. I removed the ads. XSS - fixed.
Look at your signature and you will see that the change was successful!
And Comu, this is the idea: that everyone can change your signature.
Post by reality on Mar 26, 2011 11:14:28 GMT 1
Why didn't you add the answer "no" to the poll? I bet 2000 people would vote on that one.
Post by ohad258 on Mar 26, 2011 11:27:01 GMT 1
> Why didn't you add the answer "no" to the poll? I bet 2000 people would vote on that one.
Become mature, dude. One more thing, for all: criticize the idea and not the programming and all this shit, please.
Post by makeveli on Mar 26, 2011 19:15:13 GMT 1
> Big mistake in your registration system! Your database could have been down already, but I just wanted to show you. The name with which I registered: <script>alert('XSS by Comu')</script>. If you now open edit_page.php, it's loading the info from the database, if I got it correct. A bad, bad thing, as you didn't escape it at registration. So if you open guides4all.info/editit/edit_page.php?id=16 (my edit page) you'll automatically get the XSS. You can fix it with trim() or, even better, mysql_real_escape_string() before writing it into the DB. However, you can access the edit page even if it's not your account. It says "changes saved successfully", but nothing changed.
That's like Chinese to me.
> Why didn't you add the answer "no" to the poll? I bet 2000 people would vote on that one.
Lol'd