XtremeBB 0.1.1 Released!

**Sir Rusty** · 10-25-2008, 03:57 PM

Hello,

XtremeBB 0.1.1 is released.

Known bugs on XtremeBB 0.1.1:

- Footer (Forum Version doesnt change)

Additions to XtremeBB 0.1.1:

Upgrade Wizard [ADDED]

Bugs fixed:

cp.php? [Fixed]
Copyright link fixed.

----------------------

XtremeBB - A Free Forum Software based on PHP and SQL

**Oldiesmann** · 10-31-2008, 08:02 PM

I see a huge issue here...

Code:

else if (isset($_POST['confirm'])) {
	
	/**
	 * USer wants to delete, so proceed, then exit and return
	 */
	$post_id = $_POST['post_id'];
	
	$check_firstpost = mysql_fetch_array(mysql_query("SELECT COUNT(*) FROM ".MYSQL_TABLE_PREFIX."threads 
														WHERE thread_first_post_id='{$post_id}'"));

	if ($check_firstpost[0] != 0) {
		$get_post = mysql_fetch_array(mysql_query("SELECT * FROM ".MYSQL_TABLE_PREFIX."posts WHERE post_id='{$post_id}'"));
		//echo $get_post['post_belongs_to_thread'];
		mysql_query("DELETE FROM ".MYSQL_TABLE_PREFIX."threads 
					WHERE thread_id='{$get_post['post_belongs_to_thread']}'");
		
		mysql_query("DELETE FROM ".MYSQL_TABLE_PREFIX."posts 
					WHERE post_belongs_to_thread='{$get_post['post_belongs_to_thread']}'");
		
		
		
		echo mysql_error();
	}

As far as I can tell, there is absolutely no validation or security check prior to this code. This means a hacker can just create a form that posts to the page, and delete any thread they want, no questions asked.

There are several other problems here as well:
Using a SELECT * to pull the value from a single column
Relying on the ID of the first post in the thread to delete the thread rather than the thread ID
Echoing out mysql_error() without even checking to see if there was an error first

**Sir Rusty** · 10-31-2008, 08:05 PM

You mean theres no CAPTCHA when you post. On the ACP you could control who posts. And in 0.2.0 our main addition will be CAPTCHA ^_^!

**Oldiesmann** · 10-31-2008, 10:45 PM

Captcha has absolutely nothing to do this.

What's to stop me from creating a form like the one I mentioned above and posting a valid post ID to delete.php on your site and deleting any thread I want?

**Sir Rusty** · 11-01-2008, 06:02 PM

Owooo... I see. Okay, I will fix that then... We might not have the best security. I will try and do my best working on security on 0.2.0 ^_^!

10-25-2008, 03:57 PM	#1
Sir Rusty Rookie Join Date: Mar 2008 Location: New York Posts: 24	XtremeBB 0.1.1 Released! Hello, XtremeBB 0.1.1 is released. Known bugs on XtremeBB 0.1.1: - Footer (Forum Version doesnt change) Additions to XtremeBB 0.1.1: Upgrade Wizard [ADDED] Bugs fixed: cp.php? [Fixed] Copyright link fixed. ---------------------- XtremeBB - A Free Forum Software based on PHP and SQL __________________ To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts. ~~ To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.

10-31-2008, 08:02 PM	#2
Oldiesmann Member Join Date: Apr 2006 Location: Cincinnati, Ohio Posts: 72	I see a huge issue here... Code: else if (isset($_POST['confirm'])) { /** * USer wants to delete, so proceed, then exit and return / $post_id = $_POST['post_id']; $check_firstpost = mysql_fetch_array(mysql_query("SELECT COUNT() FROM ".MYSQL_TABLE_PREFIX."threads WHERE thread_first_post_id='{$post_id}'")); if ($check_firstpost[0] != 0) { $get_post = mysql_fetch_array(mysql_query("SELECT * FROM ".MYSQL_TABLE_PREFIX."posts WHERE post_id='{$post_id}'")); //echo $get_post['post_belongs_to_thread']; mysql_query("DELETE FROM ".MYSQL_TABLE_PREFIX."threads WHERE thread_id='{$get_post['post_belongs_to_thread']}'"); mysql_query("DELETE FROM ".MYSQL_TABLE_PREFIX."posts WHERE post_belongs_to_thread='{$get_post['post_belongs_to_thread']}'"); echo mysql_error(); } As far as I can tell, there is absolutely no validation or security check prior to this code. This means a hacker can just create a form that posts to the page, and delete any thread they want, no questions asked. There are several other problems here as well: Using a SELECT * to pull the value from a single column Relying on the ID of the first post in the thread to delete the thread rather than the thread ID Echoing out mysql_error() without even checking to see if there was an error first __________________ The Oldiesmann To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts. Compliance Manager / Marketing Team member To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts. - RC1 now available!

10-31-2008, 08:05 PM	#3
Sir Rusty Rookie Join Date: Mar 2008 Location: New York Posts: 24	You mean theres no CAPTCHA when you post. On the ACP you could control who posts. And in 0.2.0 our main addition will be CAPTCHA ^_^! __________________ To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts. ~~ To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.

10-31-2008, 10:45 PM	#4
Oldiesmann Member Join Date: Apr 2006 Location: Cincinnati, Ohio Posts: 72	Captcha has absolutely nothing to do this. What's to stop me from creating a form like the one I mentioned above and posting a valid post ID to delete.php on your site and deleting any thread I want? __________________ The Oldiesmann To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts. Compliance Manager / Marketing Team member To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts. - RC1 now available!

11-01-2008, 06:02 PM	#5
Sir Rusty Rookie Join Date: Mar 2008 Location: New York Posts: 24	Owooo... I see. Okay, I will fix that then... We might not have the best security. I will try and do my best working on security on 0.2.0 ^_^! __________________ To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts. ~~ To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
XtremeBB (Forum Software)	Sir Rusty	Software	21	11-16-2009 02:47 PM
XtremeBB 0.1.0 .:Released:.	Sir Rusty	Software	0	09-19-2008 05:57 PM
[IPB News] IP.Blog 1.4.0 Beta 3 Released	Industry News	Invision Power Board	0	04-24-2008 05:40 PM
[MyBB News] MyBB 1.2.10 Released - Maintenance Release	Industry News	Other Software	1	12-01-2007 05:49 PM
High speed desktop Gnome released	shellspeare	Off Topic	0	02-24-2006 08:38 AM