Author Topic: Feature Requests (Read 3940 times)

rivereye · « **on:** December 10, 2006, 03:19:00 pm »

Things you would like to see in Rivereye CMS? Post about it here.

DJ Omnimaga · « **Reply #1 on:** December 10, 2006, 03:40:00 pm »

make sure to make it secure first before adding features

elfprince13 · « **Reply #2 on:** December 10, 2006, 04:04:00 pm »

'tis quite secure at the moment from what Ive tested.

DJ Omnimaga · « **Reply #3 on:** December 10, 2006, 04:19:00 pm »

yeah usually this is when there is features being added that we need to be more careful

rivereye · « **Reply #4 on:** December 11, 2006, 02:38:00 am »

yeah, please, whenever something gets added, test the security of it.

DJ Omnimaga · « **Reply #5 on:** December 11, 2006, 02:43:00 am »

how would u do that tho? o.o

sorry but i don't know really how to hack :wacko:

(j/k but you get the idea

)

rivereye · « **Reply #6 on:** December 11, 2006, 05:11:00 am »

yeah, that is something I should learn on how to do also. Maybe elfprince13 can go through the stuff he does for us so A. I can fight it early, and B. I can test it also, as can more of us.

KermMartian · « **Reply #7 on:** December 11, 2006, 06:52:00 am »

I'll do the standard Type 0/1/2 XSS, SQLI, etc testing on it for you.

DJ Omnimaga · « **Reply #8 on:** December 12, 2006, 03:10:00 am »

wtf is that kerm? :gah:

elfprince13 · « **Reply #9 on:** December 12, 2006, 05:32:00 pm »

kk,

here's the routine:
JSI (pretty much impossible with the setup I explained to rivereye)
SQLI (pretty much impossible assuming he cleans properly--riv: I gave you my cleaning function right?)
XSS: pretty much impossible with what he has now, this will be the biggy to keep an eye on.

KermMartian · « **Reply #10 on:** December 13, 2006, 04:11:00 am »

QuoteBegin-xlibman+12 Dec, 2006, 9:1-->

QUOTE (xlibman @ 12 Dec, 2006, 9:10)

wtf is that kerm? :gah:

XSS = Cross-Site Scripting
SQLI = [My]SQL Injection
JSI = Javascript Injection

DJ Omnimaga · « **Reply #11 on:** December 13, 2006, 04:37:00 am »

QuoteBegin-KermMartian+13 Dec, 2006, 10:11-->

QUOTE (KermMartian @ 13 Dec, 2006, 10:11)

QuoteBegin-xlibman+12 Dec, 2006, 9:1-->

QUOTE (xlibman @ 12 Dec, 2006, 9:10)

wtf is that kerm? :gah:

XSS = Cross-Site Scripting
SQLI = [My]SQL Injection
JSI = Javascript Injection

wtf is that kerm? :gah:

rivereye · « **Reply #12 on:** December 13, 2006, 10:49:00 am »

elf, I don't think I have that stuff from you. Also, you are more than free to look at the source (and if any one else wants it, things could probably worked out in some way or another).

KermMartian · « **Reply #13 on:** December 14, 2006, 08:41:00 am »

QuoteBegin-xlibman+13 Dec, 2006, 10:37-->

QUOTE (xlibman @ 13 Dec, 2006, 10:37)

QuoteBegin-KermMartian+13 Dec, 2006, 10:11-->

QUOTE (KermMartian @ 13 Dec, 2006, 10:11)

QuoteBegin-xlibman+12 Dec, 2006, 9:1-->

QUOTE (xlibman @ 12 Dec, 2006, 9:10)

wtf is that kerm? :gah:

XSS = Cross-Site Scripting
SQLI = [My]SQL Injection
JSI = Javascript Injection

wtf is that kerm? :gah:

It makes bad stuff happen to the server and database.

elfprince13 · « **Reply #14 on:** December 14, 2006, 01:39:00 pm »

QuoteBegin-KermMartian+14 Dec, 2006, 14:41-->

QUOTE (KermMartian @ 14 Dec, 2006, 14:41)

QuoteBegin-xlibman+13 Dec, 2006, 10:37-->

QUOTE (xlibman @ 13 Dec, 2006, 10:37)

QuoteBegin-KermMartian+13 Dec, 2006, 10:11-->

QUOTE (KermMartian @ 13 Dec, 2006, 10:11)

QuoteBegin-xlibman+12 Dec, 2006, 9:1-->

QUOTE (xlibman @ 12 Dec, 2006, 9:10)

wtf is that kerm? :gah:

XSS = Cross-Site Scripting
SQLI = [My]SQL Injection
JSI = Javascript Injection

wtf is that kerm? :gah:

It makes bad stuff happen to the server and database.

here's a summary of some general hacking techniques (without instructions...primarily for website defacements, but remote code execution can be a problem as well):

XSS allows hackers to insert their own code into a webpage, this comes in a huge variety of forms, forums, and any sort of messaging system tends to be vulnerable.

SQL injections allows hackers to manipulate the database at will and occasionally even execute arbitrary code on the server.

Javascript Injections are typically used for cookie stealing in conjunction with XSS, or for escalation of permissions.

other bad things that can happen:

using upload forms to overwrite files.

using download forms to view sourcecode that shouldn't be viewed.

----------------------

@rivereye: here's the code you need that will remove the risk of SQL injections entirely, you should also call strip_tags() on any data that there is any chance of ever being displayed.

c1

-->

CODE

ec1 // mysql_query() wrapper. takes two arguments. first

Logged

Print

Pages: [1] 2 Go Up

« previous next »