Omnimaga

General Discussion => Technology and Development => Web Programming and Design => Topic started by: rivereye on December 10, 2006, 03:19:00 pm

Title: Feature Requests
Post by: rivereye on December 10, 2006, 03:19:00 pm

Things you would like to see in Rivereye CMS? Post about it here.

Title: Feature Requests
Post by: DJ Omnimaga on December 10, 2006, 03:40:00 pm

make sure to make it secure first before adding features ;)

Title: Feature Requests
Post by: elfprince13 on December 10, 2006, 04:04:00 pm

'tis quite secure at the moment from what Ive tested.

Title: Feature Requests
Post by: DJ Omnimaga on December 10, 2006, 04:19:00 pm

yeah usually this is when there is features being added that we need to be more careful

Title: Feature Requests
Post by: rivereye on December 11, 2006, 02:38:00 am

yeah, please, whenever something gets added, test the security of it.

Title: Feature Requests
Post by: DJ Omnimaga on December 11, 2006, 02:43:00 am

how would u do that tho? o.o sorry but i don't know really how to hack :wacko: (j/k but you get the idea :D )

Title: Feature Requests
Post by: rivereye on December 11, 2006, 05:11:00 am

yeah, that is something I should learn on how to do also. Maybe elfprince13 can go through the stuff he does for us so A. I can fight it early, and B. I can test it also, as can more of us.

Title: Feature Requests
Post by: KermMartian on December 11, 2006, 06:52:00 am

I'll do the standard Type 0/1/2 XSS, SQLI, etc testing on it for you.

Title: Feature Requests
Post by: DJ Omnimaga on December 12, 2006, 03:10:00 am

wtf is that kerm? :gah:

Title: Feature Requests
Post by: elfprince13 on December 12, 2006, 05:32:00 pm

kk,

here's the routine:
JSI (pretty much impossible with the setup I explained to rivereye)
SQLI (pretty much impossible assuming he cleans properly--riv: I gave you my cleaning function right?)
XSS: pretty much impossible with what he has now, this will be the biggy to keep an eye on.

Title: Feature Requests
Post by: KermMartian on December 13, 2006, 04:11:00 am

QuoteBegin-xlibman+12 Dec, 2006, 9:1-->

QUOTE (xlibman @ 12 Dec, 2006, 9:10)

wtf is that kerm? :gah:

 XSS = Cross-Site Scripting
SQLI = [My]SQL Injection
JSI = Javascript Injection

Title: Feature Requests
Post by: DJ Omnimaga on December 13, 2006, 04:37:00 am

QuoteBegin-KermMartian+13 Dec, 2006, 10:11-->

QUOTE (KermMartian @ 13 Dec, 2006, 10:11)

QuoteBegin-xlibman+12 Dec, 2006, 9:1--> QUOTE (xlibman @ 12 Dec, 2006, 9:10) wtf is that kerm? :gah: XSS = Cross-Site Scripting SQLI = [My]SQL Injection JSI = Javascript Injection

 wtf is that kerm? :gah:

Title: Feature Requests
Post by: rivereye on December 13, 2006, 10:49:00 am

elf, I don't think I have that stuff from you. Also, you are more than free to look at the source (and if any one else wants it, things could probably worked out in some way or another).

Title: Feature Requests
Post by: KermMartian on December 14, 2006, 08:41:00 am

QuoteBegin-xlibman+13 Dec, 2006, 10:37-->

QUOTE (xlibman @ 13 Dec, 2006, 10:37)

QuoteBegin-KermMartian+13 Dec, 2006, 10:11--> QUOTE (KermMartian @ 13 Dec, 2006, 10:11) QuoteBegin-xlibman+12 Dec, 2006, 9:1--> QUOTE (xlibman @ 12 Dec, 2006, 9:10) wtf is that kerm? :gah: XSS = Cross-Site Scripting SQLI = [My]SQL Injection JSI = Javascript Injection wtf is that kerm? :gah:

 It makes bad stuff happen to the server and database. :)

Title: Feature Requests
Post by: elfprince13 on December 14, 2006, 01:39:00 pm

QuoteBegin-KermMartian+14 Dec, 2006, 14:41-->

QUOTE (KermMartian @ 14 Dec, 2006, 14:41)

QuoteBegin-xlibman+13 Dec, 2006, 10:37--> QUOTE (xlibman @ 13 Dec, 2006, 10:37) QuoteBegin-KermMartian+13 Dec, 2006, 10:11--> QUOTE (KermMartian @ 13 Dec, 2006, 10:11) QuoteBegin-xlibman+12 Dec, 2006, 9:1--> QUOTE (xlibman @ 12 Dec, 2006, 9:10) wtf is that kerm? :gah: XSS = Cross-Site Scripting SQLI = [My]SQL Injection JSI = Javascript Injection wtf is that kerm? :gah: It makes bad stuff happen to the server and database. :)

 here's a summary of some general hacking techniques (without instructions...primarily for website defacements, but remote code execution can be a problem as well):

XSS allows hackers to insert their own code into a webpage, this comes in a huge variety of forms, forums, and any sort of messaging system tends to be vulnerable.

SQL injections allows hackers to manipulate the database at will and occasionally even execute arbitrary code on the server.

Javascript Injections are typically used for cookie stealing in conjunction with XSS, or for escalation of permissions.

other bad things that can happen:

using upload forms to overwrite files.

using download forms to view sourcecode that shouldn't be viewed.


----------------------

@rivereye: here's the code you need that will remove the risk of SQL injections entirely, you should also call strip_tags() on any data that there is any chance of ever being displayed.

c1

-->

CODE

ec1 // mysql_query() wrapper. takes two arguments. first   Title: Feature Requests Post by: rivereye on April 21, 2007, 03:44:00 am ok, I have come up with an idea for some stuff to help with bots. First of all, if there is a bot post, there could be a hidden bot trash bin (like our bot forum here), and then in the ACP, a way to search and delete masses of posts/topics by a user. Comments? Title: Feature Requests Post by: Speler on April 21, 2007, 11:07:00 am That sounds good, remember keep it extremely functional, but also very straitfoward and organized when you start adding advance features. Title: Feature Requests Post by: bfr on April 21, 2007, 12:10:00 pm I guess that's a good idea.  Your forum system is already pretty good though, maybe some more eye candy, smileys, and UBBC code?  Or are you holding those off for the far future and maybe just focusing on improving what is already there? Title: Feature Requests Post by: rivereye on April 21, 2007, 03:00:00 pm there is BBCode now (does anyone read the updates?) SMF 2.0.15 | SMF © 2017, Simple Machines Dream Portal 1.1 © 2009–2025 Dream Portal Team