Author Topic: Feature Requests  (Read 4623 times)

0 Members and 1 Guest are viewing this topic.

Offline rivereye

  • LV8 Addict (Next: 1000)
  • ********
  • Posts: 996
  • Rating: +0/-0
    • View Profile
Feature Requests
« on: December 10, 2006, 03:19:00 pm »
Things you would like to see in Rivereye CMS? Post about it here.
>(<')

Offline DJ Omnimaga

  • Clacualters are teh gr33t
  • CoT Emeritus
  • LV15 Omnimagician (Next: --)
  • *
  • Posts: 55943
  • Rating: +3154/-232
  • CodeWalrus founder & retired Omnimaga founder
    • View Profile
    • Dream of Omnimaga Music
Feature Requests
« Reply #1 on: December 10, 2006, 03:40:00 pm »
make sure to make it secure first before adding features ;)wink.gif

elfprince13

  • Guest
Feature Requests
« Reply #2 on: December 10, 2006, 04:04:00 pm »
'tis quite secure at the moment from what Ive tested.

Offline DJ Omnimaga

  • Clacualters are teh gr33t
  • CoT Emeritus
  • LV15 Omnimagician (Next: --)
  • *
  • Posts: 55943
  • Rating: +3154/-232
  • CodeWalrus founder & retired Omnimaga founder
    • View Profile
    • Dream of Omnimaga Music
Feature Requests
« Reply #3 on: December 10, 2006, 04:19:00 pm »
yeah usually this is when there is features being added that we need to be more careful

Offline rivereye

  • LV8 Addict (Next: 1000)
  • ********
  • Posts: 996
  • Rating: +0/-0
    • View Profile
Feature Requests
« Reply #4 on: December 11, 2006, 02:38:00 am »
yeah, please, whenever something gets added, test the security of it.
>(<')

Offline DJ Omnimaga

  • Clacualters are teh gr33t
  • CoT Emeritus
  • LV15 Omnimagician (Next: --)
  • *
  • Posts: 55943
  • Rating: +3154/-232
  • CodeWalrus founder & retired Omnimaga founder
    • View Profile
    • Dream of Omnimaga Music
Feature Requests
« Reply #5 on: December 11, 2006, 02:43:00 am »
how would u do that tho? o.oblink.gif sorry but i don't know really how to hack :wacko:triso2.gif (j/k but you get the idea :Dbiggrin.gif )

Offline rivereye

  • LV8 Addict (Next: 1000)
  • ********
  • Posts: 996
  • Rating: +0/-0
    • View Profile
Feature Requests
« Reply #6 on: December 11, 2006, 05:11:00 am »
yeah, that is something I should learn on how to do also. Maybe elfprince13 can go through the stuff he does for us so A. I can fight it early, and B. I can test it also, as can more of us.
>(<')

Offline KermMartian

  • Editor
  • LV7 Elite (Next: 700)
  • *******
  • Posts: 500
  • Rating: +233/-20
    • View Profile
    • Cemetech
Feature Requests
« Reply #7 on: December 11, 2006, 06:52:00 am »
I'll do the standard Type 0/1/2 XSS, SQLI, etc testing on it for you.



Offline DJ Omnimaga

  • Clacualters are teh gr33t
  • CoT Emeritus
  • LV15 Omnimagician (Next: --)
  • *
  • Posts: 55943
  • Rating: +3154/-232
  • CodeWalrus founder & retired Omnimaga founder
    • View Profile
    • Dream of Omnimaga Music
Feature Requests
« Reply #8 on: December 12, 2006, 03:10:00 am »
wtf is that kerm? :gah:fou.gif

elfprince13

  • Guest
Feature Requests
« Reply #9 on: December 12, 2006, 05:32:00 pm »
kk,

here's the routine:
JSI (pretty much impossible with the setup I explained to rivereye)
SQLI (pretty much impossible assuming he cleans properly--riv: I gave you my cleaning function right?)
XSS: pretty much impossible with what he has now, this will be the biggy to keep an eye on.

Offline KermMartian

  • Editor
  • LV7 Elite (Next: 700)
  • *******
  • Posts: 500
  • Rating: +233/-20
    • View Profile
    • Cemetech
Feature Requests
« Reply #10 on: December 13, 2006, 04:11:00 am »
QuoteBegin-xlibman+12 Dec, 2006, 9:1-->
QUOTE (xlibman @ 12 Dec, 2006, 9:10)
wtf is that kerm? :gah:fou.gif

 XSS = Cross-Site Scripting
SQLI = [My]SQL Injection
JSI = Javascript Injection



Offline DJ Omnimaga

  • Clacualters are teh gr33t
  • CoT Emeritus
  • LV15 Omnimagician (Next: --)
  • *
  • Posts: 55943
  • Rating: +3154/-232
  • CodeWalrus founder & retired Omnimaga founder
    • View Profile
    • Dream of Omnimaga Music
Feature Requests
« Reply #11 on: December 13, 2006, 04:37:00 am »
QuoteBegin-KermMartian+13 Dec, 2006, 10:11-->
QUOTE (KermMartian @ 13 Dec, 2006, 10:11)
QuoteBegin-xlibman+12 Dec, 2006, 9:1-->
QUOTE (xlibman @ 12 Dec, 2006, 9:10)
wtf is that kerm? :gah:fou.gif

XSS = Cross-Site Scripting
SQLI = [My]SQL Injection
JSI = Javascript Injection  

 wtf is that kerm? :gah:fou.gif

Offline rivereye

  • LV8 Addict (Next: 1000)
  • ********
  • Posts: 996
  • Rating: +0/-0
    • View Profile
Feature Requests
« Reply #12 on: December 13, 2006, 10:49:00 am »
elf, I don't think I have that stuff from you. Also, you are more than free to look at the source (and if any one else wants it, things could probably worked out in some way or another).
>(<')

Offline KermMartian

  • Editor
  • LV7 Elite (Next: 700)
  • *******
  • Posts: 500
  • Rating: +233/-20
    • View Profile
    • Cemetech
Feature Requests
« Reply #13 on: December 14, 2006, 08:41:00 am »
QuoteBegin-xlibman+13 Dec, 2006, 10:37-->
QUOTE (xlibman @ 13 Dec, 2006, 10:37)
QuoteBegin-KermMartian+13 Dec, 2006, 10:11-->
QUOTE (KermMartian @ 13 Dec, 2006, 10:11)
QuoteBegin-xlibman+12 Dec, 2006, 9:1-->
QUOTE (xlibman @ 12 Dec, 2006, 9:10)
wtf is that kerm? :gah:fou.gif

XSS = Cross-Site Scripting
SQLI = [My]SQL Injection
JSI = Javascript Injection

wtf is that kerm? :gah:fou.gif

 It makes bad stuff happen to the server and database. :)smile.gif



elfprince13

  • Guest
Feature Requests
« Reply #14 on: December 14, 2006, 01:39:00 pm »
QuoteBegin-KermMartian+14 Dec, 2006, 14:41-->
QUOTE (KermMartian @ 14 Dec, 2006, 14:41)
QuoteBegin-xlibman+13 Dec, 2006, 10:37-->
QUOTE (xlibman @ 13 Dec, 2006, 10:37)
QuoteBegin-KermMartian+13 Dec, 2006, 10:11-->
QUOTE (KermMartian @ 13 Dec, 2006, 10:11)
QuoteBegin-xlibman+12 Dec, 2006, 9:1-->
QUOTE (xlibman @ 12 Dec, 2006, 9:10)
wtf is that kerm? :gah:fou.gif

XSS = Cross-Site Scripting
SQLI = [My]SQL Injection
JSI = Javascript Injection

wtf is that kerm? :gah:fou.gif

It makes bad stuff happen to the server and database. :)smile.gif

 here's a summary of some general hacking techniques (without instructions...primarily for website defacements, but remote code execution can be a problem as well):

XSS allows hackers to insert their own code into a webpage, this comes in a huge variety of forms, forums, and any sort of messaging system tends to be vulnerable.

SQL injections allows hackers to manipulate the database at will and occasionally even execute arbitrary code on the server.

Javascript Injections are typically used for cookie stealing in conjunction with XSS, or for escalation of permissions.

other bad things that can happen:

using upload forms to overwrite files.

using download forms to view sourcecode that shouldn't be viewed.


----------------------

@rivereye: here's the code you need that will remove the risk of SQL injections entirely, you should also call strip_tags() on any data that there is any chance of ever being displayed.

c1
-->
CODE
ec1 // mysql_query() wrapper. takes two arguments. first