I'm not disputing the classes won't, by the way, if it comes across like that; I'm only offering advice and "Golden Rules" on something I know a fair amount about, something that will kill any project dead before it's begun if not addressed correctly. Unless you have personally written those classes and know exactly what's happening with any given scenario of submitted data, do not trust anything or take it for granted; be very thorough, because there are some seriously talented operators out there that can CSRF or inject for fun. End note: best of luck with it and above all have fun doing so =]
Quote:
Bump: Quote:
http://opentracker.nu/demo/user/logout/

As the avatar URL prevents me from logging in, you should pay attention to what I was saying. An xbtit developer originally showed me this, and it's probably a common hack in PHP where developers assume no URL sanitization is required. I suggest you check getimagesize out; this will validate a URL against an image...
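The avatar check the post above points at, written out as an added example for this thread (it is not openTracker's or xbtit's code). The site hostname `tracker.example`, the 200x200 pixel limit and the allowed image types are assumptions; the point is that a stored avatar URL must be an absolute http(s) URL, must not point back at the tracker's own action URLs, and must actually resolve to an image before it is ever rendered in an `<img>` tag.

```php
<?php
// Added example: validate a user-supplied avatar URL before storing it.
// Assumptions: the tracker's own host is tracker.example; avatars may be
// GIF/JPEG/PNG up to 200x200 pixels. Both values are constructed for this example.
const OWN_HOST = 'tracker.example';
const MAX_AVATAR_DIMENSION = 200;

/**
 * Returns the URL if it is acceptable as an avatar, or null if it must be rejected.
 */
function validate_avatar_url(string $url): ?string
{
    // 1. Must parse as an absolute URL with scheme and host.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($url);
    $scheme = strtolower($parts['scheme'] ?? '');
    $host = trim($parts['host'] ?? '', '[]'); // strip IPv6 brackets for the IP check below
    if (!in_array($scheme, ['http', 'https'], true) || $host === '') {
        return null; // rejects javascript:, data:, file: and friends
    }

    // 2. Never let the avatar point back at this site: an <img src="https://tracker/user/logout/">
    //    would make every viewer's browser hit the logout URL, which is the trick described in the thread.
    if (strcasecmp($host, OWN_HOST) === 0) {
        return null;
    }

    // 3. Refuse literal loopback/private/reserved addresses, because getimagesize() below
    //    makes the *server* fetch the URL.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false
        && filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        return null;
    }

    // 4. Confirm the resource really is an image (the getimagesize check the post suggests).
    //    Requires allow_url_fopen; the @ suppresses the warning for unreachable URLs.
    $info = @getimagesize($url);
    if ($info === false) {
        return null;
    }
    [$width, $height, $type] = $info;
    if (!in_array($type, [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG], true)) {
        return null;
    }
    if ($width > MAX_AVATAR_DIMENSION || $height > MAX_AVATAR_DIMENSION) {
        return null;
    }
    return $url;
}

/**
 * Render the stored avatar; the attribute is escaped so a stored value cannot break out of src="".
 */
function avatar_img_tag(string $storedUrl): string
{
    return '<img src="' . htmlspecialchars($storedUrl, ENT_QUOTES, 'UTF-8') . '" alt="avatar">';
}

// Usage on the profile form handler:
// $avatar = validate_avatar_url($_POST['avatar_url'] ?? '');
// if ($avatar === null) { /* reject the edit */ } else { /* store $avatar */ }
```

Two caveats a practitioner should keep in mind. First, `getimagesize()` on a remote URL is a server-side fetch, so step 3 only blocks literal addresses; a hostname can still resolve to an internal address, and a production check should resolve the name and re-apply the same range test (or fetch through an egress proxy). Second, validating the avatar does not remove the underlying problem the next post raises: the logout URL itself must not be triggerable by a plain GET from any page.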
Quote:
As you know, we had made a demo account (www.opentracker.nu/demo), but now we have been forced to cancel the edit profile account; someone seemed to go in and change the password! So unfortunately you cannot test those capabilities any further in the edit profile.
Quote:
Quote:
But we removed the avatar and disabled the demo user from being editable.
Quote:
Sanitizing inputs is one thing, but checking the source of the input is another. That's CSRF: you have to check the source of the request. When you're displaying a form, you're expecting data from this form only, and block other requests issued by a foreign site/domain or your own platform. When you're displaying an action link (like add as friend, logout, delete account etc.), only the page where the link is displayed can trigger the process. Currently, it's possible to call all your URLs from everywhere (a foreign site and your CMS itself).
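The request-source check described in the post above, as an added example for this thread (not openTracker's code): a per-session synchronizer token embedded in every state-changing form, verified with a constant-time compare, combined with an Origin/Referer check against the site's own origin. The origin `https://tracker.example` and the `/user/logout` route are assumptions.

```php
<?php
// Added example: CSRF protection for state-changing actions (logout, add friend, delete account).
// Assumption: the site's own origin is https://tracker.example (constructed for this example).
session_start();

const SITE_ORIGIN = 'https://tracker.example';

/** One random token per session, created on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Hidden field to drop into every form that changes state. */
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/** Origin (preferred) or Referer must match our own scheme, host and port. */
function request_is_same_origin(): bool
{
    $source = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    if ($source === '') {
        return false; // no source header at all: refuse rather than guess
    }
    $got = parse_url($source);
    $want = parse_url(SITE_ORIGIN);
    return isset($got['scheme'], $got['host'])
        && strtolower($got['scheme']) === $want['scheme']
        && strcasecmp($got['host'], $want['host']) === 0
        && ($got['port'] ?? null) === ($want['port'] ?? null);
}

/** Call at the top of every handler that changes state; stops the request if it fails. */
function verify_state_change(): void
{
    // A GET link can be triggered by an <img> tag on any page; only POST is accepted.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('State changes must be submitted with POST');
    }
    $sent = $_POST['csrf_token'] ?? '';
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent) || !request_is_same_origin()) {
        http_response_code(403);
        exit('Request did not originate from this site');
    }
}

// Rendering the logout control as a form instead of a bare link:
function logout_form_html(): string
{
    return '<form method="post" action="/user/logout">' . csrf_field() . '<button>Logout</button></form>';
}

// Handling /user/logout:
if (($_SERVER['REQUEST_URI'] ?? '') === '/user/logout') {
    verify_state_change();
    $_SESSION = [];
    session_destroy();
    header('Location: /');
    exit;
}
```

The token check is what actually stops a foreign site: it cannot read the victim's session token, so it cannot forge the form. The Origin/Referer check is a second, independent layer and also closes the "from your own CMS" case the post mentions, because an `<img>` tag never sends a POST with the hidden field. Turning the logout link into a POST form is the change that makes the avatar-URL trick in this thread inert.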
Quote:
Bump: Uploading the latest build of openTracker to the demo... enjoy