Ok, so I'm currently making a buying portal where you can buy products from me, currently none.
I was wondering if you guys can try to hack it and then tell me how to fix it or at least say what method you used.
Currently there's one test product, so if you guys get in and manage to download it you can give me the code.
[URL]http://download.dynamiceffect.net/[/URL]
Best Regards
EDIT:
Also if you try to register, it will send an activation mail.
It tells me missing fields, though I've entered my username, my password and my email.
brb trying to break it.
did you enter a password that's longer than 5 characters?
If you did then it may be the email algorithm that's not working 100%
[code]function isValidEmail($email){
return eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email);
}[/code]
Breaking atm, tell me if it works. (check the database)
@Bi0hazard fixed it, I activated the account too.
@Crhem van der B not according to the DB. Only 4 new accounts since I posted the thread.
Ah, wait a second then, I'll fix that.
EDIT:
Ok, check again.
Still no more accounts added.
Ah, famous last words.
If it didn't work now shoot me with boxes.
Go Stanky, go for great justice into his DATERBASE.
Last user should be called "lol743".
[QUOTE=Crhem van der B;26101648]If it didn't work now shoot me with boxes.[/QUOTE]
it worked.
But that's not hacking. I want someone to try to hack it, not register an account :)
[QUOTE=yuriman;26101134]did you enter a password that's longer than 5 characters?
[/QUOTE]
No, but it would be nice to include an error message saying that? Just saying, though the site seems like it's nowhere near finished.
I'm currently developing on it so stuff isn't done. Just the client functions. So admin stuff and design for all pages isn't done.
I'm going to add custom error messages soon.
[QUOTE=yuriman;26101134]did you enter a password that's longer than 5 characters?
If you did then it may be the email algorithm that's not working 100%
[code]function isValidEmail($email){
return eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email);
}[/code][/QUOTE]
Here's a tip. This is a valid email, your regular expression is broken:
[img]http://i.imgur.com/sy9Z1.png[/img]
[url]http://www.faqs.org/rfcs/rfc882.html[/url]
Edit: Also, innocuous, but you might want to hide this: [url]http://download.dynamiceffect.net/index.php?page=admin[/url]
Edit2: I haven't hit anything yet, but are you protecting your page including thingy against directory traversal attacks?
[QUOTE=StankyJoe;26101954]Here's a tip. This is a valid email, your regular expression is broken:
[img_thumb]http://i.imgur.com/sy9Z1.png[/img_thumb]
[URL]http://www.faqs.org/rfcs/rfc882.html[/URL]
Edit: Also, innocuous, but you might want to hide this: [URL]http://download.dynamiceffect.net/index.php?page=admin[/URL]
Edit2: I haven't hit anything yet, but are you protecting your page including thingy against directory traversal attacks?[/QUOTE]
Thanks, also the admin page isn't protected because the file isn't added yet, so you can't protect something that doesn't exist :)
It's just in the page list.
From what I saw on Wikipedia about directory traversal attacks, yes. You can only access pages that are in an array; if it isn't there you can't access it.
Changed to a better way to check if it's valid or not. So now you can't use invalid domains. Is this preg_match correct?
[code]function isValidEmail($email) {
    if(preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])?*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/", $email)){
        list($username,$domain)=split('@',$email);
        if(!checkdnsrr($domain,'MX')) {
            return false;
        }
        return true;
    }
    return false;
}[/code]
[QUOTE=yuriman;26102070]Thanks, also the admin page isn't protected because the file isn't added yet, so you can't protect something that doesn't exist :)
It's just in the page list.
From what I saw on Wikipedia about directory traversal attacks, yes. You can only access pages that are in an array; if it isn't there you can't access it.[/QUOTE]
That's a bit of a pain, but if you have a fairly limited number of pages it works just fine, and yes, you're safe.
It's a limited number of pages since it's not a CMS, just a buy script portal, but when I make a CMS I'll use that method.
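The "pages in an array" check discussed above, written out as an added example (not the portal's actual code; the page names and the pages/ directory are assumed), next to the unsafe pattern it replaces:

```php
<?php
// Added example, not code from the thread. The request value is only ever
// used as a KEY into a fixed array; the filesystem path comes from the array,
// so no user-controlled string ever reaches include().

// UNSAFE pattern for comparison: the request string is spliced straight into
// the path, so a value containing "../" can escape the pages/ directory.
function includePageUnsafe(string $page): void {
    include 'pages/' . $page . '.php';
}

// Whitelist of routable pages. Keep unfinished pages (e.g. admin) OUT of this
// list until the file exists and is protected; listing them advertises them.
const PAGES = [
    'home'     => 'pages/home.php',
    'products' => 'pages/products.php',
    'register' => 'pages/register.php',
];

/** Returns the file to include, or null when the page is not whitelisted. */
function resolvePage($requested): ?string {
    // $_GET['page'] can be an array (?page[]=x), so check the type too.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;   // unknown page: caller shows 404, nothing is included
    }
    return PAGES[$requested];
}

$file = resolvePage($_GET['page'] ?? 'home');
if ($file === null) {
    http_response_code(404);
    echo 'Page not found';
} else {
    include $file;
}
```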
[img]http://i.imgur.com/5zvwM.png[/img]
uh oh
[QUOTE=StankyJoe;26102250][img_thumb]http://i.imgur.com/5zvwM.png[/img_thumb]
uh oh[/QUOTE]
Can you post a working one then?
Yes, I found a working one after some minutes searching.
"/^[_a-zA-Z0-9-]+(\.[_a-zA-Z0-9-]+)*@[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)+$/"
[QUOTE=yuriman;26102464]Yes, I found a working one after some minutes searching.
"/^[_a-zA-Z0-9-]+(\.[_a-zA-Z0-9-]+)*@[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)+$/"[/QUOTE]
It's still about as good as the first one you posted - just use the PHP filter function, it's at least somewhat compliant.
nvm
Just don't bother validating email addresses.
[editline]17th November 2010[/editline]
You should [b]verify[/b] them, i.e. send a confirmation email, but if the user inputs a valid, but nonexistent email then that confirmation isn't going to get to them regardless.
[QUOTE=pro ruby dev;26103792]Just don't bother validating email addresses.
[editline]17th November 2010[/editline]
You should [b]verify[/b] them, i.e. send a confirmation email, but if the user inputs a valid, but nonexistent email then that confirmation isn't going to get to them regardless.[/QUOTE]
I'm getting to the point where I simply run some very loose validation on the client-side (more than anything it helps the user by pointing out any obvious mistake), and send it anyway, and as you said if the email isn't valid, the user simply cannot confirm it.
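The approach the last few posts converge on (loose syntax check with PHP's built-in filter, then verification by email), as an added example that is not code from the thread; the DNS lookup is injectable so the demo runs offline with a constructed stub:

```php
<?php
// Added example, not code from the thread. Syntax validation with filter_var
// only catches typos; the random token mailed to the user is what proves the
// address is real and reachable.

/**
 * Returns the trimmed address when the syntax is acceptable and the domain
 * has mail records, otherwise null. $dnsCheck is injectable for offline tests;
 * pass null in production to use checkdnsrr().
 */
function validateEmail(string $email, ?callable $dnsCheck = null): ?string {
    $email = trim($email);
    // filter_var accepts addresses the thread's regexes rejected
    // (e.g. "user+tag@sub.example.co.uk") and rejects missing/multiple '@'.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $domain = substr($email, strrpos($email, '@') + 1);
    $dnsCheck ??= fn(string $d): bool => checkdnsrr($d, 'MX') || checkdnsrr($d, 'A');
    if (!$dnsCheck($domain)) {
        return null;        // syntactically fine, but nothing would deliver there
    }
    return $email;
}

/** Unguessable 128-bit token to mail to the user as the activation link. */
function newVerificationToken(): string {
    return bin2hex(random_bytes(16));
}

/** Store this hash (not the raw token) with the unactivated account. */
function verificationTokenHash(string $token): string {
    return hash('sha256', $token);
}

// Offline demo with a constructed DNS stub: only example.com "has" mail records.
$fakeDns = fn(string $d): bool => strtolower($d) === 'example.com';
foreach (['user+tag@example.com', 'no-at-sign', 'someone@nomx.invalid'] as $e) {
    printf("%-25s => %s\n", $e, validateEmail($e, $fakeDns) ?? 'rejected');
}
$token = newVerificationToken();
echo "DB stores: " . verificationTokenHash($token) . "\n";
echo "Mail contains: https://shop.example/activate.php?token=$token\n";
```

On the activation callback, hash the submitted token the same way and compare it against the stored hash, then mark the account active.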