Programming C, C++, Java, PHP, Ruby, Turing, VB
Computer Science Canada 
 Security, Layout, and Data-flow Testing
DanShadow




Posted: Mon Oct 04, 2010 11:33 pm   Post subject: Security, Layout, and Data-flow Testing

I've been working recently on a prototype for a web-scheduling application, and was wondering if anybody feels bored if they'd like to test the site (so far), and offer any suggestions/feedback?

It uses a MySQL Database for data storage, SHA1 hashes for passwords, and session variables for page-to-page data flow.

The Login URL is: http://www.danshadowproductions.0sites.net/Login.php
The Create User URL is: http://www.danshadowproductions.0sites.net/CreateUser.php (also linked from Login page)
(When creating a user, the only business registered is Danshadow Productions. The form uses an Ajax Database table check to reference what you're typing to possible business names, and suggests them to you dynamically)

The site is set up so no user can view a schedule until the business owner has verified their username manually, so feel free to log in as my employee account to see how I bring all the tables together.

Username: Dan
Password: dark

Here is the URL to a page I'm using to test out schedule editing (non-functional, but gives the general idea): http://www.danshadowproductions.0sites.net/test2.php

So yeah, any feedback or suggestion would be much appreciated!

[Update]: Just found a bug, but I'm exhausted so I'm gonna leave it for now.. wonder if anybody else will pick up on it, lol.
Dan




Posted: Tue Oct 05, 2010 3:33 am   Post subject: RE:Security, Layout, and Data-flow Testing

Something does not seem right about how it is processing some chars in the forms. For example putting a ' anywhere will redirect to http://0000free.com/e/403.html.

If you want a good review of the security you should post the code.
DemonWasp




Posted: Tue Oct 05, 2010 4:26 am   Post subject: RE:Security, Layout, and Data-flow Testing


  • Incorrect escaping of arguments on CreateUser.php; putting a double-quote anywhere in the string given returns \". Similarly, putting a backslash anywhere in the string returns \\.
  • Incorrect redirect of bad requests (such as what Dan noted above).
  • Poor form to use styles, bgcolor and similar HTML attributes instead of CSS classes. You should switch to CSS as soon as possible, or you'll have worse headaches down the road.
  • Please choose a better font, increase the font size, or otherwise make things easier to read. Hard to read == hard to use.
  • Too sleepy to continue.
  • Post source code and config files and it'll be easier for us to find security faults (and therefore your site would be more secure).
DanShadow




Posted: Tue Oct 05, 2010 12:53 pm   Post subject: Re: Security, Layout, and Data-flow Testing

Thanks for the help :).

I've corrected most of the character entry issues with the CreateUser form, but I'm confused as to why using the ' character is doing any redirecting...

This is the check I do for "bad characters" entered in the "username" field of the form:
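Code wrote:

// Characters that are not allowed in a username
$badchars=array("!","@","#","$","%","^","&","*","{","}","<",">","/","|","?","'","\\","\"");

// Compare every character of the submitted username against every bad character
for ($j=0; $j<strlen(trim($_POST["username"])); $j++)
{
    for ($k=0; $k<count($badchars); $k++)
    {
        if (substr(trim($_POST["username"]),$j,1) == $badchars[$k])
        {
            // Report the problem and clear the field so the form is rejected
            $error="Your username cannot contain the following characters: ! @ # $ % ^ & * { } / < > | ? ' \\ \"";
            $_POST["username"]="";
        }
    }
}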


Then after checking the form for completeness, and ensuring the business name exists in the database, it inserts the data into the "users" table.

There is absolutely no redirection (except the form which submits post data to the same page).. so I'm not sure why entering ' would cause any redirection.

Any thoughts?

I'm not too worried about security, as most of what I have implemented is on suggestions from Hacker Dan ;).

I've actually never worked on CSS before, but after seeing some other web-sites offering similar services it seems to be a bit of a necessity, so I think I'll have to look into learning CSS.

Thanks again!
jcollins1991




Posted: Tue Oct 05, 2010 3:31 pm   Post subject: Re: Security, Layout, and Data-flow Testing

If you know regular expressions you should try using them for the username check (there's a function preg_match in PHP). You could do the same check using "[!@#$%^&*{}<>/|?'\]+" which will return a true value if there's at least one of the bad characters. Even easier would be "^[a-zA-Z0-9_]+$" which matches any letter/number combination (from start to end) with underscores allowed and length of at least one. In the end it's always gonna be easier to match exactly what you want to accept than to try and think up all possible inputs to reject.
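
The two checks from the post above side by side, as an added example that is not part of the original thread. The denylist is written with the backslash escaped and the double quote included so that it covers the same characters as the $badchars array; the function names, the 32-character limit and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Function names, the length
// limit and the sample inputs are constructed for illustration.

// Denylist: accept the name unless it contains a character from the
// original $badchars array. Anything that is not listed gets through.
function passes_denylist(string $name): bool
{
    // preg_match returns false on error, so errors are rejected as well
    return preg_match('~[!@#$%^&*{}<>/|?\'\\\\"]~', $name) === 0;
}

// Allowlist: letters, digits and underscore only, 1 to 32 characters.
// \z anchors at the very end of the string; a plain $ would also match
// just before a trailing newline and let "dan\n" through.
function passes_allowlist(string $name): bool
{
    return preg_match('/\A[a-zA-Z0-9_]{1,32}\z/', $name) === 1;
}

// Constructed sample usernames
$samples = array("Dan", "dan_shadow42", "dan shadow", "dan;", "dan(1)", "dan\n", "d'an", "");

foreach ($samples as $name) {
    printf("%-16s denylist=%-6s allowlist=%s\n",
        json_encode($name),
        passes_denylist($name) ? "accept" : "reject",
        passes_allowlist($name) ? "accept" : "reject");
}
```

The space, semicolon, parenthesis, trailing-newline and empty-string samples pass the denylist and are rejected by the allowlist. Neither check replaces parameterized queries when the value is inserted into the "users" table.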
Amailer




Posted: Tue Oct 05, 2010 4:22 pm   Post subject: RE:Security, Layout, and Data-flow Testing

Redirection might have something to do with your host as it's happening on all forms - and it's redirecting it to a "403 forbidden" page.
Maybe something like MOD SECURITY is enabled and is doing those redirects.

In PHP ++$variable is faster than $variable++ and calculating the char length in a separate variable prior to the for loop is faster than doing it in the for loop.
DanShadow




Posted: Tue Oct 05, 2010 9:22 pm   Post subject: RE:Security, Layout, and Data-flow Testing

Tx jcollins, I'll have to look into that.
Also, thanks for the tip Amailer, I wasn't aware of that!
DanShadow




Posted: Thu Oct 07, 2010 9:51 pm   Post subject: RE:Security, Layout, and Data-flow Testing

Hey all,

I was trying to implement an AJAX request structure when generating a schedule (so I could add in dynamic controls), but can't seem to access PHP session variables outside the main page.

Does anybody know if there is a way to do this?

[Update]
Maybe I'll explain a bit better.

There are two pages:
MainPage.php
RequestPage.php

MainPage.php calls 'onLoad(requestScheduleData())' in the body tag, which uses AJAX to load the schedule format from RequestPage.php
MainPage.php also uses $_POST variables, and sets them as $_SESSION variables (like 'username').
When RequestPage.php generates the schedule, it attempts to read these $_SESSION variables to authenticate which user is accessing them, but can't seem to find them.

My question is, does anyone know if there is a way for my RequestPage.php to access $_SESSION variables created in the MainPage.php?

Thanks!
Drahcir




Posted: Sun Oct 10, 2010 12:54 pm   Post subject: Re: Security, Layout, and Data-flow Testing

Hum, session variables will stay across all pages unless you call session_destroy();
So usually what I'd do is have session_start() at the beginning of all my pages, but I'd only have session_destroy() on the logout page.
So either you're not calling session_start, or you're destroying your session at the end of your page. Otherwise, you should be able to access your session variables.
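
One way to apply the advice above to the MainPage.php / RequestPage.php setup, as an added example that is not code from the thread. The function names and the JSON response shape are hypothetical, 'username' is the session key named in the question, and the 'secure' cookie flag assumes the site is served over HTTPS.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical;
// 'username' is the session key mentioned in the posts above.

// Call at the top of every page (MainPage.php and RequestPage.php alike),
// before any output. Without session_start(), $_SESSION is empty.
function start_session(): void
{
    session_set_cookie_params(array(   // array form needs PHP 7.3+
        'httponly' => true,            // cookie not readable from JavaScript
        'secure'   => true,            // assumption: site is served over HTTPS
        'samesite' => 'Lax',
    ));
    session_start();
}

// Call only after the submitted password has been verified.
function login_user(string $username): void
{
    session_regenerate_id(true);       // new session ID on login; old one is discarded
    $_SESSION['username'] = $username;
}

// Guard for AJAX endpoints: returns the logged-in username or answers 401.
function require_login(): string
{
    if (empty($_SESSION['username'])) {
        http_response_code(401);
        header('Content-Type: application/json');
        echo json_encode(array('error' => 'not logged in'));
        exit;
    }
    return $_SESSION['username'];
}

// RequestPage.php would then begin like this:
start_session();
$username = require_login();
session_write_close();                 // release the session lock for parallel AJAX calls
header('Content-Type: application/json');
echo json_encode(array('user' => $username));
```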
DanShadow




Posted: Tue Oct 12, 2010 9:21 pm   Post subject: RE:Security, Layout, and Data-flow Testing

Hah, what do you know. I did forget to call "session_start()" on the request page >.<
Thanks!