The AnimeFanlistings Network Message Board



Messages - Mura

16
Fanlistings Chit-Chat / CodeGrrl PHP scripts vulnerability
« on: November 18, 2005, 02:00:14 PM »
[quote]Using the $_SERVER['QUERY_STRING'] method, at first glance, appears to be fine. (PHP.net documentation of pre-defined variables, including the $_SERVER array). The important bit is what the programmer does with that information. It is up to the programmer to, for example, check the 'QUERY_STRING' variable and make sure (1) the file exists, (2) the file is in the proper context (i.e. local vs. remote, basically not something the web server should not be accessing). THAT is where 99% of all vulnerabilities come from - programmers who do not check data the program receives. Never, ever trust your users to provide the right data. 99% of them will, but there will be that 1% who will input incorrect data because (1) they made a mistake, or (2) they're trying to break your program.[/quote]

So basically you're saying it would be best to provide additional conditionals to handle files that are not there and files that are not on the server, right?

17
Fanlistings Chit-Chat / CodeGrrl PHP scripts vulnerability
« on: November 16, 2005, 11:25:49 PM »
Hmmm... Sasha has taken the scripts offline due to other security risks. For the moment at least.

Anyway, I suppose this sort of begs the question... does anyone (glances in Johan's general direction  :kitty: ) know about security risks in the method CodeGrrl used for dynamic includes?

Code:
<?php
include('header.inc');
include 'config.php'; // you can include the config file here once
if(!$_SERVER['QUERY_STRING']) {
?>

CONTENT

<?php
} elseif ($_SERVER['QUERY_STRING'] == "whatever") {
?>

CONTENT

<?php
} include('footer.inc');
?>

Could that be used to call external documents?


And for the record (just in case), my intention isn't to attack CodeGrrl... I love the site and the tutorials. I think we all understand that sometimes things like this just happen.
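The two checks from the quoted explanation (does the file exist, and is it a local file the server is meant to serve) applied to the include pattern above, as an added example that is not code from CodeGrrl or from anyone in this thread. Note that the snippet as posted only compares the query string against fixed strings and includes fixed files; the question it raises applies to the common variant where the query value itself is handed to include(). The example assumes a pages/ directory next to the script and three made-up page names.

```php
<?php
// Added example, not CodeGrrl's or the poster's code.
// Assumed layout: this script sits next to a pages/ directory holding the
// content fragments (index.inc, about.inc, rules.inc).

include('header.inc');
include('config.php');

$pagesDir = realpath(dirname(__FILE__) . '/pages');
if ($pagesDir === false) {
    die('pages/ directory is missing');
}

// 1. Allowlist: the query value is only ever a key into this table, never a
//    file name. Anything not in the table falls back to the front page.
$pages = array(
    ''      => 'index.inc',
    'about' => 'about.inc',
    'rules' => 'rules.inc',
);

$key = isset($_GET['page']) ? (string) $_GET['page'] : '';
if (!array_key_exists($key, $pages)) {
    $key = '';
}

// 2. Existence and context: the resolved file must exist and must still be
//    inside pages/. With the allowlist this always holds; it is the check
//    that matters if a later edit builds the path from user input directly.
$target = realpath($pagesDir . '/' . $pages[$key]);

$insidePagesDir = ($target !== false)
    && strncmp($target, $pagesDir . DIRECTORY_SEPARATOR, strlen($pagesDir) + 1) === 0;

if ($target === false || !is_file($target) || !$insidePagesDir) {
    header('HTTP/1.0 404 Not Found');
    echo '<p>Page not found.</p>';
} else {
    include($target);
}

include('footer.inc');
?>
```

Independently of the script, whether include() will fetch an http:// URL at all is controlled by the server's allow_url_fopen setting (and, in later PHP releases, allow_url_include); turning those off removes remote includes regardless of what any one script checks.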

18
Fanlistings Chit-Chat / CodeGrrl PHP scripts vulnerability
« on: November 15, 2005, 08:55:29 PM »
[quote name='Firefly' date='Nov 15 2005, 07:48 PM']Thanks. Since I use Enthusiast though, I can't turn the register globals off.  =.=  So I'm making a quickie script for my hostees to use.
[/quote]



...Yes you can. Enthusiast doesn't require register_globals.

19
Fanlistings Chit-Chat / CodeGrrl PHP scripts vulnerability
« on: November 14, 2005, 09:52:14 PM »
[quote name='Shell' date='Nov 14 2005, 08:40 PM']I have a question....before when I used phpfanbase I had to add the

Code:
php_flag register_globals on
to my .htaccess to get the script to work. Now that I use Enthusiast, should I remove this snippet from my .htaccess?
[/quote]


Yeah, remove it. Enthusiast doesn't depend on register_globals, and it's safer to have it off. ^_^

20
Fanlistings Chit-Chat / CodeGrrl PHP scripts vulnerability
« on: November 14, 2005, 08:54:58 PM »
I know other CodeGrrl scripts, as they are now, assume register_globals is turned on, so it's likely that these will break when it's turned off. If so, they can probably be fixed by adding this somewhere:

Code:
extract($_GET, EXTR_SKIP);
extract($_POST, EXTR_SKIP);


I'm told that doesn't compromise security, but Johan can probably say whether or not it really does better than I can. ^^
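What the two extract() calls above do and do not protect, as an added example that is not code from the thread or from CodeGrrl. EXTR_SKIP only refuses to overwrite a variable that already exists when extract() runs; a variable the script assigns later, or only on some code path, does not exist yet and can be created from the request. The request array and the check_password_ok() stand-in below are constructed for the example.

```php
<?php
// Added example, not code from this thread or from CodeGrrl.
// Three versions of the same page-selection logic, fed the same request.

function check_password_ok()
{
    return false; // stand-in: the visitor is a guest, not the owner
}

// Variant 1: register_globals emulated with extract(). $is_admin is only
// assigned when the password check passes, so at extract() time it does not
// exist and EXTR_SKIP has nothing to skip: the request can create it.
function script_v1($get)
{
    extract($get, EXTR_SKIP);
    if (check_password_ok()) {
        $is_admin = true;
    }
    return array(
        'page'     => isset($page) ? $page : 'index',
        'is_admin' => !empty($is_admin),   // may come from the query string
    );
}

// Variant 2: every variable that must never come from the request is
// initialised BEFORE extract(). Now EXTR_SKIP really does skip $is_admin.
// $page is deliberately left unset so the request may still supply it.
function script_v2($get)
{
    $is_admin = false;
    extract($get, EXTR_SKIP);
    if (check_password_ok()) {
        $is_admin = true;
    }
    return array(
        'page'     => isset($page) ? $page : 'index',
        'is_admin' => $is_admin,           // request can no longer reach this
    );
}

// Variant 3: no extract() at all. Read the one value the page needs from the
// array by name and validate its shape; nothing else from the request
// becomes a variable.
function script_v3($get)
{
    $page = 'index';
    if (isset($get['page']) && preg_match('/^[a-z0-9_-]{1,32}$/', $get['page'])) {
        $page = $get['page'];
    }
    return array(
        'page'     => $page,
        'is_admin' => check_password_ok(),
    );
}

// Constructed request: ?page=about&is_admin=1
$request = array('page' => 'about', 'is_admin' => '1');

var_dump(script_v1($request));
var_dump(script_v2($request));
var_dump(script_v3($request));
?>
```

Running this shows the difference the ordering makes: only variant 1 lets the request decide $is_admin. For a script being converted away from register_globals, variant 2 is the minimal fix (initialise first, then extract); variant 3 is what to move to when the script is touched anyway.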

21
General / Question about the yaoi/shounen-ai genre listings
« on: November 08, 2005, 03:19:16 PM »
[quote name='Kimmu' date='Nov 8 2005, 01:44 PM']And this brings up another question that was posed to me and that has been niggling at my brain. Is Boy's Love/BL an approvable genre listing?
[/quote]


Put another way, technically all yaoi is BL, but all BL is not yaoi, right?

22
Questions for the Senior Staff / Re: Fake Members/Spammers
« on: October 26, 2005, 12:31:51 PM »
I've recently had a person trying to join one of my fanlistings. Several things make me think it could be a spammer: first, the name and the comments appear to be in Chinese, but the person claims to be from Serbia. Secondly, the email address is vbdfe @ hotmail.com, which, from my experience with blog comment spam, is a clear indicator of spam. Also, the website they're submitting is http:// www . xg7899 . com (didn't want it to make an actual link, in case it IS god knows what). Again, with the suspicions and being afraid to click on a fishy URL. Lastly, I ran the comments through a translator. It didn't make a lot of sense, but it seemed to be about Chinese travel agencies.

Now, I know I could just not link the site, but the thing is I DO suspect this is a spammer and not an actual fan joining.

What should I do?


EDIT: I just noticed that Neon just posted with a very similar problem... I'm sorry about having made what amounted to a double post. At least I know it's not just me with this problem.  :rolleyes:

23
News and Announcements / HAPPY 1ST BIRTHDAY, TAFL!!
« on: September 24, 2005, 02:06:54 PM »
Happy birthday, TAFL!

And thanks a lot to the staffers that keep it running.  ;)

24
News and Announcements / NEW CATEGORIES on the way!
« on: May 12, 2005, 05:17:31 PM »
[quote name='Danielle' date='May 12 2005, 01:02 PM']I think that would be up to the staffer's discretion. ^^;
[/quote]


*looks shifty*   :D  :)

25
News and Announcements / NEW CATEGORIES on the way!
« on: May 12, 2005, 01:50:58 PM »
So what about real world locations that have particular importance in a manga series, to the point where they even have magical/whatever characteristics that make them basically different from the real world counterparts?

Specifically, I'm thinking of Rainbow Bridge as a location in X. Yes, Rainbow Bridge IS a real location. But it's also a kekkai, which means it acts as a magical or mystical protective barrier, AND it's particularly important because a huge plot point takes place there. Plus, one could also argue that the X world is an alternate universe from our own.

I'm guessing that's still a no?   :)

26
Questions for the Senior Staff / Applying for story arcs?
« on: October 14, 2004, 10:02:12 PM »
I was thinking that not all anime series are clearly divided into seasons. I mean, I suppose you COULD do it, but in some cases, the story is much more clearly divided by story arcs.

So is it possible to apply for story arcs within a series? Like for instance the Black Rose arc in Utena, or Kantou Senbatsu arc in TeniPuri? And if it's possible, would it go in the series category, the way seasons do?
