Hello, All:

I have been testing and learning by building this simple CMS application and want to see if it works OK, but most importantly, would like to know if any of you are able to hack it. It's a simple "notepad" that allows people to register their own id/pw and track their own note "posts". It restricts the display to each user's respective notes, only and only if they are logged in. If they are not, then they shouldn't be able to see any notes at all, and are re-directed instead to the "Login" form.

The site link is:
http://www.notepad.mediaiworks.com/

I would like to see if you guys can bypass restrictions or hack it in any way possible, or view other users' notes.. I just wanna make sure I am doing things right from a security standpoint... appreciate any comments!

Here below are 2 users already in the DB, so you can login with either one and see how you should be able to see ONLY each person's "notes".

Design may be kind of off, but that's because I'm still working on it...

Thanks!

          ID               Password
User 1    user1@site.com   123
User 2    user2@site.com   456

Well you haven't escaped any data for one. So I thought I'd add a couple of hundred JS alerts every time you refresh a page :)

R.

Hi, Robothy... yours is the first hack into my CMS, though I'm not sure if you did it when I was doing some work in it and screwed things up in the process... I see you tested around 5:30 pm based on my db records, which was after I had messed it up when I tried to work on files in another computer... so now I am not really sure if there was really a problem with the code or not... I believe I had the system able to escape data. But let me double check things over; gonna check over my original files...

Thanks! let you know...

Hey, Robothy... well, I reloaded my original files and did the same thing; I put in the same code you did and it gave me a javascript error; really odd.. I build my pages with Dreamweaver and it automatically generates (supposed to) all proper "checking and validation" in regards to form fields and stuff.. (I do see html entities as well as magicquotes stripped, etc. in the validation). I think it's been doing this OK all along, so not sure exactly why it's not catching the "hacked-text" here. I tend to customize the scripts quite a bit, so I am thinking somewhere along the line I might have broken apart code... going to disable the USERS for now, while I see what's going on.

Keep you posted and thanks again!

Hello, All...

Well, after checking things a bit, it seems the automated code written by Dreamweaver wasn't validating/filtering form fields properly! Weird... I ended up adding htmlentities into its code and ditto, it did it! But it seems very odd to me that with all the code Dreamweaver writes it wouldn't do that??!! At any rate, I tried the same javascript "hack" code, and now it writes it as html equivalents...

Does anyone here have any of this type of issue with Dreamweaver? I had been assuming all along that its code was safe enough to not worry much about it, but this testing here now makes me doubt it...

ALSO, I do have another issue with this mini-cms, if anybody can help...
When I tried to delete a specific user's "Note", it did it just fine. But then, to test it, I tried to delete an un-logged user's record and IT DELETED IT!! Not good... It's supposed to delete only a logged user's record! I wonder if my tables are not set up right?

See here a quick look at how my tables are set up and their relationships:

ACCOUNTS table:
id   email            pw    date
1    user1@site.com   123   10-01-08
2    user2@site.com   456   10-01-08

NOTEPAD table:
noteid   custid   subject    note          notedate   completed
4        1        Links      user-1-note   10-05-08   no
5        2        Contacts   user-2-note   10-04-08   no

As you can see, the common relationship in the tables is the id & custid fields, which refer to the user when logged in. So when I echo each user's respective "notes" I use the following sql, which seems to work ok:

SELECT *
FROM NOTEPAD, ACCOUNTS
WHERE NOTEPAD.custid = ACCOUNTS.id AND email = colname*
ORDER BY NOTEPAD.notedate DESC

*colname refers to logged-in user's "session" username.

Then I simply repeated the same "select" statement when trying to delete a specific record... am I really way off base??

Thanks for feedback again!
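As an added example (not the author's Dreamweaver/PHP code), here are the display query and the delete side by side on an in-memory SQLite copy of the two tables above, assuming the session username is the account email as the post describes. The point is that the DELETE must carry the same ownership condition as the SELECT: a noteid belonging to another account then deletes nothing, and note text is HTML-escaped on output so pasted script tags render as text.

```python
import html
import sqlite3

def make_db():
    """Constructed in-memory copy of the ACCOUNTS and NOTEPAD tables from the post
    (user 2's note text is constructed to contain markup, to show output escaping)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE ACCOUNTS (id INTEGER PRIMARY KEY, email TEXT, pw TEXT, date TEXT);
        CREATE TABLE NOTEPAD (noteid INTEGER PRIMARY KEY, custid INTEGER, subject TEXT,
                              note TEXT, notedate TEXT, completed TEXT);
        INSERT INTO ACCOUNTS VALUES (1, 'user1@site.com', '123', '10-01-08'),
                                    (2, 'user2@site.com', '456', '10-01-08');
        INSERT INTO NOTEPAD VALUES (4, 1, 'Links', 'user-1-note', '10-05-08', 'no'),
                                   (5, 2, 'Contacts', '<b>user-2-note</b>', '10-04-08', 'no');
    """)
    return db

def list_notes(db, session_email):
    """The display query from the post, parameterised, with the note fields escaped
    for HTML output instead of echoed raw."""
    rows = db.execute(
        "SELECT noteid, subject, note FROM NOTEPAD JOIN ACCOUNTS "
        "ON NOTEPAD.custid = ACCOUNTS.id WHERE ACCOUNTS.email = ? "
        "ORDER BY NOTEPAD.notedate DESC", (session_email,)).fetchall()
    return [(noteid, html.escape(subject), html.escape(note)) for noteid, subject, note in rows]

def delete_note_unscoped(db, noteid):
    """The failure mode described in the post: the WHERE clause checks only the
    noteid from the request, so any user's record can be deleted."""
    cur = db.execute("DELETE FROM NOTEPAD WHERE noteid = ?", (noteid,))
    db.commit()
    return cur.rowcount

def delete_note(db, session_email, noteid):
    """Fixed form: the same ownership condition as the display query is applied to
    the DELETE. Returns rows deleted: 1 for the caller's own note, 0 for anyone else's."""
    cur = db.execute(
        "DELETE FROM NOTEPAD WHERE noteid = ? "
        "AND custid = (SELECT id FROM ACCOUNTS WHERE email = ?)",
        (noteid, session_email))
    db.commit()
    return cur.rowcount
```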
