I bring gifts of FOSS forums.

Posted: Mon Sep 01, 2008 9:53 am
by OasisGames
Now here's a place I haven't been for ages.
I've spent the last few months working day-in and day-out on my forum, even bought a new domain for it (two nights ago, just in time for this release).

Anyway, enough of that, let's get to the point: PHPwnage, as I dubbed it over a year ago, is a completely open-source forum, calendar, image gallery, and more, and I finally released a new stable build (the last real release I don't even remember, and it was far from stable).

Read the release notes and download links.

I'm always looking for help, and what better place to get it than here? If you see something you don't like, think of something you want added, or anything else that can improve the forum (we're looking for dedicated coders), just pop by on any one of our sites (preferably the one linked above, which will link you to our Launchpad account).

Thanks for your time.

Re: I bring gifts of FOSS forums.

Posted: Mon Sep 01, 2008 10:00 am
by onion2k
There are a number of problems with your site that I wouldn't expect to see in something that's at version 1.8.

Re: I bring gifts of FOSS forums.

Posted: Mon Sep 01, 2008 10:10 am
by OasisGames
onion2k wrote:There are a number of problems with your site that I wouldn't expect to see in something that's at version 1.8.
And you're not going to tell me what they are? I'm sure there are plenty of problems with it, I'm the only one who's put any time into building it, and it's only been used on a forum with about five active members who probably don't see the same problems a skilled veteran of web design would see.

Why did I post here and expect any positive comments...

Re: I bring gifts of FOSS forums.

Posted: Mon Sep 01, 2008 10:44 am
by onion2k
Here's a little list of issues that I found with a couple of minutes of looking.

1. Between http://phpwnage.com/modules.php?m=notfound and http://phpwnage.com/modules.php?m=../modules it's obvious that you're trying to use require() on a $_GET variable. That is a MASSIVE security hole.

2. If you hide the sidebar there's no link to unhide it.
3. If you hide the sidebar then click to another page it comes back. It really should remember your preference.
4. http://phpwnage.com/article.php?id=465456464654 doesn't display a "Page not found" error.
5. http://phpwnage.com/forum.php?do=viewfo ... 5456456446 doesn't display a "Forum not found" error.
6. http://phpwnage.com/forum.php?do=viewpr ... 6545646464 doesn't display a "User not found" error.
7. http://phpwnage.com/calendar.php?view=d ... 4645646546 silently defaults to 1969 instead of giving an error.
8. The login error message page requires Javascript to go back. If you have JS switched off you're stranded.
9. Searching for ' (a single apostrophe) says your search terms were "\'" (backslash single apostrophe).
10. http://phpwnage.com/rss.php should be .xml ... some feed readers don't like things that end with the 'wrong' extension. (Pretty minor issue really)
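An added example (not code from PHPwnage or from anyone in this thread) of how items 1 and 4 to 8 of the list above can be handled in PHP: the module name from the URL is only used as a key into a fixed allowlist, so the path that is required never contains request data, and ids and years are parsed strictly so that garbage produces a proper "not found" page instead of a blank one or a silent default. The module names, file paths and the fetch behaviour are assumptions for the example.

```php
<?php
// Added example, not PHPwnage code: allowlisted module loading plus strict
// parameter parsing. Module names and paths are assumed; `m`, `id` and
// `view` follow the URLs quoted in the list above.

// Item 1: the request value is only ever a *key* into this map. The file
// that gets require()d comes from the map, so "../modules" or "notfound"
// simply map to null.
const MODULES = [
    'forum'    => 'modules/forum.php',
    'calendar' => 'modules/calendar.php',
    'gallery'  => 'modules/gallery.php',
];

function resolve_module($name): ?string {
    if (!is_string($name)) {          // $_GET['m'][]=x arrives as an array
        return null;
    }
    return MODULES[$name] ?? null;
}

// Items 4-6: an id is a canonical positive decimal integer or it is rejected.
// A well-formed id that matches no row must *also* end in not_found(); the
// lookup has to report an empty result instead of rendering an empty page.
function parse_id($raw): ?int {
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;                  // arrays, "", "0012", negatives, overlong values
    }
    return (int) $raw;
}

// Item 7: a year is four digits inside the range a 32-bit time_t can hold;
// anything else is an error rather than a silent fall-back to 1969.
function parse_year($raw): ?int {
    if (!is_string($raw) || !preg_match('/^[0-9]{4}$/', $raw)) {
        return null;
    }
    $year = (int) $raw;
    return ($year >= 1970 && $year <= 2037) ? $year : null;
}

function not_found(string $what): void {
    header('HTTP/1.1 404 Not Found');
    // Item 8: a plain HTML link back, so the page is usable without JavaScript.
    echo htmlspecialchars($what, ENT_QUOTES, 'UTF-8') . ' not found. <a href="/">Home</a>';
    exit;
}

// modules.php dispatcher: the single place where a file name is chosen.
$file = resolve_module($_GET['m'] ?? '');
if ($file === null) {
    not_found('Module');
}
require $file;

// Inside the individual pages the same shape applies, e.g. in article.php:
//   $id = parse_id($_GET['id'] ?? null);
//   if ($id === null || fetch_article($id) === null) not_found('Article');  // fetch_article() is assumed
// and in calendar.php:
//   $year = parse_year($_GET['view'] ?? null);
//   if ($year === null) not_found('Calendar year');
```

The key property is that no string derived from the request is ever concatenated into a path: the allowlist turns "which file" into a lookup whose only possible outcomes are the files listed and a 404.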

Re: I bring gifts of FOSS forums.

Posted: Mon Sep 01, 2008 11:34 am
by OasisGames
While I see what you're saying with all the "Not found" messages (check now, they're there), you're wrong about the Javascript as nothing prevents you from using your browser's back button. I can't change the rss extension to .xml as it would stop it from working on a default installation of Apache and PHP (including mine). I've also never had problems with it on any of the browsers or feed readers I've used. The search problem is not unescaping magic quotes, which happens to be on for my server (because it's normally on by default anyway). I'm not quite sure what to do about the calendar year problem, as you'll note it happens for "2038" as well (stupid 32-bit integer time codes...), and I accept any format accepted by PHP's date and time functions for the year. My last note, and then I have far more important things to work on: The sidebar is not meant to be hidden except in one place (the forum, which is specified in a user preference you set in your profile), as it provides the primary form of navigation on the site (you literally can't get anywhere outside of the index without a navigation block, so why would I have an option to screw the user?). The Javascript link provided to hide the sidebar is meant only to do it temporarily for the current page while you read an article or something.

e: I do hope you're not the one who's forced me into my current situation, and I'm very sorry about what I've just done. Anyway, as my downtime message says, don't security-test the forum in its live environment, download it and put it on a private server if you want to do that, as clearly someone's decided to do just that to my actual set up and I and my entire family have lost our connection due to a clogged pipe.

Re: I bring gifts of FOSS forums.

Posted: Mon Sep 01, 2008 12:19 pm
by onion2k
OasisGames wrote:you're wrong about the Javascript as nothing prevents you from using your browser's back button
I am right about the Javascript. You are presenting the user with a link that won't work. They can work around it by using the back button, or the address bar, or leaving the site completely, but those are solutions that you have not presented to them; if the page has no escape mechanism the user is stranded.
OasisGames wrote:e: I do hope you're not the one who's forced me into my current situation, and I'm very sorry about what I've just done. Anyway, as my downtime message says, don't security-test the forum in it's live environment, download it and put it on a private server if you want to do that, as clearly someone's decided to do just that to my actual set up and I and my entire family have lost their connection due to a clogged pipe.
I don't think that's me. I 'tested' it by manually entering things into my browser's address bar, and I've not done anything on your site since I posted that list.

Re: I bring gifts of FOSS forums.

Posted: Mon Sep 01, 2008 12:27 pm
by matthijs
I think it's pretty impressive you've built that all by yourself. Seems like a lot of work.

Haven't had enough time to look at the site. Looking at a few code files, I wonder if you have some sql injection prevention in place? I see a lot of queries directly using $_POST[''] values without any escaping?

Re: I bring gifts of FOSS forums.

Posted: Mon Sep 01, 2008 12:44 pm
by OasisGames
matthijs wrote:I think it's pretty impressive you've built that all by yourself. Seems like a lot of work.

Haven't had enough time to look at the site. Looking at a few code files, I wonder if you have some sql injection prevention in place? I see a lot of queries directly using $_POST[''] values without any escaping?
In my rush to get it out the door, I missed a few things, like filtering integer values and ensuring everything was escaped (the latter I don't normally need to deal with on my server as I have magic quotes enabled, as per defaults, so I sometimes slip up and miss an mse()). I just got them all fixed up now, but... as it's taking three minutes for anything to load, I can't get the updates out. The bazaar push just now finished, I started it minutes ago.

This was one of the reasons I posted here, you guys would catch these horrible mistakes faster than me.
onion2k wrote:I am right about the Javascript. You are presenting the user with a link that won't work. They can work around it by using the back button, or the address bar, or leaving the site completely, but those are solutions that you have not presented to them; if the page has no escape mechanism the user is stranded.
Guess I didn't see it that way. I'll work on it after the security updates.

Re: I bring gifts of FOSS forums.

Posted: Mon Sep 01, 2008 2:09 pm
by onion2k
OasisGames wrote:(the latter I don't normally need to deal with on my server as I have magic quotes enabled, as per defaults, so I sometimes slip up and miss an mse())
Magic quotes is off by default since PHP 5 isn't it? It's certainly been removed completely in PHP 6. Regardless of that though, I've found with the stuff I've released you can't rely on any specific set up for the user's environment if you want people to download your code and try it out. Everything should either be a setting in a config file, or better still automatically detected by the script.

Re: I bring gifts of FOSS forums.

Posted: Mon Sep 01, 2008 2:22 pm
by OasisGames
onion2k wrote:
OasisGames wrote:(the latter I don't normally need to deal with on my server as I have magic quotes enabled, as per defaults, so I sometimes slip up and miss an mse())
Magic quotes is off by default since PHP 5 isn't it? It's certainly been removed completely in PHP 6. Regardless of that though, I've found with the stuff I've released you can't rely on any specific set up for the user's environment if you want people to download your code and try it out. Everything should either be a setting in a config file, or better still automatically detected by the script.
Not in either of the installations I use (mostly a deb from the Ubuntu repos, and the standard Windows install on one very lonely desktop, I've also never seen it off on a free host, but that's a different story). Right now you have to edit a small function in 'includes.php' to properly enable escaping. It's not exactly urgent, but I'll work on some automatic detection in the next bug fix (1.8.1).

In truth, this is a test release, something to get things started, as will be the next big release (1.9), until I get myself to a place where I can put out a "2.0", it's all just code that's been mashed together by one person at random intervals.
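An added example (not PHPwnage code, and not posted by anyone in the thread) of the automatic detection onion2k and OasisGames discuss above, which also explains the "\'" search result from the earlier post: magic_quotes_gpc is detected at runtime and its backslashes are removed once at request start, so the rest of the code always sees raw input and escapes exactly once at the point of use. The function names are this example's own; on PHP 5.4 and later the setting no longer exists and the guards make the whole thing a no-op.

```php
<?php
// Added example, not PHPwnage code: undo magic_quotes_gpc once, centrally.
// get_magic_quotes_gpc() is deprecated in 7.4 and removed in 8.0, hence the
// function_exists() guard and the @ on the call.

function magic_quotes_active(): bool {
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Walk nested arrays too: $_POST['tags'][0] gets slashed just like a scalar.
function strip_magic(&$value): void {
    if (is_array($value)) {
        foreach ($value as &$item) {
            strip_magic($item);
        }
        unset($item);
    } elseif (is_string($value)) {
        $value = stripslashes($value);
    }
}

// Run this first in includes.php, before any code reads the superglobals.
// After it, input looks the same whether the host has magic quotes on or off,
// so escaping never happens twice (the "\'" symptom) and never zero times.
if (magic_quotes_active()) {
    strip_magic($_GET);
    strip_magic($_POST);
    strip_magic($_COOKIE);
}

// Escaping then belongs to the output channel: HTML for the search page's
// "your search terms were ..." line (SQL gets a bound parameter instead).
function search_term_for_display(string $term): string {
    return htmlspecialchars($term, ENT_QUOTES, 'UTF-8');   // "'" becomes &#039;, not \'
}
```

Because the normalisation happens in one place, a deployment with magic quotes on (the Ubuntu package mentioned above) and one with it off behave identically, which is the "automatically detected by the script" behaviour the thread asks for.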

Re: I bring gifts of FOSS forums.

Posted: Mon Sep 01, 2008 2:32 pm
by shiznatix
Please, oh please, do not just rely on magic_quotes. It has been proven that this is not enough to stop all attacks. Also, nobody who has control over their .ini file will keep magic quotes on. Magic quotes was an abomination and yes, it's turned off by default in PHP5, just for some reason Ubuntu decided to keep it on in their repos.

Just my 2 cents, I didn't really take a look at your project but I would never even think about using a script that puts post vars directly into the sql.

Re: I bring gifts of FOSS forums.

Posted: Mon Sep 01, 2008 2:44 pm
by OasisGames
shiznatix wrote:Please, oh please, do not just rely on magic_quotes. It has been proven that this is not enough to stop all attacks. Also, nobody who has control over their .ini file will keep magic quotes on. Magic quotes was an abomination and yes, it's turned off by default in PHP5, just for some reason Ubuntu decided to keep it on in their repos.

Just my 2 cents, I didn't really take a look at your project but I would never even think about using a script that puts post vars directly into the sql.
I don't any more. I fixed that quite quickly after I noticed I left a few in.

Re: I bring gifts of FOSS forums.

Posted: Mon Sep 01, 2008 3:23 pm
by matthijs
There are still loads of direct uses of unescaped $_POST vars in queries. I think it's better to use an escaping method by default everywhere and turn off magic quotes.

Re: I bring gifts of FOSS forums.

Posted: Mon Sep 01, 2008 3:39 pm
by onion2k
OasisGames wrote:In truth, this is a test release, something to get things started, as will be the next big release (1.9), until I get myself to a place where I can put out a "2.0", it's all just code that's been mashed together by one person at random intervals.
That's what I meant in my first comment in the thread though ... "There are a number of problems with your site that I wouldn't expect to see in something that's at version 1.8.". If it was a version around 0.3 or something then all these problems would be forgivable, just things that haven't been sorted out yet. But by version 1.8 you've already released a 'stable' version and 4 significant patches (assuming you use something along the lines of a normal version numbering system). For these problems to still be there says you're either releasing much too early or you're unaware of the issues. Both points are a cause for concern.

On a more positive note though, they're easy things to fix, and once they're sorted you should be well on the way to having a pretty comprehensive platform.

Re: I bring gifts of FOSS forums.

Posted: Tue Sep 02, 2008 11:58 am
by RobertGonzalez
Overall
Queries are thrown right into the mysql_query() function. How are you going to check a query string this way if something goes wrong?
You are using mysql* functions instead of mysqli* functions

index.php
Very first line of code has an error suppression operator. Why would you do that?
There is markup mixed with the PHP code.
There are no isset checks for superglobal array members (if $_GET['show'] == 'all'). If there is no $_GET['show'] you get an error.
You have queries, result fetching and result displaying all right in the output.

includes.php

Code:

function mse($source) {
    // Do we return the Real Escape String or the source?
    //return mysql_real_escape_string($source);
    return $source;
}
Seriously?

Code:

function getBoardName($bid) {
    global $_PREFIX;
    $result = mysql_query("SELECT * FROM `{$_PREFIX}boards` WHERE `id`=" .  $bid);
    $brd = mysql_fetch_array($result);
    return $brd['title'];
}
If you only want the 'title' column select it. Why would you select the entire column set only for one column?
Also, why the excessive use of globalizing?
Censor list is a hardcoded array. Why not database those then allow the board admin to admin them?
Why the use of functions for a specific bbCoding of language when you can use GeSHi or something else?
There is entirely too much markup in the code. That makes maintenance very difficult and renders reusability virtually impossible if you wanted to allow skinning. What if I want to make my own theme and didn't want to use tables all over the place?

That is about all I can do right now. For a first run it is decent. For a 1.8 release, not so much in my opinion. I am glad it works for you though.
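An added example (not PHPwnage code) showing getBoardName() from the quoted includes.php rewritten along the lines of the review above and of matthijs' point about unescaped $_POST values: mysqli prepared statements instead of string concatenation, errors surfaced instead of silently passing a false result into the fetch, only the needed column selected, the prefix passed in rather than globalised, and an isset-safe reading of $_GET. The connection parameters and the 'pw_' prefix are placeholders.

```php
<?php
// Added example, not PHPwnage code. Table and column names follow the
// snippet quoted above; connection details and the prefix are assumed.

// Every failed query throws a mysqli_sql_exception carrying the error text,
// which answers "how are you going to check a query string if something
// goes wrong?": the failure is reported at the statement that caused it.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function db(): mysqli {
    static $conn = null;
    if ($conn === null) {
        $conn = new mysqli('localhost', 'forum_user', 'placeholder-password', 'forum'); // assumed
        $conn->set_charset('utf8mb4');
    }
    return $conn;
}

// The prefix comes from the config file, never from the request, but it is
// interpolated into SQL text, so it is still restricted to identifier chars.
function table(string $prefix, string $name): string {
    if (!preg_match('/^[A-Za-z0-9_]{0,16}$/', $prefix)) {
        throw new InvalidArgumentException('Bad table prefix');
    }
    return "`{$prefix}{$name}`";
}

// Select only `title`; the id travels as a bound integer, so neither mse()
// nor magic quotes play any part in whether this query is safe.
function getBoardName(int $bid, string $prefix): ?string {
    $stmt = db()->prepare('SELECT `title` FROM ' . table($prefix, 'boards') . ' WHERE `id` = ?');
    $stmt->bind_param('i', $bid);
    $stmt->execute();
    $stmt->bind_result($title);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $title : null;    // null = no such board, distinct from an empty title
}

// isset-safe replacement for `if ($_GET['show'] == 'all')`: a missing or
// unknown value falls back to the default instead of raising a notice.
function show_mode(array $get): string {
    $mode = $get['show'] ?? 'unread';
    return in_array($mode, ['all', 'unread', 'mine'], true) ? $mode : 'unread';
}

// forum.php-style usage: validation, lookup and output kept apart from the SQL.
try {
    $bid = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $title = ($bid === false || $bid === null) ? null : getBoardName($bid, 'pw_');
    if ($title === null) {
        http_response_code(404);
        echo 'Board not found.';
        exit;
    }
    echo '<h1>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</h1>';   // escape on output as well
    $mode = show_mode($_GET);
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage());      // full detail to the log, never to the visitor
    http_response_code(500);
    echo 'Database error.';
}
```

The same shape replaces each `mysql_query("... " . $_POST['x'])` in the code base: values go through bind_param(), identifiers come from configuration and are validated, and the only escaping left in the application is htmlspecialchars() at output time.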