Test my script for vulnerabilities

Questions about programming languages and debugging

Gogeta70
Posts: 3275
Joined: 25 Jun 2005, 16:00

Test my script for vulnerabilities

Post by Gogeta70 »

Hey everyone, I'm developing a bbcode script for my forum and for Circuitbomb, so I want to make sure that this code can't be turned upside down unexpectedly. Currently, the script has the following conversions:

[ol] ordered list
[ul] unordered list
[li] list item
[b] bold
[u] underline
[url=http://...]blah[/url] link
[img]http://...[/img] image
[code][/code] code

http://g70net.com/shellw/bbpost.php

Go ahead and give it a try, tell me what you think. The source code is below:

Code: Select all

<html>
<head>
<link rel=stylesheet type="text/css" href="style.css"/>
</head>
<body>
<?php

echo "<pre>";
// Strip the backslashes magic_quotes_gpc adds, then entity-encode the whole post
// before any bbcode parsing, so raw < > " & from the user never reach the output.
$post = stripslashes($_POST['post']);
$post = htmlentities($post);

//preg_match("#^(\[url=http://)[\+-:%&=\?A-Za-z_]+][a-zA-Z0-9_& !@$\#%\*\.\:]+\[/url]#", $post, $matches, PREG_OFFSET_CAPTURE);

// [url=http://...]text[/url]: the address may only contain + , - . / 0-9 : % & = ? letters _
// (no quotes, spaces, < > or ;); the link text is limited to a small printable whitelist.
preg_match_all("#\[url=(http://[\+-:%&=\?A-Za-z_]+)]([a-zA-Z0-9_&[\] /!@$\#%\*\.\:\()]+)\[/url]#i", $post, $matches);

for($a = 0; $a < count($matches[1]); $a++)
{
$post = str_replace($matches[0][$a], "<a href=\"". $matches[1][$a] ."\">". $matches[2][$a] ."</a>", $post);
}
echo "\n\n\n";
//print_r($matches);
echo "\n\n\n";
unset($matches);

// [img]http://...[/img]: same address character set; only the text after the last dot is checked.
preg_match_all("#\[img](http://[\+-:%&=\?A-Za-z_]+)\[/img]#i", $post, $matches);
$extarr = array("jpg", "jpeg", "png", "gif");

for($a = 0; $a < count($matches[1]); $a++)
{
$ext = explode(".", $matches[1][$a]);
$ext1 = count($ext)-1;
$ext = $ext[$ext1];
if(in_array($ext, $extarr))
  {
    $post = str_replace($matches[0][$a], "<img src=\"". $matches[1][$a] ."\"/>", $post);
  }
}
echo "\n\n";
//print_r($matches);
unset($matches);

// Plain one-for-one tag swaps.
$post = str_replace("[ol]", "<ol>", $post);
$post = str_replace("[/ol]", "</ol>", $post);
$post = str_replace("[ul]", "<ul>", $post);
$post = str_replace("[/ul]", "</ul>", $post);
$post = str_replace("[b]", "<b>", $post);
$post = str_replace("[/b]", "</b>", $post);
$post = str_replace("[u]", "<u>", $post);
$post = str_replace("[/u]", "</u>", $post);
$post = str_replace("[i]", "<i>", $post);
$post = str_replace("[/i]", "</i>", $post);
$post = str_replace("[li]", "<li>", $post);
$post = str_replace("[/li]", "</li>", $post);

// Earlier attempt, left commented out (the closing [/code] in this line was swallowed
// by the forum's own bbcode parser when it was posted and is restored here).
//preg_match_all("#\[code]([ -Z\^-~\n\r]*[[0-9a-z_A-Z$\]]*[ -Z\^-~\n\r]*)\[/code]#i", $post, $matches);
//print_r($matches);

// [code]...[/code]: the two tag strings below were likewise swallowed by the forum and are restored.
$post = str_replace("[code]", "<div class=code><pre>", $post);
$post = str_replace("[/code]", "</pre></div>", $post);
unset($matches);

preg_match_all("#<div class=code><pre>([ -~\n\r]+)</pre></div>#", $post, $matches);

//echo "<xmp>";
//print_r($matches);

// Neutralise "[" inside code blocks. The entity is assumed: the forum rendered it as a bare "[".
// This runs after the tag swaps above, so it cannot stop [b] etc. from converting inside [code].
for($a = 0; $a < count($matches[1]); $a++)
{
$rep = str_replace("[", "&#91;", $matches[1][$a]);
$post = str_replace($matches[1][$a], $rep, $post);
}

echo "<hr>\n\n" . $post . "<hr>\n\n<xmp>$post</xmp>";

?>
</body>
</html>
The code is a bit messy, so there may be a bit of useless jargon in there from me trying different methods; just try and sort it out if you can, or if you really need me to, I'll go through and clean the code up :P.
¯\_(ツ)_/¯ It works on my machine...
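An added test harness (editor's example, not Gogeta70's code): a step-for-step Python port of the converter above, followed by an output-grammar check that flags any `<` in the rendered HTML that does not start one of the tags the script itself emits. The probe strings are constructed for this example. Beyond the break-out attempts, the harness shows two things the script does with ordinary-looking input that follow from the code as posted: a `[url=...]` whose address contains `&` never renders, because htmlentities() turns `&` into `&amp;` before the URL regex (which allows no `;`) runs, and the image extension check only looks at the text after the last dot, so an address ending in `hit.php?u=.gif` passes it.

```python
import html
import re

# The PHP class "[\+-:%&=\?A-Za-z_]" is a range from "+" (0x2B) to ":" (0x3A)
# plus the listed characters: + , - . / 0-9 : % & = ? A-Z a-z _
# No quotes, whitespace, "<", ">" or ";" can appear in a matched address.
URL_CHARS = r"[+,\-./0-9:%&=?A-Za-z_]"
# Link text: the PHP class "[a-zA-Z0-9_&[\] /!@$\#%\*\.\:\()]" with Python escaping.
TEXT_CHARS = r"[a-zA-Z0-9_&\[\] /!@$#%*.:()]"

URL_RE = re.compile(r"\[url=(http://" + URL_CHARS + r"+)\](" + TEXT_CHARS + r"+)\[/url\]", re.I)
IMG_RE = re.compile(r"\[img\](http://" + URL_CHARS + r"+)\[/img\]", re.I)
CODE_RE = re.compile(r"<div class=code><pre>([ -~\n\r]+)</pre></div>")
IMG_EXT = ("jpg", "jpeg", "png", "gif")
SIMPLE_TAGS = ("ol", "ul", "b", "u", "i", "li")


def bbcode_to_html(post: str) -> str:
    """Same steps, same order as the PHP script.  stripslashes() is omitted: it only
    undoes magic_quotes and changes nothing about the HTML that comes out."""
    # htmlentities() with its default flags: & < > " become entities, ' is left alone.
    post = html.escape(post, quote=False).replace('"', "&quot;")

    # [url=...]...[/url]: preg_match_all() then str_replace() of each whole match.
    for m in list(URL_RE.finditer(post)):
        post = post.replace(m.group(0), f'<a href="{m.group(1)}">{m.group(2)}</a>')

    # [img]...[/img]: explode(".") and look only at the last piece.
    for m in list(IMG_RE.finditer(post)):
        src = m.group(1)
        if src.rsplit(".", 1)[-1] in IMG_EXT:
            post = post.replace(m.group(0), f'<img src="{src}"/>')

    for tag in SIMPLE_TAGS:
        post = post.replace(f"[{tag}]", f"<{tag}>").replace(f"[/{tag}]", f"</{tag}>")

    post = post.replace("[code]", "<div class=code><pre>").replace("[/code]", "</pre></div>")
    # Final loop of the script: neutralise "[" inside code blocks.  The entity is an
    # assumption (the forum rendered it as a bare "[").  It runs after the tag swaps
    # above, so it cannot stop [b] etc. from converting inside [code].
    for m in list(CODE_RE.finditer(post)):
        post = post.replace(m.group(1), m.group(1).replace("[", "&#91;"))
    return post


# Output grammar: every "<" must start one of the tags the converter itself emits, and
# address attributes are restricted to URL_CHARS, so nothing can close the quote early.
ALLOWED_TAG = re.compile(
    r"</?(?:ol|ul|li|b|u|i|pre)>|<div class=code>|</div>"
    r'|<a href="http://' + URL_CHARS + r'+">|</a>'
    r'|<img src="http://' + URL_CHARS + r'+"/>'
)


def unexpected_tags(rendered: str) -> list[str]:
    """Return every "<..." in the output that is not on the allow-list."""
    return [t for t in re.findall(r"<[^>]*>?", rendered) if not ALLOWED_TAG.fullmatch(t)]


# Constructed probes: the break-out attempts a reviewer would try by hand.
PROBES = [
    "<script>alert(1)</script>",
    '[url=http://x"onmouseover="alert(1)]click[/url]',
    "[url=javascript:alert(1)]click[/url]",
    '[img]http://x.gif" onerror="alert(1)[/img]',
    "[b]<b onmouseover=alert(1)>x[/b]",
    "[code]<script>[/code]",
    "[img]http://tracker.example/hit.php?u=.gif[/img]",
]


def audit(probes=PROBES) -> dict:
    """Map each probe to the unexpected tags in its rendering (empty list = clean)."""
    return {p: unexpected_tags(bbcode_to_html(p)) for p in probes}


if __name__ == "__main__":
    for probe, bad in audit().items():
        print("OK  " if not bad else "FAIL", repr(probe), "->", repr(bbcode_to_html(probe)))
```

Run it directly to print each probe beside its rendering; the same probes can be pasted into the form at the URL above, where the page's closing `<xmp>` block shows the raw HTML for comparison.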

rhysh
Fame ! Where are the chicks?!
Posts: 767
Joined: 15 Nov 2006, 17:00

Post by rhysh »

I tested and didn't find anything.

I tried XSS but nothing.
There is no use of SQL strings from what I can see in your code, so I didn't test for SQL injection.
I tried inserting PHP code but it didn't execute.
I noticed you used input filtering using regular expressions, right?

It does not try opening source files or including anything, am I right?

So I didn't try LFI or RFI.

Overall I found it was clean of XSS and PHP injection/insertion.

lol

Post by Gogeta70 »

Via user input, you cannot include anything, no, since I don't locally include any files except for a hard-coded line: include("sql.php");

Thanks for testing it. Let's see if anybody else can come up with anything.

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

Hm, I've put it on my home server and scanned it with Paros, nothing found.. :)

Post by Gogeta70 »

Right on, thanks.
