
Need Advice, And Security Info


bretttt

Programmer
Jul 23, 2002
74
US
Hi, I am making a website for integration with a manufacturing company. You guys have helped me a lot, and I was wondering if you guys could let me know what you think and check the site for security flaws or bugs.
Please register, login, put stuff in cart, and just browse what's there...... you can log into employee with id 039039 pass 1420. Thanks
 
1) How are you tracking your users after they log in? It looks like you just put their uname on the url itself, meaning that a user could just put whatever username they wanted, theirs or not, up there and shop as someone else. The best way is to use something like CGI::Session and give the client a single session ID and then keep all other information about them on the server where it's much harder for them to touch without your control.

2) I don't know if it's just an Opera thing, but the state field in register lets me put in two characters, but it is only wide enough to view one. Also, all the input fields on this page don't seem to line up with anything.

3) All the passwords fields on the site should be type password, not input. They work the same, but on the user's browser, it shows *'s instead of the password characters.

4) When shopping, after clicking on a product category and they all expand down, the list item types all start with ) which doesn't look like what was intended. More importantly, clicking on any of those links brings up an Internal Server Error for me.

5) Contact us, About iboost, and Claim auction are all broken links.

I guess a lot of that is probably the result of it being a work in progress yet.

________________________________________
Andrew - Perl Monkey
 
Thanks for your time. I am working it.
 
My programming passes the username, but all files verify encrypted password and username from cookies that are set on log in. Is that good enough? I admit my programming is a little hacked, but I'm basically learning as I go... Thanks all for the help!
 
It's probably alright. You always run the risk of tampering when you put information in view of the user, but the user would have to have information like encrypted passwords for other accounts to be malicious about it, which is less likely. You can look at CGI::Session, as it's a very good module for session tracking. Makes dealing with cookies easier because there's really only one of them. The rest is in nice auto-serialized local storage. You should take a look at it and decide if you want to convert over, but it's far from the end of the world to use your current system.

In my poking, I didn't see any blatant evidence of a hole, but are you using placeholders or proper DBI escaping for any user-submitted data into SQL statements? I guess I'm also assuming that it's a database driven site. I just had some fun over at hackthissite.org a few months back and have kept my eye open for potential SQL injections in any code I see.

Best of luck.

________________________________________
Andrew - Perl Monkey
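The two things Andrew recommends above, keeping the user's identity in a server-side CGI::Session keyed by a single cookie instead of in the URL, and passing user input to SQL through DBI placeholders, written out as an added Perl CGI login handler. This is example code, not code from the thread or from bretttt's site; the DSN, database credentials, `users` table and column names, and the session directory are assumptions.

```perl
#!/usr/bin/perl
# Hypothetical login handler (example, not the site's own code).
# Only the session ID reaches the browser; the username stays on the server.
use strict;
use warnings;
use CGI;
use CGI::Session;
use DBI;

my $cgi = CGI->new;

# Assumed DSN, credentials and schema: a `users` table with a `username`
# column and a `password` column holding a crypt() hash, never plaintext.
my $dbh = DBI->connect('dbi:mysql:shop', 'shopuser', 'PLACEHOLDER-PASSWORD',
                       { RaiseError => 1 });

# Load the session named by the CGISESSID cookie, or start a fresh one.
# Assumed session directory; it must be writable by the web server only.
my $session = CGI::Session->new('driver:File', $cgi,
                                { Directory => '/tmp/sessions' });
$session->expire('+1h');    # idle sessions die on their own

my $username = $cgi->param('username') // '';
my $given    = $cgi->param('password') // '';

# The ? placeholder keeps the submitted username out of the SQL text, so a
# quote or comment sequence in it cannot change the statement.
my $sth = $dbh->prepare('SELECT password FROM users WHERE username = ?');
$sth->execute($username);
my ($stored_hash) = $sth->fetchrow_array;
$sth->finish;

# crypt() with the stored hash as salt re-derives the hash for comparison.
if (defined $stored_hash && crypt($given, $stored_hash) eq $stored_hash) {
    # Identity is recorded server-side; later pages read
    # $session->param('username') and never trust a username from the URL.
    $session->param('username', $username);
    $session->flush;
    # header() adds the session cookie; nothing else about the user is sent.
    print $session->header(-status => '302 Found', -location => '/cart.cgi');
} else {
    # Same response for unknown user and wrong password: no account probing.
    print $cgi->header(-type => 'text/plain', -status => '401 Unauthorized');
    print "Login failed\n";
}
```

Every later page loads the session the same way and treats a missing `username` parameter as "not logged in", which is what removes the URL-tampering problem from point 1.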
 