darkchan

Discussion in 'General Discussion' started by av0n, Apr 15, 2011.

  1. Anonymous Member

    You've also mangled our time. Fuck Completely Off!
    • Like Like x 3
  2. dmx Member

    Ok, you need to find a friendly hacker to help you with this man, and by friendly hacker I mean someone who is GOOD (not just a kid who points nmap and then some downloaded script, but one who knows how to *find* vulnerabilities in software) you know IRL and can go after IRL if you get betrayed. Securing a website is not for amateurs. Tracing IPs from apache or php logs is NOT the only way to guard against this. There are tools that will plain out null-route hostile web traffic that don't keep on-disk logs.

    No offense, but if I was looking for a secure channel to discuss either legally suspect or "could get me sued, beaten up or put on a weird cult's shitlist" I wouldn't trust your site from what you've said so far.

    Don't take that as a personal slight. I wouldn't trust a site set up by ME either. But promising security without a full understanding of it can get people arrested, or shit in the case of some of the regimes anon has been tangled with, killed.
    • Like Like x 3
  3. WMAnon Member

    your site's broken
    • Like Like x 1
  4. av0n Member

    Yes I know, I'm moving some files around, check back in half an hour
  5. Anonymous Member

    is this like one of those things where you get creative people to freely submit their creativity, and then profit?
  6. Anonymous Member

    I'll be checking back in about 20 years.
  7. av0n Member

    no it isn't, but it is open source if that's what you mean by getting creative people together.
    This is not for quasi-illegal activity. Although I would hope there will be a higher level of trust down the line as all our code is transparent.
    @dmx the ip hashes aren't meant to be secure, just not plain text readable, and SSL is very much alive.
  8. Anonymous Member

    holy shit this looks great
  9. av0n Member

    thank you :)
  10. dmx Member

    $q2 = "SELECT userlevel FROM users WHERE username='$_COOKIE[userID]' AND userlevel >= 2"; //makes sure has clearence or is breaking in.
    ...so I just need to edit my cookies to add something like ' or 1 = 1; <insert malicious sql here> -- and I have owned your server. hint: Use session variables rather than directly fumblefucking with cookies.

    Plus numerous instances of just assuming the mysql_escape_chars will be protection enough

    I can not repeat this enough. Use prepared statements. Use prepared statements. Use prepared statements. These are *much* harder to hack.

    And for god sake NEVER just blindly insert shit coming from the far end dude. Seriously.
    • Like Like x 1
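
Added example, not part of dmx's post or Darkchan's code: the quoted query built by string concatenation next to the same lookup as a prepared statement. It assumes PDO with an in-memory SQLite database and a constructed `users` table so it runs offline; the function names are hypothetical.

```php
<?php
// Added example: constructed table and values, not Darkchan's schema or code.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT PRIMARY KEY, userlevel INTEGER)");
$db->exec("INSERT INTO users VALUES ('admin', 3), ('guest', 0)");

// Concatenated form, as in the quoted line: the value becomes part of the SQL text.
function isStaffConcatenated(PDO $db, string $userId): bool
{
    $q = "SELECT userlevel FROM users WHERE username='$userId' AND userlevel >= 2";
    return $db->query($q)->fetch() !== false;
}

// Prepared form: the SQL text is fixed and the value is bound as data only.
function isStaffPrepared(PDO $db, string $userId): bool
{
    $stmt = $db->prepare(
        "SELECT userlevel FROM users WHERE username = :u AND userlevel >= 2"
    );
    $stmt->execute([':u' => $userId]);
    return $stmt->fetch() !== false;
}

// Constructed cookie value in the shape the post describes.
$tampered = "' or 1 = 1 -- ";

// The concatenated query treats the tampered value as SQL and matches every row.
var_dump(isStaffConcatenated($db, $tampered));
// The prepared query looks for a user literally named "' or 1 = 1 -- " and finds none.
var_dump(isStaffPrepared($db, $tampered));
// Legitimate lookups behave as intended.
var_dump(isStaffPrepared($db, 'admin'));
var_dump(isStaffPrepared($db, 'guest'));
```

In the application the identifier would come from `$_SESSION`, set at login, rather than from `$_COOKIE`, as the post advises.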
  11. Anonymous Member

    I love it when I can clearly hear the sounds of sanity expressed in the vast digital wilderness.
  12. Anonymous Member

    use whitelist
    don't try shit with blacklist input.
    it's a horror trip you never can win.
    HTML5 makes it even moar funny
  13. dmx Member

    Code:
    if (in_array($_GET['view'], $files)) { //if the file exists
    echo '<br>';
    include ('articles/' . $_GET['view'] . '.html');
    echo '<br>';
    }
    
    Please tell me $files is not going to eventually be dynamic+user supplied? :(

    I don't know of a working exploit around your array check, but passing an unfiltered get parameter DIRECTLY into a file path is ALWAYS a bad idea. No exceptions.

    (Hint: Until then this is much safer
    Code:
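    $FILES = array('article' => 'article1.html', 'article2' => 'article2.html'); // etc etc

    if (isset($_GET['view']) && is_string($_GET['view']) && array_key_exists($_GET['view'], $FILES)) {
       // only the fixed value from the map reaches the path, never the raw input
       include ('articles/' . $FILES[$_GET['view']]);
    }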
    )

    Note: I haven't coded PHP in years, so my memory of its syntax is a bit wobbly.
  14. Herro Member

    • Like Like x 4
  15. Anonymous Member

    A whole herd of nerds...
  16. anonymous612 Member

    [IMG]
    • Like Like x 2
  17. Anonymous Member

    • Like Like x 1
  18. Dragononymous Member

    Woow what?
    Herro + present = Good?
    What did I miss..
  19. Zak McKracken Member

    I think this guy has the chops, and might even be willing to help if you can find him.

    jpetersen4.jpg
    • Like Like x 2
  20. Herro Member

    I'm sleeping with av0n. This entire thread has been nothing but sexual innuendo.
  21. Dragononymous Member

    Still..
    Shouldn't it be like this;
    Herro receiving present = Good
    ?
  22. av0n Member

    it isn't going to be dynamic user supplied data, also it is only passed to a file path when it is the same as a file name. Also at pointing out the unfiltered cookie, thank you, if you've signed up I'd give you a contrib badge.

    @herro's present I had to look long and hard for it
  23. dmx Member

    Ok, it's very important that a user can never supply the name of the file if you're doing it this way, because there are a lot of potential ways to break this. I'd strongly recommend moving the flat file includes to a database record, because if someone sets a filename to '../../../../etc/passwd' or something, you could end up in deep trouble.

    The method I've given makes sure that the supplied input *never* comes into contact with the filesystem, but a database backed system would be even better.

    Naturally I'm assuming your media input is being checked for a whitelisted list of mime and file extension types, but I will add to make sure that the directories they are stored in do NOT have access to the php/etc interpreters, or you *will* be owned (I learned this the hard way!)

    And yeah, I do strongly suggest migrating to prepared statements (or prepared statements and stored procedures if you want to be REALLY fast and secure). It's a pretty easy process (just grep for your various SQL clauses and then start moving across), because it's a mile more secure to use, and it's actually a little bit faster under the hood. Remember, in the world of chans, there's a LOT of dipshits who will think nothing of owning you for lulz, with a fraction of those dipshits actually being rather talented at such ownage.
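
Added example, not part of dmx's post and not code from creating.php: one way to apply the upload advice above, by sniffing the type from the file content, checking it against an allowlist, and storing the file under a server-chosen name. The allowlist is a constructed subset, the sample byte strings are constructed, and `storageNameFor` is a hypothetical name; it assumes PHP's fileinfo extension.

```php
<?php
// Added example: constructed inputs and hypothetical names.
const ALLOWED_TYPES = [
    'image/jpeg' => '.jpg',
    'image/png'  => '.png',
    'image/gif'  => '.gif',
];

// Returns the name to store an upload under, or null when its type is not allowed.
// The client-supplied file name and Content-Type are never consulted.
function storageNameFor(string $bytes): ?string
{
    // Type is detected from the content itself, not from what the browser claims.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        return null;
    }
    // Random base name plus an extension taken from the allowlist, so user input
    // never becomes part of a path and the extension is never user-chosen.
    return bin2hex(random_bytes(16)) . ALLOWED_TYPES[$mime];
}

// Constructed samples: the start of a GIF file, and a plain PHP source file.
$gifBytes    = "GIF89a\x01\x00\x01\x00\x80\x00\x00";
$scriptBytes = '<?php echo 1;';

var_dump(storageNameFor($gifBytes));    // a 32-hex-character name ending in .gif
var_dump(storageNameFor($scriptBytes)); // rejected: type is not in the allowlist

// Content sniffing looks mainly at the leading bytes, so it is not a guarantee about
// the rest of the file. That is why the post's second rule still applies: the
// directory holding uploads must not be handed to the PHP interpreter.
```
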
  24. av0n Member

    Thank you very much for the response. I've looked into prepared statements a couple times but have never had the time to convert all of my queries over (that's a lot of time when a 'htmlspecialchars(mysqli_real_escape_string(' would suffice). Also are you referring to the .gif exploit?

    The uploaded files are checked for white listed mime types (you can view the php file at https://github.com/Darkchan/Darkchan/blob/master/htdocs/creating.php if interested).
  25. Anonymous Member

    And all this faggotry can't happen in PMs? Amazing.
    • Like Like x 1
  26. Anonymous Member

    Code:
    case 'text/plain' : $ext=".txt";break;
    case 'application/pdf' : $ext=".pdf";break;
    case 'application/msword' : $ext=".doc";break;
    case 'audio/mpeg' : $ext=".mp3";break;
    case 'application/x-bittorrent' : $ext=".torrent";break;
    case 'image/jpeg' : $ext=".jpg"; break;
    case 'image/png' : $ext=".png"; break;
    case 'image/gif' : $ext=".gif"; break;
    case 'video/x-flv' : $ext=".flv"; break;
    
    Why would flash files be allowed when there is a currently exploited Flash vulnerability out in the wild?
    Also, it's missing genuine mimetypes that all modern browsers play natively:
    https://developer.mozilla.org/En/Media_formats_supported_by_the_audio_and_video_elements
    and given the current native support:
    image/svg+xml
  27. av0n Member

    I believe the flash vulnerability was recently patched. Also I'll look into the link and adding some mime types
  28. Smurf Member

    • Like Like x 2
  29. Anonymous Member

    • Like Like x 1
  30. av0n Member

    accidental prescription overdose, which is about as vague as it gets.
    • Like Like x 1
  31. Robocat Member

    No thank you.
  32. Dragononymous Member

    Say whut?
    well you are OP so that explains a lot in this thread..
  33. DeathHamster Member

    That Wiki article is full of AIDS, cancer and faggotry.
  34. Anonymous Member

    Because he died of AIDS, cancer and faggotry?
  35. DeathHamster Member

    No, because very few of the references lead to anything that's remotely verifiable.
  36. Dragononymous Member

    Like AIDS, cancer and faggotry?
    • Like Like x 2
  37. Anonymous Member

    flash not so long blitzableiter have a better none asp version for checking flashfiles
    svg+xml don't open the hell door. or is there a good whitelist?
  38. Anonymous Member

    HTML:
    case 'application/pdf' : $ext=".pdf";break;
    case 'application/msword' : $ext=".doc";break;
    
    pdf?
    doc/docx?

    don't do this, or you cant to start da malware dump
  39. over9000OT Member

    You need to optimize yer site for viewing on Netscape. I found some sweet white papers describing php but that's probably a fad so I wouldn't get too excited about that. Have you herd about these new "dynamic elements" that are about to come out? They are going to be da bomb. I also hear that some of the moar advanced sites are using animated .gifs. Check 'em. Angelfire and Geocities have some pretty awesum online html (that's hypertext markup language for you newbs!) designs. You could totally have a crazy mouse cursor shaped like a dong or something.
    • Like Like x 3
  40. Zak McKracken Member

    So, between him and Herro, who would you choose to secure your site from Scientologists?

    It hasn't even got a leg to stand on.
