OpenTracker thread (Bravo List forum, Source Code > Archived Trackers)
#21  Bigjoos (U-232 Dev), 24th June 2012, 20:44
I'm not disputing the classes won't work, by the way, if it comes across like that; I'm only offering advice and "Golden Rules" on something I know a fair amount about, something that will kill any project dead before it's begun if not addressed correctly. Unless you have personally written those classes and know exactly what's happening with any given scenario of submitted data, do not trust anything or take it for granted; be very thorough, because there are some seriously talented operators out there who can CSRF or inject for fun. End note: best of luck with it, and above all have fun doing so =]

#22  Wuild (Senior Member), 24th June 2012, 20:48

Quote (originally posted by djzoulox):
    Well, I don't think it looks that bad; all sources come with major work and errors, I think. That's why we're all here, to help those who can help,
    and also, as you guys stated, it is in development. It's going to be cool to see who will run a major site with this new script.

    But I wish you all good luck with your source.

IDD!! And thank you!

Bump:
Quote (originally posted by Bigjoos):
    I'm not disputing the classes won't work, by the way, if it comes across like that; I'm only offering advice and "Golden Rules" on something I know a fair amount about, something that will kill any project dead before it's begun if not addressed correctly. Unless you have personally written those classes and know exactly what's happening with any given scenario of submitted data, do not trust anything or take it for granted; be very thorough, because there are some seriously talented operators out there who can CSRF or inject for fun. End note: best of luck with it, and above all have fun doing so =]

I hear you, man, but all the classes are written by me; I know what they are all doing and when they are doing it. But like I said, all the data is checked when inserted or updated, so unless someone shows me some real hacking I'm going to go with it as it is ;)

#23  LeeHowarth (TT), 24th June 2012, 21:41

http://opentracker.nu/demo/user/logout/

Set as the avatar URL, this prevents me from logging in, so you should pay attention to what I was saying. An xbtit developer originally showed me this, and it's probably a common hack in PHP where developers assume no URL sanitization is required. I suggest you check out getimagesize; this will validate that a URL points to an image...
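The avatar trick above (an image URL that points at the tracker's own logout action, so every browser that renders the profile page fires a logout on behalf of the viewer) is an input-validation problem as well as a request-source problem. The PHP function below is an added example of the check LeeHowarth is pointing at; it is not openTracker's code. It accepts only http/https URLs, refuses URLs that point back at the tracker's own host, refuses hosts that resolve to private or loopback addresses, fetches a bounded amount of the resource without following redirects, and then uses getimagesizefromstring to confirm the bytes really are an image. The host name, size cap, timeout and function name are assumptions for illustration.

```php
<?php
// Added example, not openTracker's code: validate a user-supplied avatar URL
// before it is stored. Assumptions for illustration: the tracker's own host
// name is passed in as $ownHost; remote fetches are capped at 2 MiB with a
// 5-second timeout. Requires PHP 7.1+ (nullable return type); the
// getimagesizefromstring() call itself exists since PHP 5.4.

/**
 * Returns null when the URL is an acceptable avatar, otherwise a short
 * reason string that can be shown to the user.
 */
function validate_avatar_url(string $url, string $ownHost): ?string
{
    // 1. Syntactically a URL, with a scheme and host present.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return 'malformed URL';
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return 'malformed URL';
    }

    // 2. Only http/https. This rules out data:, javascript:, file: and friends.
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return 'only http and https URLs are allowed';
    }

    // 3. An avatar must never point back at the tracker itself. That is exactly
    //    the trick in the thread: <img src="http://tracker/user/logout/"> makes
    //    every viewer's browser hit the logout action with its own cookies.
    if (strcasecmp($parts['host'], $ownHost) === 0) {
        return 'avatar must not point at this site';
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return 'credentials in the URL are not allowed';
    }

    // 4. The server itself is about to fetch the URL, so refuse hosts that
    //    resolve to private or loopback ranges (basic server-side request
    //    forgery defence; DNS rebinding is out of scope for this example).
    $ip = gethostbyname($parts['host']);
    if (filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        return 'host is not reachable from the public internet';
    }

    // 5. Fetch a bounded amount of the resource without following redirects,
    //    then confirm the bytes really are an image of a type we serve.
    $ctx = stream_context_create(['http' => [
        'method'          => 'GET',
        'timeout'         => 5,
        'follow_location' => 0,
        'ignore_errors'   => true,
    ]]);
    $data = @file_get_contents($url, false, $ctx, 0, 2 * 1024 * 1024);
    if ($data === false || $data === '') {
        return 'could not fetch the image';
    }
    $info = @getimagesizefromstring($data);
    if ($info === false) {
        return 'URL does not return an image';
    }
    $allowed = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG];
    if (!in_array($info[2], $allowed, true)) {
        return 'unsupported image type';
    }
    return null; // acceptable
}

// Usage in the edit-profile handler (hypothetical names):
// $error = validate_avatar_url($_POST['avatar'], 'tracker.example');
// if ($error !== null) { /* reject the update and show $error */ }
```

Two caveats a practitioner would add. getimagesize and its ...fromstring variant only check that the leading bytes look like an image header; a server the attacker controls can return a real image while the URL is being validated and a redirect to /user/logout/ afterwards, so this check narrows the problem but does not close it, and the logout action itself still needs request-source protection, which is the point Optix makes later in the thread. Second, the most robust fix is to stop hot-linking remote avatars at all: copy the validated image into local storage and serve that copy, so the browser never requests an attacker-chosen URL.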
#24  Wuild (Senior Member), 24th June 2012, 21:45

Quote (originally posted by djhowarth):
    http://opentracker.nu/demo/user/logout/

    Set as the avatar URL, this prevents me from logging in, so you should pay attention to what I was saying. An xbtit developer originally showed me this, and it's probably a common hack in PHP where developers assume no URL sanitization is required. I suggest you check out getimagesize; this will validate that a URL points to an image...

It's already been fixed.
#25  kizze (Member), 24th June 2012, 22:52

As you know, we had made a demo account (www.opentracker.nu/demo), but now we have been forced to disable profile editing on that account; someone seems to have gone in and changed the password! So unfortunately you cannot test those capabilities any further in the edit profile page.

KizzE, www.opentracker.nu, kizze@opentracker.nu
#26  Optix (Senior Member), 24th June 2012, 23:03

Quote (originally posted by Wuild):
    It's already been fixed.

Nope. The logout URL is still functional when called from anywhere on your CMS.
#27  kizze (Member), 24th June 2012, 23:13

Quote (originally posted by Optix):
    Nope. The logout URL is still functional when called from anywhere on your CMS.

Yeah, we've got a development website where it is fixed, but not on the demo.
But we removed the avatar and disabled the demo user from being editable.
#28  Optix (Senior Member), 24th June 2012, 23:27

Quote (originally posted by kizze):
    Yeah, we've got a development website where it is fixed, but not on the demo.
    But we removed the avatar and disabled the demo user from being editable.

You seem not to understand. I'm not talking about the demo, but the CMS in general, because it will be deployed in the future.

Sanitizing inputs is one thing, but checking the source of the input is another. That's CSRF: you have to check the source of the request. When you're displaying a form, you're expecting data from this form only, and should block other requests issued by a foreign site/domain or by your own platform.
When you're displaying an action link (like add as friend, logout, delete account, etc.), only the page where the link is displayed should be able to trigger the process. Currently, it's possible to call all your URLs from everywhere (a foreign site and your CMS itself).
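What Optix describes is the synchronizer-token pattern: every state-changing action the page displays carries a secret that a browser could only have obtained by rendering that page, and the handler refuses any request that does not present it. The PHP below is an added example of that pattern, not openTracker's own code. The function names, the session key, the /user/logout/ route and the "csrf" field name are assumptions for illustration; it needs PHP 7.0 or newer for random_bytes() and assumes the front controller has already called session_start().

```php
<?php
// Added example, not openTracker's code: synchronizer-token CSRF protection
// for state-changing actions such as logout, add-friend or delete-account.
// Assumptions: PHP sessions are in use (session_start() has already been
// called) and the action is reached at /user/logout/. Requires PHP 7.0+ for
// random_bytes(); hash_equals() needs 5.6+.

/** Return this session's CSRF token, generating it on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 256 bits from the OS CSPRNG; stored server side, emitted only in
        // pages we render, so a foreign site or an <img src> never sees it.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Constant-time comparison of a submitted token with the session's token. */
function csrf_check($submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($submitted)
        && $expected !== ''
        && hash_equals($expected, $submitted);
}

/**
 * Rendering side: an action that changes state is a POST form carrying the
 * token, never a bare GET link. Neither a foreign page nor an <img> placed
 * somewhere on the tracker itself can produce this POST with a valid token.
 */
function logout_form(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/user/logout/">'
         . '<input type="hidden" name="csrf" value="' . $token . '">'
         . '<button type="submit">Logout</button>'
         . '</form>';
}

/** Handling side: refuse anything that is not a POST with a matching token. */
function handle_logout(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !csrf_check($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('Refused: missing or invalid CSRF token');
    }
    $_SESSION = [];
    session_destroy();
    header('Location: /');
    exit;
}
```

Logout is the mildest case; the same two functions wrap friend requests, account deletion and every other action that changes state, and the check belongs in the handler, not in the link, because the link is what the attacker imitates. Checking the Referer or Origin header is a weaker complement rather than a replacement, since some clients strip those headers. On current PHP, setting the session cookie to SameSite=Lax (the samesite option of session_set_cookie_params, PHP 7.3+) stops a cross-site <img> or form from carrying the session cookie at all, but it does nothing for the case Optix raises of an action triggered from elsewhere on the tracker itself; only the token covers that.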
#29  Wuild (Senior Member), 25th June 2012, 00:05

Quote (originally posted by Optix):
    You seem not to understand. I'm not talking about the demo, but the CMS in general, because it will be deployed in the future.

    Sanitizing inputs is one thing, but checking the source of the input is another. That's CSRF: you have to check the source of the request. When you're displaying a form, you're expecting data from this form only, and should block other requests issued by a foreign site/domain or by your own platform.
    When you're displaying an action link (like add as friend, logout, delete account, etc.), only the page where the link is displayed should be able to trigger the process. Currently, it's possible to call all your URLs from everywhere (a foreign site and your CMS itself).

Should be fixed on the demo site now.

Bump: Uploading the latest build of openTracker to the demo.. enjoy
#30  firefly007 (SUPPORT GURU), 25th June 2012, 04:29

Quote (originally posted by kizze):
    Hello!

    Me and a friend are making a brand new tracker source that we have decided to give the name "openTracker".

    We are going to make our own mods / plugins / addons and host them on our website, where you can download them. But there will also be a forum where you can post your own mods / plugins / addons if you want to share them with other members.

    openTracker follows the W3C standards and looks the same in all browsers. openTracker is built to support the most popular platforms out there.
    openTracker is an open-source torrent tracker system built in PHP.

    Please visit us on www.opentracker.nu and try out the demo we have for now!

    //KizzE
    www.opentracker.nu
    kizze@opentracker.nu
    support@opentracker.nu

    Attachment 3747

Really nice
Tags: opentracker, source, torrents tracker, tracker