Extbasic 7

Learn how to do code review

Re: Extbasic 7

Post by Nyteblade on Fri Apr 25, 2008 8:06 am

OK... why do they keep changing the form method? I'm not sure if that will affect what the answer is, but you would think they'd leave it alone.

Unfortunately, I still haven't been able to complete this. Just how specific is the syntax they're looking for? I've tried a number of things but can't seem to get it quite right :(

EDIT: well, I'm stumped. I can't seem to figure this one out for some reason :(


Re: Extbasic 7

Post by I-MrKnox-I on Thu May 01, 2008 8:30 pm

lol, this one really got all kinds of flaws now xD


Re: Extbasic 7

Post by Nyteblade on Fri May 02, 2008 10:41 am

Well supposedly this is completely correct now... but it's still kicking my @$$ :D I must not have hit on the right syntax yet :(


Re: Extbasic 7

Post by ghostintheshell on Fri May 02, 2008 7:13 pm

This one left me clueless. The code looks funny to begin with given that it asks for POST reqs and gets a GET. And the fact that there isn't a db connection explicit in the code throws me off too. I don't really write PHP, but I can write a web app in it (with holes). I looked up the functions being used and they all seemed fine minus the db connection thing. I am missing something obviously. Can anyone think of a non-spoiling way to point me in the right direction?


Re: Extbasic 7

Post by sharpskater69 on Sat May 03, 2008 1:06 pm

My main conflict is that I see like 3 things that aren't exactly sound in the code. I don't know if it's a screw up or it's supposed to be what we patch. I've looked up vulnerabilities certain things have, as well as functions to use to patch them. In reality, that snippet wouldn't even work since the variables are $_POST data and the form uses $_GET to send the data (try it if you don't believe me). I'm not going to mention code or line numbers, but I see a potential sql problem and an xss one. Am I on the right track with these?


Re: Extbasic 7

Post by BhaaL on Sun May 04, 2008 3:54 am

sharpskater69 wrote: I'm not going to mention code or line numbers, but I see a potential sql problem and an xss one. Am I on the right track with these?

You can only fix one of them, and previously it was not the sql one...


Re: Extbasic 7

Post by w00zl3 on Fri May 09, 2008 11:29 am

Mmh, I am really stuck here. The GET and POST thing distracts me from the real problem, I suppose. Can someone please confirm that this is not the issue?

I found some things which I think make this script vulnerable to exploitation, but every answer I tried was not successful. Maybe someone can point me in the right direction, thx


Re: Extbasic 7

Post by comperr on Fri May 09, 2008 12:39 pm

