Is this exploitable?

[zMagenta]

Just wondering.

<?php
if(isset($_POST['post_comment']))
  $posted_on = date("M j, Y g:i A");
if (! isset($_POST['comment'])) {
  $_POST['comment'] = '';  // nu bestaat de variabele ten minste
}
 
$comment = strip_tags ($_POST['comment']);
if($comment == NULL){
    $error_message = 'You have left a field empty.<br /><br />';
  }else{
if (LOGGED_IN)
{
    mysql_query("INSERT INTO site_news_comments (article, userid, comment, posted_on) VALUES ('".
 
$news_article_id."', '".$_SESSION['id']."', '".$comment."', '".$posted_on."');");
    $error_message = 'You have successfully posted a comment.<br /><br />';
  }
}
?>
 
<div class="habblet-container ">
  <div class="cbb clearfix notitle ">
    <div id="article-wrapper"><h2>Post a comment!</h2>
      <div class="article-meta"></div>
      <div class="article-body">
        <form action="" method="post">
        <textarea name="comment" maxlength="500"></textarea><br /><br />
        <input type="submit" name="post_comment" value="Post a comment!" />
        </form>
      </div>
    </div>
  </div>
</div>
<style type="text/css">
input[type="text"], input[type="password"] {
  background-color: #F1F1F1;
  border: 1px solid #999999;
  width: 175px;
  padding: 5px;
  font-family: verdana;
  font-size: 10px;
  color: #666666;
}
input[type="submit"] {
  background-color: #F1F1F1;
  border: 1px solid #999999;
  padding: 5px;
  font-family: verdana;
  font-size: 10px;
  color: #666666;
}
textarea {
  background-color: #F1F1F1;
  border: 1px solid #999999;
  padding: 5px;
  width: 517px;
  height: 70px;
  font-family: verdana;
  font-size: 10px;
  color: #666666;
}
select {
  background-color: #F1F1F1;
  border: 1px solid #999999;
  padding: 5px;
  font-family: verdana;
  font-size: 10px;
  color: #666666;
}
</style>
<?php
$getComments = mysql_query("SELECT * FROM site_news_comments WHERE article = '".$news_article_id."' ORDER by
 
id DESC");
?>
<div class="habblet-container ">
  <div class="cbb clearfix notitle ">
    <div id="article-wrapper"><h2>Comments (<?php echo mysql_num_rows($getComments); ?>)</h2>
      <div class="article-meta"></div>
      <div class="article-body">
        <?php
        if(mysql_num_rows($getComments) == 0){
          echo 'No comments yet, could yours be the first?';
        }else{
          echo '<table width="528px">';
          while($Comments = mysql_fetch_array($getComments)){
          $getUserInfo = mysql_query("SELECT * FROM users WHERE id = '".$Comments['userid']."'");
          $userInfo = mysql_fetch_array($getUserInfo);
                  echo '
                  <tr>
                    <td width="90px" valign="top">
                      <div style="float:left"><img src="http://www.habbo.fr/habbo-imaging/avatarimage?figure='.$userInfo['look'].'&size=b&direction=2&head_direction=3&gesture=sml&size=s"></div>
                      ';
                      if($userInfo['rank'] > 8){
                        echo '<div style="position: absolute; z-index:1"><img
 
src="http://%www%/r63/c_images/album1584/AD1.gif"></div>';
                    }
                echo '
                </td>
                    <td width="427px" valign="top">
                      <strong>RE: %news_article_title%</strong><br /><br />'.$Comments['comment'].'
                    </td>
                  </tr>
          <tr>
                    <td width="90px" valign="top">
                    </td>
            <td width="427px" align="right">
              <i>Posted by: <strong><a href="#">'.$userInfo['username'].'</a></strong>  On '.$Comments
 
['posted_on'].'</i><br /><br />
            </td>
          </tr>';
          }
          echo '</table>';
        }
        ?>
      </div>
    </div>
 
 
                <script type="text/javascript">if (!$(document.body).hasClassName('process-template')) {
 
Rounder.init(); }</script>
</div>
</div>

 

[Sledmore]

I wouldn't use strip_tags and I don't think it is the best for you, you could try this though.

$comment = strip_tags ($_POST['comment']);

to

$comment = mysql_real_escape_string(stripslashes(htmlspecialchars($_POST['comment'])));

Also, where is:

$news_article_id

I cannot see it in your code, but make sure that's filtered.

Also:

You must be registered for see links

 

[Weasel]

Yes, it is exploitable. As you aren't using RevCMS and you are using UberCMS, use clean().

 

[Ecko]

no no no:

$getUserInfo = mysql_query("SELECT * FROM users WHERE id = '".$Comments['userid']."'");

Learn to switch everything over using prepared statements and you won't be vulnerable to SQL injections.

 

[Weasel]

no no no:

$getUserInfo = mysql_query("SELECT * FROM users WHERE id = '".$Comments['userid']."'");

Learn to switch everything over using prepared statements and you won't be vulnerable to SQL injections.

It selects the user id, which is set on login... the hell are you talking about? The userid field isn't an input field in any way.

 

[Ecko]

It selects the user id, which is set on login... the hell are you talking about? The userid field isn't an input field in any way.

...

Have you ever heard of second order attacks? Blind SQL injections? XSS? Session hijacking? There doesn't need to be user input for something to be exploited. This is why you filter output. If I wasn't at work (this place where I deal with hundreds of customers' SQL injected sites daily), I'd show you how this could be exploited.

 

[Weasel]

...

Have you ever heard of second order attacks? Blind SQL injections? XSS? Session hijacking? There doesn't need to be user input for something to be exploited. This is why you filter output. If I wasn't at work (this place where I deal with hundreds of customers' SQL injected sites daily), I'd show you how this could be exploited.

You are talking big but you obviously don't know where you are talking about. First of all, the id is a integer, also XSS? SQL Injections? Good luck doing that when the output needs to be a integer. You obviously don't know where you are talking about. Good luck exploiting it when you are home.

 

[Ecko]

You are talking big but you obviously don't know where you are talking about. First of all, the id is a integer, also XSS? SQL Injections? Good luck doing that when the output needs to be a integer. You obviously don't know where you are talking about. Good luck exploiting it when you are home.

The output needs too be an integer? What the hell are you smoking? The majority of XSS attacks are from search queries. I think you need to take a look at the examples here:

You must be registered for see links

And for SQL injections:

You must be registered for see links

As for exploiting it, did it at work before I clocked out:

You must be registered for see links

autobots.biz/code/news.php - if u want to try yourself

 

[Weasel]

The output needs too be an integer? What the hell are you smoking? The majority of XSS attacks are from search queries. I think you need to take a look at the examples here:

You must be registered for see links

And for SQL injections:

You must be registered for see links

As for exploiting it, did it at work before I clocked out:

You must be registered for see links

autobots.biz/code/news.php - if u want to try yourself

403 forbidden, and it isn't the whole code.