My project - dynamic forum system


Springbok
post 19 Sep, 2008 - 01:22 PM
Post #1


New D.I.C Head

Joined: 19 Sep, 2008
Posts: 3

I've been developing a method to go about programming a vBulletin/IPB/PHPbb-esque forum for several years now. I think I've finally pinned it down, and I'd like some feedback on what I have so far. If you're interested in seeing the code, let me know and I'll either post it here or PM it to you.

The project is hosted here: http://springbok.ulmb.com/index.php

Try out what's available (posting threads, replies, and polls so far) and let me know what could be done better, what needs fixing...

Also, I'm aware there aren't any confirmation messages when you make a post, but it gets done. I'm putting off trivial things for the most part...

This post has been edited by Springbok: 19 Sep, 2008 - 01:22 PM

Moonbat
post 21 Sep, 2008 - 02:33 AM
Post #2


D.I.C Regular

Joined: 30 Jun, 2008
Posts: 385



Thanked 22 times

Here are a few quick things I found:
  1. No email validation. This isn't especially important, but since you want to go along the lines of phpBB and vBulletin, it's worth mentioning.
  2. The pages have no titles. They are all labeled as 'Untitled Document' in Firefox.
  3. On my profile, it says Registered For 38 year(s), 9 month(s), 3 day(s), which would mean I registered very close to the time of the UNIX epoch.
I'll look for more stuff. BTW, on your forums, I am known as DingChavez.

EDIT: Biggie one found here. I was trying to test for XSS injection in the thread titles while making a thread, and I got this:

CODE
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'testing xss in titles")", '0', '0', '6', 'DingChavez', '0', ' at line 7


I think it's because the double quotes in my thread title, which was <script>alert("testing xss in titles")</script>, were not being escaped.

EDIT EDIT: Big boy XSS - http://springbok.ulmb.com/index.php?opt=forum&id=3

When I use single quotes (') in my XSS for thread titles, they don't get filtered or anything.

This post has been edited by Moonbat: 21 Sep, 2008 - 02:43 AM

Springbok
post 21 Sep, 2008 - 08:15 AM
Post #3


New D.I.C Head

Joined: 19 Sep, 2008
Posts: 3

Thanks for your feedback! As for your comments on the email validation and page titles, I simply haven't gotten around to throwing in the code to take care of those yet, but I will get around to it. Like I said, many trivial things don't function right now. This is still in the very early stages of development.

As for XSS... I'll be honest and say that I've never even heard of XSS, although from the popup displaying, I'm guessing it's similar or related to JS. Now, on to the error that occurred when you used double quotes... will visitors to my site constantly be trying to use XSS on their thread titles? If so, how would I go about escaping the quotes so that no error is returned?

EDIT: Found out why your time registered was so off... there's a glitch somewhere in the register.php file and it didn't actually put your date in the database. No big, it's an easy fix.

This post has been edited by Springbok: 21 Sep, 2008 - 08:25 AM
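Springbok asks above how to handle quotes in thread titles so that the INSERT no longer fails. The usual answer is not to escape by hand at all but to pass the title as a bound parameter of a prepared statement, so quotes of either kind are stored as data and never parsed as SQL. The following is an added example, not code from Springbok's project: the table and column names (`threads`, `forum_id`, `author`, `title`, `created_at`) and the helper names are assumptions, and it uses an in-memory SQLite database so it runs offline; the live forum would connect with a MySQL DSN instead.

```php
<?php
// Added example (not the project's code): inserting a user-supplied thread
// title with a PDO prepared statement instead of string concatenation.
// Table/column/function names are assumptions for illustration.

declare(strict_types=1);

/**
 * Insert a new thread and return its id. The title travels as a bound
 * parameter, so single quotes, double quotes, backslashes and semicolons
 * inside it are stored literally and never reach the SQL parser as syntax.
 */
function createThread(PDO $db, int $forumId, string $author, string $title): int
{
    // Input validation that is independent of escaping: trim and cap the length.
    $title = trim($title);
    if ($title === '' || mb_strlen($title, 'UTF-8') > 120) {
        throw new InvalidArgumentException('Thread title must be 1-120 characters.');
    }

    $stmt = $db->prepare(
        'INSERT INTO threads (forum_id, author, title, created_at)
         VALUES (:forum_id, :author, :title, :created_at)'
    );
    $stmt->execute([
        ':forum_id'   => $forumId,
        ':author'     => $author,
        ':title'      => $title,
        ':created_at' => time(),   // UNIX timestamp of creation, written explicitly
    ]);
    return (int) $db->lastInsertId();
}

/** Read a title back, again through a bound parameter rather than concatenation. */
function fetchThreadTitle(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT title FROM threads WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $title = $stmt->fetchColumn();
    return $title === false ? null : (string) $title;
}

// Constructed offline setup: an in-memory SQLite database standing in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE threads (
    id INTEGER PRIMARY KEY,
    forum_id INTEGER NOT NULL,
    author TEXT NOT NULL,
    title TEXT NOT NULL,
    created_at INTEGER NOT NULL
)');

// The exact title that produced the MySQL syntax error reported in this thread.
$id = createThread($db, 3, 'DingChavez', '<script>alert("testing xss in titles")</script>');

// Stored verbatim, no SQL error; the same holds for a title built around single quotes.
var_dump(fetchThreadTitle($db, $id) === '<script>alert("testing xss in titles")</script>'); // bool(true)
```

With a MySQL connection, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the server itself parses the statement with placeholders. Storing the raw title is deliberate: it is the value that must be encoded when it is rendered into HTML, which is a separate step from getting it into the database safely.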

Moonbat
post 21 Sep, 2008 - 09:16 AM
Post #4


D.I.C Regular

Joined: 30 Jun, 2008
Posts: 385



Thanked 22 times

XSS stands for cross-site scripting. It allows you to run arbitrary JavaScript code on the victim's website, not just for your browser, but for any browser. Usually this is done by referring someone to a link with the JavaScript code in it, but on forums it can be done by slipping JavaScript into thread titles or posts.

I can use JavaScript to put your entire forum cookie into a variable, then redirect you to a website which will log that variable (aka, your cookie). Then I can just change my cookie's PHPSESSID (and other cookie variables) to yours. Then I will have hijacked your session and taken over your account.

I'm not sure if you are using session_regenerate_id(), but if you aren't, you should use it. Wherever you use that function, the user's old PHPSESSID will be replaced with a new one, but it will still save the session info from the old session. That way, you can prevent session hijacking.

As for blocking XSS, just filter out all your data using stuff like htmlentities() or strip_tags().
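As an added example, not Moonbat's or the project's own code, here are the two defences Moonbat describes in working PHP: encoding stored text at the point where it is rendered into HTML, and issuing a fresh session id once the login check succeeds. The function names, the thread-list markup and the sample rows are constructed assumptions; the two problem titles in the sample data are the ones reported earlier in this thread.

```php
<?php
// Added example (not the project's code): output encoding for stored forum
// text, plus session-id regeneration at login. Names and markup are
// illustrative assumptions.

declare(strict_types=1);

/** Encode a string for HTML element content or a double-quoted attribute value. */
function h(string $text): string
{
    // ENT_QUOTES encodes both ' and ", so the single-quote variant is covered too;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Render one row of the thread list. The title is kept verbatim in the
 * database and encoded only here, at the HTML boundary.
 */
function renderThreadRow(int $id, string $title, string $author): string
{
    return sprintf(
        '<tr><td><a href="index.php?opt=thread&amp;id=%d">%s</a></td><td>%s</td></tr>',
        $id,
        h($title),
        h($author)
    );
}

/**
 * Call after the password check has succeeded. The old id is discarded and a
 * new one issued, so an id that was exposed or planted before login does not
 * identify the logged-in session. The existing $_SESSION data is carried over.
 */
function loginUser(int $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Keep the session cookie out of reach of document.cookie.
        ini_set('session.cookie_httponly', '1');
        session_start();
    }
    session_regenerate_id(true);   // true: delete the old session file as well
    $_SESSION['user_id'] = $userId;
}

// Constructed sample rows, including the two titles reported in this thread.
$rows = [
    [1, 'Welcome to the forum', 'Springbok'],
    [2, '<script>alert("testing xss in titles")</script>', 'DingChavez'],
    [3, "<script>alert('single quotes')</script>", 'DingChavez'],
];

echo "<table>\n";
foreach ($rows as [$id, $title, $author]) {
    echo renderThreadRow($id, $title, $author), "\n";
}
echo "</table>\n";
// Row 2 is emitted as &lt;script&gt;alert(&quot;testing xss in titles&quot;)&lt;/script&gt;
// and row 3 as &lt;script&gt;alert(&#039;single quotes&#039;)&lt;/script&gt;:
// the browser displays the text rather than executing it.
```

Of the two functions Moonbat names, htmlentities() (or htmlspecialchars(), as above) is the one that makes stored text safe to display: it turns the characters that have meaning to the HTML parser into entities. strip_tags() removes tag-shaped text but leaves quotes and other characters alone, so it is not a substitute for encoding at output, and in any case the raw value is best kept in the database and encoded every time it is rendered.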

sam_benne
post 21 Sep, 2008 - 09:39 AM
Post #5


D.I.C Regular

Joined: 16 Jan, 2008
Posts: 289



Thanked 1 times

I like it; it looks cool, and I was wondering, when you get it working properly, if I could have it put into my site http://samsvb.co.uk

Springbok
post 21 Sep, 2008 - 11:51 AM
Post #6


New D.I.C Head

Joined: 19 Sep, 2008
Posts: 3

Moonbat: Wow, thanks for the info regarding XSS... I knew things like that were possible, just didn't know it was that simple. I'll take all that into account.

sam: That's a possibility I'll consider, but keep in mind that this is a long ways away from being finished, or at least fully usable at this point. I'm still working on a functioning control panel, private messages, viewing active users, and a long list of other things.

sam_benne
post 21 Sep, 2008 - 11:54 AM
Post #7


D.I.C Regular

Joined: 16 Jan, 2008
Posts: 289



Thanked 1 times

Well, at the moment I have phpBB, and I just wanted to be the first to have one of your forums.