[center][size=8pt]Good Day Nairalanders,

Pals, I want to invite you people to Talkem Discussion Village Square Forum www.talkem.com , 100% coded by 9ja blood. Its easy to sign up and you can upload/post your pictures.


Thanks So Much . . . . IN GOD I TRUST . . . .


For Your Professional web application design and development, hacking, mass mailer, advice etc
Call me @ 08030716751 or email me @ igweze@live.com
www.idigitgs.com www.talkem.com[/size][/center]

nice

Err, Iz dis naija ingles or what?

Error . . . . a couple of fields were not filled in correctly,

Error, user name doesn't exits.

I tried signing in - that is what it gave me.

Next: try to do a proper custom 404 error page

Not Acceptable

An appropriate representation of the requested resource /index.php could not be found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

Apache/2.2.19 (Unix) mod_ssl/2.2.19 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.talkem.com Port 80

For a very proud website like this - should be fixed.


On the registration page,

*Note: This field is Required, only characters and numbers are accepted eg igweze4444 !!!!

That text is damn too long - longer than the registration form sef.

This is where my review stops. But the site looks nice all the same. Just trim the edges and make it
have better quality.

Error, user name doesn't exits.

hmmmmm!

I noticed that when i am on the register page:
http://www.talkem.com/index.php?action=register

The login bar on the right side does not work - rather like an image (i know it is a glitch and not an image).

So in order to login, you need to now click the login link again - despite seeing the login form on the right
:: This might frustrate some users.

After those inspections, i then tried to register

Now because i made a mistake in mistyping my password the second time:

Santa Maria! The registration form vanished - and all i could see is shown below:

TALKEM DISCUSSION VILLAGE SQUARE REGISTRATION
August 28, 2011, 10:40 am
Error . . . . a couple of fields were not filled in correctly,

The two passwords did not match.
Go Back

And on clicking the back button - all the info i have laboured to type earlier on
Lo and behold - they have vanished - so i have to start typing everything again!!

So, i decided not to get frustrated easily, and so, i entered the url
http://www.talkem.com/index.php?action=register2

And caramba: This is what i showed:

TALKEM DISCUSSION VILLAGE SQUARE REGISTRATION
August 28, 2011, 10:42 am
Succesfully registered. You can now sign in and start posting!

Phew, easy does it :: So why the heck was i battling with the registration form all along??

Wait, Espero, Yame, before you publish it. There is no captcha on zat registration form?

And truly and surely, without filling the registration form, i am really signed in :: I will prove it shortly
I returned to the homepage after registering as described above :: And see

Now, since i am already logged in, i just clicked on profile:

By the way, my public profile ID is http://www.talkem.com/index.php?action=user_info&userid=8
Anyone can access it without logging in. And if you have logged in like i explained earlier, you
can click the Edit Profile - To see the second attachment

And i made one post to contribute to the village square :: http://www.talkem.com/index.php?action=topic&id=10

I think i will stop here - i have real work to do.

BTW, i mean no harm - but seriously, if those spam bots should spot your website - and all the damn primary 1
hackers (that site will be in real mess).

If you check in between my posts, i was on your site for lets say about 30 minutes.
Had to restart my laptop twice, and make posts on nairaland with screen captures.

And yet, i have spotted all those bugs already. If i stayed longer, i will no doubt have spotted more.

There are some more tests i will like to carry out - just out of curiosity - but i am sure the site will
fail those sites - and your database might even crash (and since i mean no harm - i will stop here).

If you need technical advise on how to fix these issues, just say so - i wont say you should contact me,
because i am working on too many things at the same time, and will not be available for the the next
1 week or so, but there are some other gurus on board that might be able to help you - if you wish.

As i was leaving, i decided to logout, and i noticed that on the home page:

DHTML
August 28, 2011, 11:00 am
Posted by
under Category - ICT
Comments(0) | Views(2) | Last Post By
JURY BACKS DOCTOR IN PENIS AMPUTATION TRIAL
August 27, 2011, 11:11 pm
Posted by dazzlingoluchi
under Category - Crime
Comments(0) | Views(4) | Last Post By
[b]U.S. OFFICIAL: AL QAEDA\'S NO. 2 HAS BEEN KILLED
[/b]August 27, 2011, 11:01 pm
Posted by sniper
under Category - Crime
Comments(0) | Views(7) | Last Post By

It would appear you forgot to strip the slashes - that is a tad not too professional.

I also noticed that you did not disable directory browsing in your apache configuration.
You are also not using robots.txt = very soon, all the spam bots will know the direct
location of the core folders on your site - and you will be even more vulnerable to attacks.

And this is unfair, all the emails and every detail of registered users is available to the
public?

http://www.talkem.com/index.php?action=user_info&userid=1

I am sorry for any inconvenience caused to the village square - i am just trying to help make it better.

nice one dhtml looks like he didnt take security seriously.

I did not actually do a security scan. I just poked the site a little and nearly fainted at the result.

where the guy self

Excelboi:

where the guy self

Probably fixing the codes. But i will give him kudos all the same. Coding an application like that from the scratch is a
good thing. The thing is - you need a lot of extra time to test and polish it.

If he had even used a standard cms - wordpress, joomla or drupal - i doubt if bugs go full am like that.

Thank you very much. I just feel that i should contribute more to helping other developers. Most of the time i just keep quiet when i see some stuffs like this.

Thanks dhtml, I really appreciate your concerns, I will rectify the codes soon.


All the way thanks, pls why not try mysql injection and give me a feedback.

divinetalent:

Thanks dhtml, I really appreciate your concerns, I will rectify the codes soon.


All the way thanks, pls why not try mysql injection and give me a feedback.

MySQL injection didn't work from my end. I tried that the day you posted this. It didnt't work for the following reasons

The GET variables are sanitised before use.
The server you are hosting on is probably using apache mod_security and has some rules to block things like UNION ALL SELECT
You have added some error handling (adding "else" blocks) if the database can't return anything valid for the selection.




Bug
I can't remember where I saw this but you have added "addslashes" to the method of retrieving comments from your database and if a person says "i don't like this" what will be posted and retrieved is "i don/'t like this".

Thanks all for your criticisms especially dhtml and Dual Core.


However, those bugs have been corrected right away and i though there is any again. Meanwhile, the problem I had was using two form to process a request which i have now corrected to one, for the /s i have fixed that too and for the mysql injection it can't work on the script.


For user emails, the user have a choice of hiding their emails from their cpanel when the login.


Please, try more and please report the bugs here. dhtml I will visit your website and try my talent too. hope u don't mind.


Thanks to all


STILL Proud OF MY CODE !!!!!

When you say my site - which one are you talking about? No probs - just send bugs to my email.
I am going to be using this public holiday to see if i can publish my framework online - that will be
more beneficial to test out.
Your codes are very good. Bugs are part of the stuff when you do things from the scratch. As you
fix them, your application gets better and better.
However, note that i did not do a full vulnerability scan - i will call all i did - just Level 1

Public holiday dey sef o. Weekends, holidays. . . They hardly make any difference to a freelancer.

I will even write more codes in this public holiday than normal weekdays or weekends. All na the same.

Alright dhtml . . . . Bugs Reporting Time for http://www..net/ alone still going to your other works soon . . . .

First its a pity that I can't even register in your forum to post or comment and i wonder how people post there, all i get is error 404 - Component Not Found

Secondly, if I tried to login into your site from your login page http://www..net/index.php?option=com_user&view=login&Itemid=9, if i login with my email ie igweze@live.com and password '', it redirect me to another page http://www..net/index.php?option=com_user&view=login&Itemid=9 saying Invalid Token and when i tried going back. Damn all my information is gone !!!!! why


Your login page, your registration, even forget your password page etc doesn't work @ all. Hmmmm, i will advise you remove the link register, login, forget password etc because the are not even working.


Is like you are not even using a database @ all.


Meanwhile, its good you use index.php to link all your file but for example your login page link http://www..net/index.php?option=com_user&view=login&Itemid=9, if i should rewrite your $_GET variables to http://www..net/index.php?option=c, I will get an error page why not use switch default and redirect it to your home page.

However, I was wondering how people posted in your site because I can't even register but have a fabulous design but a lot of bad coding there. from my observation I can see you are little good with dhtml but not php.

Lastly, I dedicated my little time this morning and glance through your codes. Will still scan em full time when i have time . . . .

First, if you were reading up there - i asked what site you were going to check.
If it is .net - do not bother - the site is overdue for revamping.
My personal websites is about 5(/6) :: All are under revamping due to my framework.
If you have been following my threads on nairaland you will have realized that.

Meanwhile, the site is a Joomla site (i no code am) - the first site i used to test out
Joomla, but i am scraping it - due to my framework.

I will post a review when i am through with the revamping.

But still, i will check those bugs and fix them asap - but one thing i do know is that - i have not upgraded
the Joomla Installation.
But still, i will check out the stuffs and report back in the next few minutes.

Thanks. Tis as i have suspected. The codes are broken down - but i wont bother.
I have about 5/6 domains registered - this will lead to thrashing of the Joomla
code entirely - because i am going to use my framework for the revamp.

Meanwhile, i assume you have finished debugging your site?

Hmmmmo