03-18-2016, 11:56 AM
Hi, a little update, I spoofed the form and managed to get entries into the DB without validation.
I haven't managed to do any SQL injection, since I'm not a coder, but I did manage to fill the username field with everything (/ \ * ?) except for double quotes which were entered as ". I can't say this has caused much harm, but I can't help wonder if a more skilled and malicious person could do something.
The method was to remove all the ID='username', ID='fname', and then generate a real csrf and copy it to the spoof form.
Some suggestions might be to:
1. set the field length in the MySQL database to match the allowable character limit set by UserSpice. Currently, most DB fields allow 255 chars. This could be reduced for the username and password fields at least.
2. change the submit function so the validation doesn't depend on any client-side stuff (i.e. JavaScript).
Hope that helps you out in some way.
T.
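Added example of what suggestion 2 (server-side validation that does not rely on the browser) and suggestion 1 (a matching column length) look like in PHP. This is illustrative code, not UserSpice's own; the length limits, the `users` table layout and the PDO handle `$db` are assumptions.

```php
<?php
// Server-side validation: runs on every POST regardless of what the client sent,
// so removing id="username" from the HTML or bypassing the JavaScript changes nothing.
// Limits below are assumed values, not UserSpice's real settings.
const USERNAME_MIN = 3;
const USERNAME_MAX = 30;
const PASSWORD_MIN = 8;
const PASSWORD_MAX = 128;

/** Returns a list of error strings; empty list means the username is acceptable. */
function validate_username(string $username): array
{
    $errors = [];
    $len = mb_strlen($username);
    if ($len < USERNAME_MIN || $len > USERNAME_MAX) {
        $errors[] = 'Username must be ' . USERNAME_MIN . '-' . USERNAME_MAX . ' characters.';
    }
    // Whitelist instead of blacklist: characters such as / \ * ? " are rejected outright.
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $username)) {
        $errors[] = 'Username may only contain letters, digits, underscore, dot or hyphen.';
    }
    return $errors;
}

function validate_password(string $password): array
{
    $len = mb_strlen($password);
    return ($len < PASSWORD_MIN || $len > PASSWORD_MAX)
        ? ['Password must be ' . PASSWORD_MIN . '-' . PASSWORD_MAX . ' characters.']
        : [];
}

/**
 * Assumed table (suggestion 1): column length matches the application limit so the
 * database rejects anything that slips past the code. With MySQL in strict mode
 * (sql_mode containing STRICT_TRANS_TABLES) an over-long value is an error, not a
 * silent truncation:
 *   ALTER TABLE users MODIFY username VARCHAR(30) NOT NULL;
 */
function create_user(PDO $db, string $username, string $password): bool
{
    $errors = array_merge(validate_username($username), validate_password($password));
    if ($errors !== []) {
        throw new InvalidArgumentException(implode(' ', $errors));
    }
    // Prepared statement: user input is bound as data, never concatenated into SQL.
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    return $stmt->execute([
        ':u' => $username,
        ':p' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}
```

The JavaScript checks can stay for user convenience, but the server-side functions are the only ones that decide whether a row is written.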