From 66ad266f378276ae3d2a1205d238de5d76fc1772 Mon Sep 17 00:00:00 2001 From: jgillam Date: Wed, 23 Aug 2023 16:34:03 -0400 Subject: [PATCH 1/5] Added html injection demo on new hidden field on login page. This includes a simple CSP on the login page with script-src 'self' --- src/basic/header.php | 10 ++++++++++ src/basic/login.php | 12 +++++++++++- 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/src/basic/header.php b/src/basic/header.php index 17a7226..fc58fc5 100644 --- a/src/basic/header.php +++ b/src/basic/header.php @@ -7,6 +7,11 @@ $password = $_REQUEST["password"]; $dosomething = $_REQUEST["do"]; +$page = isset($_GET['page']) ? $_GET['page'] : ''; +if ($page === "login.php") { + header("Content-Security-Policy: script-src 'self'"); +} + if ($username <> "" and $password <> "") { $query = "SELECT * FROM accounts WHERE username='". $username ."' AND password='".stripslashes($password)."'"; $result = $conn->query($query) or die(mysqli_error($conn) . '

SQL Statement:' . $query); @@ -35,6 +40,11 @@ } else { $failedloginflag=1; } + + if ($failedloginflag == 1) { + $tag = isset($_GET['tag']) ? $_GET['tag'] : ''; + echo ''; + } } switch ($dosomething) { diff --git a/src/basic/login.php b/src/basic/login.php index 55e379d..bad3419 100644 --- a/src/basic/login.php +++ b/src/basic/login.php @@ -4,8 +4,18 @@ if ($failedloginflag==1) { echo '
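Review bot: The added header sends `script-src 'self'` as the only directive, so a payload injected through the new hidden field can still use non-script vectors — `<base href>`, dangling-markup / `<form action>` hijacking, `<object>`, `<meta http-equiv="refresh">` — which a "simple CSP" does not cover; if the intent is to block only inline script while leaving the HTML injection observable, record that in a comment above the `header()` call, otherwise tighten it to `header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'");`. The policy is also gated on `$_GET['page'] === "login.php"`, so a login request that arrives without that parameter (a direct request or a POST) presumably gets no policy at all — confirm this is the only route to the login page. `header()` must run before any output byte; that holds here only if nothing above line 7 of header.php has emitted output, which is not visible in the hunk.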
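Review bot: In the new `if ($failedloginflag == 1)` block, `$tag` is taken from `$_GET['tag']` and echoed with no escaping (the string literal around it is not visible in this rendering), and nothing in the code marks it as the deliberate HTML-injection sink the commit message describes; add `// INTENTIONAL (training): $tag is rendered unescaped -- this is the HTML injection demo, do not "fix"` above the `echo` so a later cleanup does not silently remove the exercise. The fallback here is `''` while login.php in the same patch falls back to `'basic'`; if both describe the same field, use one default. The enclosing `if ($username <> "" and $password <> "")` block begins outside this hunk.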

Bad user name or password!

'; } -echo "
"; + +$tag = isset($_GET['tag']) ? $_GET['tag'] : 'basic'; +$query_string = $_SERVER['QUERY_STRING']; +$action_tag = $tag; +if (preg_match('/\b\w+\b/', $tag, $matches)) { + $action_tag = $matches[0]; +} +$action_url = $_SERVER['SCRIPT_NAME'] . "?" . $query_string . "&tag=" . $action_tag; + ?> + +

Enter your username and password:

Name:

Password:

From 6a2e5a4481f50ccced629c77200b47a5df80b7e0 Mon Sep 17 00:00:00 2001 From: jgillam Date: Wed, 23 Aug 2023 16:52:13 -0400 Subject: [PATCH 2/5] Improved styling on pages. --- src/basic/css/dojo-basic.css | 81 ++++++++++++++++++++++++++++---- src/basic/view-someones-blog.php | 3 +- 2 files changed, 75 insertions(+), 9 deletions(-) diff --git a/src/basic/css/dojo-basic.css b/src/basic/css/dojo-basic.css index f4525b5..9a4dda1 100644 --- a/src/basic/css/dojo-basic.css +++ b/src/basic/css/dojo-basic.css @@ -1,20 +1,31 @@ +body { + font-family: Arial, sans-serif; + color: #333333; + line-height: 1.6; + background-color: #ffffff; +} + #titlebar { text-align: center; - color: darkblue; - background-color: lightblue; + color: #ffffff; + background-color: #003366; + padding: 15px 0; } #footerbar { text-align: center; + padding: 10px 0; + background-color: #e6f7ff; } #title-error { - color: lightcoral; + color: #ff9900; /* Accent color for error messages */ } .sidenav { - color: dimgrey; - background-color: lightblue; + color: #333333; + background-color: #e6f7ff; + padding: 15px; } .menu-heading { 
@@ -22,14 +33,68 @@ } .nav-pills a { - color: darkslateblue; + color: #003366; + padding: 5px; + display: block; + transition: all 0.3s ease; } .nav-pills a:hover { - color:cornflowerblue; - background-color: beige; + color: #ff9900; + background-color: #f0f0f0; } .page-title { text-align: center; + font-size: 24px; +} + +input[type="text"], +input[type="password"] { + padding: 10px; + width: 100%; + margin: 5px 0; + border: 1px solid #ccc; +} + +input[type="submit"] { + padding: 10px 15px; + background-color: #ff9900; + color: #fff; + border: none; + cursor: pointer; + transition: all 0.3s ease; +} + +input[type="submit"]:hover { + background-color: #e68a00; /* Darker shade of orange */ +} + +.blog-controls { + display: flex; + align-items: center; + justify-content: flex-start; + margin-bottom: 20px; +} + +.blog-controls p { + margin-right: 10px; /* Add spacing between the label and the dropdown */ +} + +.blog-controls select { + margin-right: 10px; /* Add spacing between the dropdown and the submit button */ + padding: 5px; /* Add padding for a comfortable click area */ +} + +.blog-controls input[type="submit"] { + background-color: #ff9900; /* Accent color */ + color: #fff; + border: none; + padding: 5px 10px; + cursor: pointer; + transition: all 0.3s ease; +} + +.blog-controls input[type="submit"]:hover { + background-color: #e68a00; /* Darker shade of orange */ } diff --git a/src/basic/view-someones-blog.php b/src/basic/view-someones-blog.php index 9ecb9bf..992c1fa 100644 --- a/src/basic/view-someones-blog.php +++ b/src/basic/view-someones-blog.php @@ -6,6 +6,7 @@ $query = "SELECT * FROM accounts"; $result = $conn->query($query) or die(mysqli_error($conn) . '

SQL Statement:' . $query);; //echo $result; +echo '

'; echo '

Show only:'; +echo '

'; ?> Date: Wed, 23 Aug 2023 17:05:19 -0400 Subject: [PATCH 3/5] Added alert messages to user info update page. --- src/basic/user-info.php | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/src/basic/user-info.php b/src/basic/user-info.php index 21d3ebd..047a2eb 100644 --- a/src/basic/user-info.php +++ b/src/basic/user-info.php @@ -1,13 +1,21 @@

Account Details

"") { - $query = "UPDATE accounts SET password='" . $password . "', mysignature='" . $signature . "' WHERE cid='" . $cid . "'"; - $result = $conn->query($query) or die(mysqli_error($conn) . '

SQL Statement:' . $query); - header("Location: ".$_SERVER['SCRIPT_NAME']."?".$_SERVER['QUERY_STRING']); + $query = "UPDATE accounts SET password='" . $password . "', mysignature='" . $signature . "' WHERE cid='" . $cid . "'"; + $result = $conn->query($query) or die(mysqli_error($conn) . '

SQL Statement:' . $query); + // Output success message that the information was updated + echo '

'; + // header("Location: ".$_SERVER['SCRIPT_NAME']."?".$_SERVER['QUERY_STRING']); +} else { + // Output error message that the password must be filled in + if ($_SERVER['REQUEST_METHOD'] === 'POST') { + echo ''; + } } ?> From 25027ea1213ee9048a762a336ba452a5da218f50 Mon Sep 17 00:00:00 2001 From: jgillam Date: Wed, 23 Aug 2023 17:06:32 -0400 Subject: [PATCH 4/5] Removed "Play Snake" menu --- src/basic/header.php | 1 - 1 file changed, 1 deletion(-) diff --git a/src/basic/header.php b/src/basic/header.php index fc58fc5..76dddb5 100644 --- a/src/basic/header.php +++ b/src/basic/header.php @@ -120,7 +120,6 @@
  • Blog Entry
  • View Blogs
  • Reading Room
  • -
  • Play Snake
  • Logout

  • Browser Info
  • From f4ee0a1ff58f724b68bf875c5a2d6dfa254ad5bb Mon Sep 17 00:00:00 2001 From: jgillam Date: Wed, 23 Aug 2023 17:17:18 -0400 Subject: [PATCH 5/5] replaced favicon --- src/basic/favicon.ico | Bin 1150 -> 648 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/src/basic/favicon.ico b/src/basic/favicon.ico index 5a2aa24bc4c5a3c7441b23f4dd6ff41d2f083428..0a154f7f2ff402299938fefcc2a3aedd5f349269 100644 GIT binary patch literal 648 zcmV;30(boY0096201yxW0000W0CNHW02TlM0EtjeM+zDW0000DNk~Le0000G0000G z2m$~A0FaSrHUIzuI!Q!9RCt_~kk3n0Q546|yYJ4s@4h$wBBdWX7A__R97h!V2b@&G zmi_~_%i5SZZlr}~xvp?!f{5+ZTvp=7T)2?jWT;?Z&I?6iP#E7k_uk{;fkXw-cXiI; zdk)|8v4{x%N9?jP#%Qhoxo;U`EXyJy%d+AT5ykE0QR=9Yzp#opd~03f9=rOfB^Q&Up|0|Tz> z!p`1aTYLMhrlw*L)TdGa(AwHYM8?qc^h`rT3IJwjXJb&iySp&-WVpNMt|P>=iRbCt z8OH3&%IfW}JFz1Oe)RSAt*x!axQ>pF;K9R3CnrA}QjGv0y=1bYN(kA~(mMEfXkl^b z^z4j?%H?uQR%;C}U%l?{zkj1XC4_XP|J%E%#+#FqFSORN8xi@|=dCcppjdPqp|u(= zjGUi`@0OMh4h|BI69hq_Fmif&Ha0eV`eCs+I{MW2E2QUp io+pG@U0o$2M7#hif=N#=PF4~C0000#WQ>W literal 1150 zcmZQzU<5(|0R|wcz>vYhz#zuJz@P!dKp~(AL>x$w3=|a?O3BJDkSAFqPy-j&$y`Rp zpMMw_e*fd)Inhjt8G3q|lH%g4ziDb#{nOSi{Rd?KQBy0|A=V6a^{Pk{ldymG_V)il z*vu^OpSpTQA+h>}h3}*>F#P$?%K8$BU;GF9;Xgb3qdEfmnSk=zAT{FRd#o84{sHy< zhhss(lOa(3YCxI|%0{QefdWQaS`|z(GV_nJv%mPq%KG-7wDi*JT3W3fKsivfDxzyb zD1AR8N7ij|esS6f@#-`w2X z1we6-+dzO3h^4_SR08CGklnH%VMRs7G)VY6{8v>~1%(|*pD+;H05K~N;{q-~iC9rl zlLjuXEB`n+?);OGaGwAY17crXnlQyD7bC)dNjIiEP7zQz$1pGi1Tipt`NF{P{U-xM zCXmk%55#;pbs;1`VE~NZ>A-lpcZY%D{!<2q*#voObAF|Q2>fx4DhdhjpHBtHI6^z5%`4g8pj9hYaBoDuW