Guys/Gals,

I can't tell you how much I appreciate all your help with the beta testing. You guys have unconvered many bugs that I could not have found myself, and it's going to result in a much higher quality software package.

I have uploaded the latest beta version of the software (using the cool upgrade system I wrote), and most of the issues previously reported have been fixed. The most important fix is the character encoding issues (which would allow you to break a whole bunch of stuff by putting in characters from non-english character sets). These should all be worked out now, so you should be able to use any language you want (assuming it can be put into and out of utf-8).

NOTE: All the old characters you tried to put in that were broken are STILL broken, but all new text should work alright.

http://beta.massassi.net/

There are still some bugs I haven't resolved - either because I couldn't reproduce them or because I couldn't find a way to resolve them, or I didn't see the reports until just today. So here is a list of KNOWN bugs that I am in the process of fixing:

0000024 unclosed img tag breaks design - I can't reproduce this one anymore
0000038 user_id.php shows gives a wierd error and displays a little information about admin - confirmed, will fix
0000039 Problems with tag - color tag is not currently supported, but this bug report clearly finds problems - my balance_tags function is balancing things that look like tags, but aren't. Will fix
0000041 Show Last should have option for all threads - will fix
0000036 Profanity Filter doesn't work retroactively - good idea but not sure this will make it into this release
0000027 IE Design/registration confirmation issues - ALL HTML design issues will be put off till after I hire a designer to do the interface
0000026 case insensitive logins - this is an odd deal where MySQL isn't case sensitive. I'm not sure whether I'm going to try to fix this. It's really odd.
0000034 Character limit on sigs - agree I should do this, not sure how I want to (whether a hard limit or a limit set by the board admin) - will fix

Now, for those of you taking me seriously (still ;)) again, I appreciate all your help. If I can afford it once the software goes out, I'm going to send a small token of my appreciation to all beta testers. So if you are or have been helping me beta test this software (this beta, or the last two), PLEASE please please send an email to brian@massassi.net with the subject "I AM HELPING YOU BETA TEST" in all caps in the subject line and in the body of your message. I will keep those emails as a list of all those who helped me. Please make sure it's an address you will be able to get mail at in the next 2 months or so.

Thanks again,
Brian

I got this as soon as I clicked the link. I'm running Firefox 1.5.0.1 and Windows XP Pro.

I see a similar message:

That's supposed to be there. Read the last thread.

Sorry, debug messages. I will turn them off

In profile:

Setting the homepage to "sorrowind.net" or similar, without the http://, results in a url like http://beta.massassi.net/sorrowind.net

Which obviously doesn't work.

I can't get in the first two forums in that link.

I was able to hack the privacy system somewhat.

I can now send emails to private users (those not listing their email address).

All I did was copy the form code from a public profile, and added "http://beta.massassi.net/user.php?user_id=9" to action= (where user_id is the userid of the member you want to send an email to), in addition to modifying the <input name="user_id" value="9" type="hidden">.

I then saved it to my desktop, opened er up in firefox, and sent myself an email. I could easily see this being abused. There should be a check to make sure that private members cannot be sent email, period, from users.php.

It works fine for me in Firefox, but the main page layout is jumbled in IE.

Hmm... make the nav bar a bit more skinny. Say 75% the size it is now.

"Private registration" is confusing. Just say "Hide e-mail address from non-admins".

Might want to look into AJAX, which is fun and surprisingly easy. You can try putting bits in the signature pages... allow for editing of the list without reloading the page. You can even do neat stuff like making all sigs editable in a large table at once, and making the default column just a column of radio buttons, where clicking one immediately applies the effect.

For error #26, ummm... are you storing PASSWORDS or password HASHES in your db? Please tell me you're hashing them. I shouldn't need to tell you that storing passwords plaintext is a BAD IDEA. With PHP all you need is a $md5 (remember it has been cracked) or an $sha1.

About the hidden form field stuff:

Always assume hidden field elements can be changed (it's easy with Greasemonkey), and your "secret" urls are public knowledge.

My prof coded a bulletin board for a Cryptography class once. However, by manipulating hidden form fields you could easily log in as anyone without needing a password.

Basically he had it set up so one form field would be a "command" indicating to the script what the form was supposed to mean, and another would be the user initiating the command. Only authentication was used in the "login" command, and every link was a submit, and the hidden form fields passed the current user along with it. All that was needed was to change one of these and then navigate to the next page. Or I could change the "login" command to the "back to main page" command, and leave the password field blank and choose a username.

An even worse bug in it was that if you blanked the user field, it would log you in as the first registered user.

Another security loophole was that one of my friends in ITS had access to the webserver and looked up the text files he stored user info in. He encrypted passwords using a SIMPLE SUBSTITUTION CIPHER. Keep in mind this is CRYPTOGRAPHY CLASS, and we studied all the way up to RSA and the like. Considering we can effectively select plaintext to encrypt and view the encrypted result, it would not have taken long to break it if we had cared (remember, we alreadsy knew passwords weren't even needed). You'd think he'd at least have used a hashing function.

[QUOTE=The Mega-ZZTer]

My prof coded a bulletin board for a Cryptography class once. However, by manipulating hidden form fields you could easily log in as anyone without needing a password.

Basically he had it set up so one form field would be a "command" indicating to the script what the form was supposed to mean, and another would be the user initiating the command. Only authentication was used in the "login" command, and every link was a submit, and the hidden form fields passed the current user along with it. All that was needed was to change one of these and then navigate to the next page. Or I could change the "login" command to the "back to main page" command, and leave the password field blank and choose a username.

[/QUOTE]

I don't think Brian's stupid enough to only authenticate on one page :p that would totally defeat the purpose of sessions/cookies, which he (presumably) uses.

Hidden fields are easily abused but still useful and can be used in a way that minimizes abuse.

quick note though: on new thread (and post reply) pages, you can alter the hidden input "forum id" or whatever it is to make it post ina forum other than the one you're supposed to be replying to. I did this to every forum ID I could in an attempt to try to see if I could do this and post in a private forum that I'm not supposed to be able to access, but to no avail

(I did however post in a bunch of forums in matty's thing that weren't listed and that I could not find later )

Should admins be able to ban themselves?

I did it as a test.

Also, the profanity filter doesn't seem to work for signatures.

Not really a bug, but the message could be changed so as to better reflect what happened:

If you choose unsubscribe in the dropdown box on a thread, when you aren't subscribed, it says "Your subscription has been removed." anyway.

BIG bug:

Using this URL: http://beta.massassi.net/manage.php?action=post&task=remove&post_id=94

I can modify the "post_id" and delete any post in any forum. All I have to do is grab the post id from the URL you provide on each post (that chain icon).

I deleted 2 of your posts in the testing forum with this method

Another bug:

Error

Unfortunately, there was an error processing your request.
Error Number: 2
Error Message: preg_replace(): Unknown modifier '/'
Line Number: 142
File: /home/brian/sites/beta.massassi.net/classes/BFD_Filter.php
Processing time: 0.0415 seconds.
Array


I pulled this off by adding "/" to the word filter. It freaks it out apparently. (It'll cause that error on every reply, regardless of whether it actually has that slash in it or not)

Related to the bug above, adding "\" to the filter causes this error on new threads/replies, regardless of their content:

Error

Unfortunately, there was an error processing your request.
Error Number: 2
Error Message: preg_replace(): No ending delimiter '/' found
Line Number: 142
File: /home/brian/sites/beta.massassi.net/classes/BFD_Filter.php
Processing time: 0.03954 seconds.
Array

Adding bbcode code, or a character within bbcode to the filter renders the bbcode useless.

I added b to the filter, and my bold tags come out as [*]test[/*].

For the filter, I'd suggest lexing the input and skipping filtering if a bbcode expression is found. Those would have to come first in the lexer specification. Though when I think about it, the admin of the board should fix it by checking "filter whole word only". I don't know if that's something you'd want to tackle or not.

I also got the same error as CM when adding a / character to the filter.

\n didn't get filtered either.

[edit] Also, hitting delete filters with no boxes checked gives an error page.

Unfortunately, there was an error processing your request.
Error Number: 8
Error Message: Undefined index: filters
Line Number: 469
File: /home/brian/sites/beta.massassi.net/functions.php
Processing time: 0.02374 seconds.
Array

That should probably fail gracefully.

[edit again]
Adding \\n to the profanity filter creates
**
on every line.

I know I'm testing unlikely input into the filter, but I'm trying to be complete. Plus, it would be kind of fun to filter out everybody's quotation marks or something along those lines.

Also, filtering \" puts in a ton of asterisks.

[QUOTE=Cool Matty]BIG bug:

Using this URL: http://beta.massassi.net/manage.php?action=post&task=remove&post_id=94

I can modify the "post_id" and delete any post in any forum. All I have to do is grab the post id from the URL you provide on each post (that chain icon).

I deleted 2 of your posts in the testing forum with this method :D[/QUOTE]

Holy freaking crap. Yeah, I just confirmed this, this is a big problem. Probably not hard to fix.

Everyone else, I'm going to go through and confirm and add each of these to the mantis bug tracker. Thanks again, I really appreciate.

Brian

Also, have you all sent the email I requested? I only got two

awww, the sigs of doom are still broken,.. and i banned pommy >.>

shouldn't 'Latest Thread' be 'Latest Post'? because i'd rather have the newest post then thread

I just uploaded a fix for this. Thanks for catching that, huge hole.

I don't know. I thought latest thread was cooler.

Those were created before the character encoding issues were fixed. Thus, until the owners of those boards fix them, they will remain broken.

[QUOTE=Cool Matty]I was able to hack the privacy system somewhat.

I can now send emails to private users (those not listing their email address).

All I did was copy the form code from a public profile, and added "http://beta.massassi.net/user.php?user_id=9" to action= (where user_id is the userid of the member you want to send an email to), in addition to modifying the <input name="user_id" value="9" type="hidden">.

I then saved it to my desktop, opened er up in firefox, and sent myself an email. I could easily see this being abused. There should be a check to make sure that private members cannot be sent email, period, from users.php.[/QUOTE]
Good catch, I will fix that.

[QUOTE=Blood Asp]It works fine for me in Firefox, but the main page layout is jumbled in IE.[/QUOTE]
I'm going to be redoing the entire layout with an eye for prettiness and cross-browser compatibility. At that time, I will take care of layout issues. Until then, I am putting off fixing any layout bugs. Sorry

[QUOTE=The Mega-ZZTer]For error #26, ummm... are you storing PASSWORDS or password HASHES in your db? Please tell me you're hashing them. I shouldn't need to tell you that storing passwords plaintext is a BAD IDEA. With PHP all you need is a $md5 (remember it has been cracked) or an $sha1.[/quote] Well, it's the usernames that are all of a sudden not case sensitive. I bet the passwords are, too. It really pisses me off why MySQL thinks foo == FOO when it's clearly not the case. I haven't had the time to thoroughly investigate this yet.

[quote=The Mega-ZZTer]Always assume hidden field elements can be changed (it's easy with Greasemonkey), and your "secret" urls are public knowledge.[/quote]Yeah, I know. I thought I had been very thorough about this, but clearly in at least two places I missed it (the emails & the deletion of whole threads). I will fix these when I find them.

Well I guess it's a good thing I can't stop people from posting to forms and changing the input, that's the nature of the web. What I can do is make sure you don't can't post to things you don't have permission to post to. I think I have been good about that but maybe there are gaps?


Yeah so that confuses me, too. Are these them? http://beta.massassi.net/3/OMGTWO/

Admins can ban whoever they want. If they ban themselves, they are just banned from posting, they can still go back and unban themselves.

The profanity filter on sigs... HRM now there's an issue. This is an issue because people can have an account and use it to post to different boards. And things allowed on one board may not be allowed in another. So this means that perhaps the filtering should happen when the page is being rendered, rather than when the post is made.

But actually, I am storing the sig as part of the post, so fixing this now by just filtering it after the sig is appended will fix this problem.

[QUOTE=Cool Matty]Not really a bug, but the message could be changed so as to better reflect what happened:

If you choose unsubscribe in the dropdown box on a thread, when you aren't subscribed, it says "Your subscription has been removed." anyway.[/QUOTE]
I'm going to add this as low priority. I'm going to revamp the messaging system in a later version so it can be localized properly.

Has anyone been able to reproduce the bug where an unclosed/broken image tag breaks the entire design? I can't reproduce it anymore, and I can't find the old threads where it was happening.

well, i decided to do a doompost, and after 5 minutes of waiting for it to send, i've given up on that... till next try..

A quick note on the case-sensativitely issue, just prefix the column in the WHERE clause with BINARY:

SELECT * FROM Users WHERE BINARY UserName="CaSeSeNsAtIvE" AND UserPass=sha1($password)";

Alright, folks, I fixed and uploaded the fix for every reported bug except the following four, which I'm putting off for a while. Please go back and hammer it some more and make sure the things work. I really appreciate your help! Genki, I got your doomsig bug fixed.

0000051 weird input in profanity filter has weird results - if you ban the letter "b" for example, BOLD bb tags won't work - tis to be expected
0000026 case insensitive logins - not a big issue for now, it won't let you register both brian & BRIAN so no harm, no foul
0000027 IE Design/registration confirmation issues - will fix all design issues when I hire the designer
0000036 Profanity Filter doesn't work retroactively - it's not really supposed to, will consider doing it at a later date