
flowpanel's Introduction

WARNING!

I am working on a new rewrite of FlowPanel. DO NOT USE THE VERSION ON THE MASTER BRANCH!

The new rewrite will be more object-oriented, so my code will be cleaner. The next rewrite will probably be in Laravel or something like that.

flowpanel's People

Contributors

mohagames205

Watchers

James Cloos, Laurens B.

flowpanel's Issues

DB con in __construct

Instead of initiating a database connection in every method, I will have to let it connect once in __construct.

BIG SECURITY ISSUE

I have found a huge security concern in the new update. I will fix this asap

New features coming soon!

These are the features that I am currently working on! If you want other features then leave a comment.

  • Adding audit log to the website

  • Adding a permission system

  • Making a registration system

XSS vectors

Be wary of user data. A user can give the following username or reason:

<script>console.log("123")</script>

The script will then run for every user that visits the home page, since you echo that in the table without checking that the input isn't malicious. This type of attack is called XSS or cross-site scripting.

The username and reason are examples of stored XSS: you store the value the attacker gives you and later you distribute it to (other) users.

You also have a reflected XSS in your code. That is when an attacker can create a link that might execute code. In your example: home.php?naam=javascript_here. If an attacker can trick a user into going to that link, they can make that user execute whatever code they want.

Restricting the length of the possible usernames or reasons is not enough to mitigate malicious attacks. 255 characters is more than enough to steal someone's cookie, and thus their login (that's why a lot of sites ask you for your password again if you want to change it, even if you just logged in with it. That way even someone who stole your cookie can't change your password unless they knew it in the first place).

The moral of the story: "Never never never ever trust user input. Always assume the user is malicious."

Check every echo you do of user definable things. Add htmlspecialchars to those to sanitize them. Maybe penalise users that you suspect are trying to attack you. You might also want to check out CSRF and mitigations (samesite, CSRF tokens, ...) in further development.
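The stored and reflected cases described in this issue, side by side with the htmlspecialchars fix, as an added example that is not FlowPanel's own code. The row layout (`naam`, `reden`), the function names `renderTableUnsafe()`, `renderTable()` and `renderGreeting()`, and the sample rows are all assumptions made for illustration.

```php
<?php
// Added example, not code from the FlowPanel repository.
// Shows the stored XSS (usernames/reasons echoed into a table) and the
// reflected XSS (home.php?naam=...) next to the escaped versions.
// $rows, renderTableUnsafe(), renderTable() and renderGreeting() are
// hypothetical names; the column names 'naam' and 'reden' are assumed.

declare(strict_types=1);

/**
 * Escape a value for HTML text content or a double-quoted attribute.
 * ENT_QUOTES also escapes single quotes, ENT_SUBSTITUTE replaces invalid
 * UTF-8 instead of returning an empty string, and the explicit charset
 * avoids depending on default_charset in php.ini.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable: stored username and reason are echoed verbatim (stored XSS). */
function renderTableUnsafe(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $row) {
        $html .= "<tr><td>{$row['naam']}</td><td>{$row['reden']}</td></tr>\n";
    }
    return $html . "</table>\n";
}

/** Hardened: every user-definable value goes through e() at output time. */
function renderTable(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $row) {
        $html .= '<tr><td>' . e($row['naam']) . '</td><td>' . e($row['reden']) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

/** Reflected case: the ?naam= query parameter echoed back into the page. */
function renderGreeting(array $query): string
{
    $naam = $query['naam'] ?? 'gast';
    return '<p>Welkom, ' . e($naam) . "</p>\n";
}

// Constructed sample rows: the second one is what an attacker would submit
// as username and reason (the reason breaks out of an attribute context).
$rows = [
    ['naam' => 'alice', 'reden' => 'promoted'],
    ['naam' => '<script>console.log("123")</script>', 'reden' => '" onmouseover="alert(1)'],
];

echo renderTableUnsafe($rows);   // the <script> tag reaches every visitor's browser intact
echo renderTable($rows);         // rendered as &lt;script&gt;...; inert text in the table
echo renderGreeting(['naam' => '<img src=x onerror=alert(document.cookie)>']);
```

htmlspecialchars is the right escaper only for HTML text and quoted attribute values; a value that ends up inside a script block, a URL or a CSS rule needs context-specific encoding instead. Escaping at output time (rather than "cleaning" on input) also keeps the stored data intact and works for data that entered through another path. Marking the session cookie HttpOnly limits what a script that does slip through can read, but it is a second layer, not a substitute for escaping.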

Flowpanel will only work in root folder

Because of a wrong path reference in my code, Flowpanel will only work if you put it in the root folder. Otherwise it won't work and you will get an error. I am investigating this issue and trying to fix it as fast as possible.

This is the line that throws the issue:

$database_json = file_get_contents($_SERVER["DOCUMENT_ROOT"]."/config/database.json");
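One way to make the path independent of the install location, as an added example rather than FlowPanel's own code: resolve the config file relative to the PHP file's own directory with `__DIR__` instead of `$_SERVER["DOCUMENT_ROOT"]`. The function name `loadDatabaseConfig()` and the required keys (`host`, `user`, `password`, `database`) are assumptions about the config layout.

```php
<?php
// Added example, not code from the FlowPanel repository.
// Replaces file_get_contents($_SERVER["DOCUMENT_ROOT"]."/config/database.json")
// with a lookup relative to the application's own directory, so the panel
// also works when installed in a subfolder such as /var/www/html/panel.
// loadDatabaseConfig() and the required keys are hypothetical.

declare(strict_types=1);

function loadDatabaseConfig(string $baseDir): array
{
    $path = $baseDir . '/config/database.json';

    if (!is_file($path)) {
        throw new RuntimeException("Config file not found: $path");
    }
    $json = file_get_contents($path);
    if ($json === false) {
        throw new RuntimeException("Could not read $path");
    }

    // JSON_THROW_ON_ERROR turns malformed JSON into an exception instead of null.
    $config = json_decode($json, true, 512, JSON_THROW_ON_ERROR);

    foreach (['host', 'user', 'password', 'database'] as $key) {
        if (!array_key_exists($key, $config)) {
            throw new RuntimeException("Missing key '$key' in database.json");
        }
    }
    return $config;
}

// __DIR__ is the directory of the file containing this line. If this code
// lives in <install dir>/src/Database.php, dirname(__DIR__) is <install dir>,
// whatever the web server's document root happens to be.
$config = loadDatabaseConfig(dirname(__DIR__));
```

A related point for whoever deploys this: a `config/database.json` that sits under the document root is itself reachable by URL unless the web server is told to deny it, so the directory is better kept outside the document root (or blocked in the server configuration) once the path no longer depends on it.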

No permission system

The permission system is non-existent, but I will add it soon. This will be a big update and will include bug fixes and the new permission system. For now everyone can change everyone's rank, which is not smart.
