bugs

Yeah I downloaded it yesterday (after finding the bugs) - but I don't think it's the latest version, is it?
I'll make some comments on the source code soon ;)
If you can't find what causes the bug/bugs I'll probably PM you, or tell you over irc.

Well, yesterday afternoon I implemented a mechanism that automatically zips up the latest version when we publish it to the server. So I guess you still got the old version.
(/rev.txt shows when the site was last published)

Since the bugs you found so far have no security impact at all, feel free to post here what causes them.
You see, Gizmore wrote 95% of the code. I just help out here and there with small things. So for me it's not so easy to immediately find the cause of the bug and any bit of extra info helps.

Meanwhile I did fix the non-object and mysql error bugs. I'm just going through the code looking for more places where you don't get a nice error message or other user-friendly behaviour. So expect another publish later today

Fatal error: Call to a member function getName() on a non-object in /home/gizmore/domains/wechall.net/public_html/graphs/historytotalscore.php on line

"Kender: Since the bugs you found so far have no security impact at all, feel free to post here what causes them." That's not the reason I chose not to post them here.
I have found multiple security issues.

Here's some more to keep you busy.
Fatal error: Call to a member function isEditAllowed() on a non-object in /home/gizmore/domains/wechall.net/public_html/form/links/edit.php on line 10

Fatal error: Class 'User' not found in /home/gizmore/domains/wechall.net/public_html/form/links/edit.php on line 2

Fatal error: Class 'User' not found in /home/gizmore/domains/wechall.net/public_html/form/links/edit_section.php on line 2


Fatal error: Class 'User' not found in /home/gizmore/domains/wechall.net/public_html/form/links/add.php on line 2


Fatal error: Class 'Common' not found in /home/gizmore/domains/wechall.net/public_html/form/links/add_section.php on line 3

Ah yes, when you access a page that is supposed to be included then you get an error. Not really a bug now is it?
I'm really too busy right now to build in nicer error messages for users that request the wrong pages. Perhaps I'll put it on the todo list for later.

Meanwhile, if you happen to find a real bug or even a vulnerability, please don't hesitate to share it with us.
We put a lot of effort in this site for you to use and enjoy, all we ask in return is that you help us out a bit when you find something wrong.

Quote Kender: "Not really a bug now is it?"
If you don't think a PHP fatal error is a "bug" then what is? (don't have to answer)
Fact is, you should make your scripts work without them generating errors, regardless of the method to generate it.

Quote Kender: "Meanwhile, if you happen to find a real bug or even a vulnerability, please don't hesitate to share it with us."
I don't know how to interpret that, (undermining the posted bugs I found?) but you wrote that message knowing that I have multiple XSS attacks in this site.

Quote Kender: "We put a lot of effort in this site for you to use and enjoy, all we ask in return is that you help us out a bit when you find something wrong."
Sure, I'll keep posting.

Quote Gizmore: "Currently i have no idea how to sanitize submitted links properly.
Maybe we should add some <noscript> tags for links section ?"
Like I've said I'll teach you how to fix it if you can't do it yourselves.
Btw, <noscript> won't help you, that's not what noscript does.

Quote Gizmore: "@mals: Thanks for finding a real security problem "
It's okay, check the logs and you'll see I found about 3 more.

P.S: I added those links with my score at 0 or 1. (linked my HQ account after)