So, the activity on this forum goes in swells, and it pretty much only happens when I upload a new revision. However, it seems that a lot of you assume that everything is working properly, and when you test things, it's limited to "what can I successfully post?"
There is a lot more that goes into debugging, and I know a few of you have stretched outside of the box and tried to break some of the other forms on the site (thank you for that, btw), but a lot of you seem to have given up.
So, having dealt with a lot of hackers in the past, I know of a bunch of things you can try, and I'm going to outline a few of them here (not the majorly scary ones, of course, since I'll be tackling those myself for sure) in the hopes that some of you can try them out and see what happens:
1. Click to edit a comment. Once you can see your comment in the edit form, change the comment id in the querystring to one that doesn't belong to you and see if it allows you to edit. There are many different places you can try this type of thing. Another example: when editing your account.
2. The search form uses a lot of string parsing, and could possibly have a hole in it that would allow SQL injection. Try messing about with what you enter - things like single and double quotes, backslashes, and non-typable characters could give you some strange results.
3. Again with the search form, pay particular attention to the things that go into the keywords input after you run an advanced search. Try messing about with those special strings and see what you can come up with.
4. For those of you brave enough, there is a /tools folder that contains a lot of the functionality that is handled through xmlhttp requests. If you dig through the javascript files, you can find the various files in the tools directory and you can attempt to access those files directly to see if you can get some ill effects.
5. Derrickito and a few others were able to successfully sign in WITHOUT using the sign in form because of an error that occurred in the "reset your password" system. I have no idea how, or why it signed them in. I was only able to correct the problem that the password reset system was having (not validating the credentials from their email). There may be a hole here whereby you can gain access to the system by entering bogus information into the querystring.
Those are a few items to tinker with if you're bored. I know that if no one else does it, I'm going to have to do it myself before this thing is released. So, if you want Vanilla out sooner rather than later, please have a go at these.
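The server-side checks that close items 1, 2 and 5 above, as an added illustration that is not Vanilla's code and not from the original post. It assumes an in-memory SQLite database with a constructed `comments` table and a `reset_tokens` table standing in for the forum's real tables; the function names (`edit_comment`, `search_comments`, `issue_reset_token`, `redeem_reset_token`) are hypothetical.

```python
import hmac
import secrets
import sqlite3
import time


def make_db():
    """Constructed stand-in for the forum database (not the real schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT)")
    db.executemany("INSERT INTO comments VALUES (?, ?, ?)", [
        (1, 10, "first post"),
        (2, 20, "hello ' OR 1=1 -- world"),   # odd characters stored as plain text
        (3, 10, "backslash \\ test"),
    ])
    db.execute("CREATE TABLE reset_tokens (user_id INTEGER, token TEXT, expires REAL)")
    return db


def edit_comment(db, acting_user_id, comment_id, new_body):
    """Item 1: the comment id arrives in the query string, so ownership is
    decided from the session user, never from the id the browser sent."""
    row = db.execute("SELECT user_id FROM comments WHERE id = ?", (comment_id,)).fetchone()
    if row is None or row[0] != acting_user_id:
        return False  # not yours (or nonexistent): refuse, same response either way
    db.execute("UPDATE comments SET body = ? WHERE id = ? AND user_id = ?",
               (new_body, comment_id, acting_user_id))
    return True


def search_comments(db, keywords):
    """Item 2: whatever is typed into the search box is bound as a parameter,
    so quotes and backslashes are matched literally rather than parsed as SQL.
    Returns the ids of matching comments."""
    # LIKE wildcards typed by the user are escaped so they are literal as well.
    escaped = keywords.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    rows = db.execute(
        "SELECT id FROM comments WHERE body LIKE ? ESCAPE '\\' ORDER BY id",
        ("%" + escaped + "%",),
    ).fetchall()
    return [r[0] for r in rows]


def issue_reset_token(db, user_id, ttl_seconds=900):
    """Mint one unguessable, time-limited reset token per user; any older
    token for that user is discarded."""
    token = secrets.token_urlsafe(32)
    db.execute("DELETE FROM reset_tokens WHERE user_id = ?", (user_id,))
    db.execute("INSERT INTO reset_tokens VALUES (?, ?, ?)",
               (user_id, token, time.time() + ttl_seconds))
    return token


def redeem_reset_token(db, user_id, presented_token):
    """Item 5: the credentials from the emailed link are validated before
    anyone is signed in. User id and token must both match a live, unexpired
    row, the comparison is constant-time, and the token is single-use."""
    row = db.execute("SELECT token, expires FROM reset_tokens WHERE user_id = ?",
                     (user_id,)).fetchone()
    if row is None:
        return False
    stored, expires = row
    if time.time() > expires or not hmac.compare_digest(stored, presented_token):
        return False
    db.execute("DELETE FROM reset_tokens WHERE user_id = ?", (user_id,))
    return True


if __name__ == "__main__":
    db = make_db()
    print("edit own comment:", edit_comment(db, 10, 1, "edited"))
    print("edit someone else's:", edit_comment(db, 10, 2, "edited"))
    print("search with quote:", search_comments(db, "' OR 1=1"))
    tok = issue_reset_token(db, 10)
    print("redeem bogus:", redeem_reset_token(db, 10, "bogus"))
    print("redeem real:", redeem_reset_token(db, 10, tok))
```

The search function returns every row when the keyword box is empty, which mirrors a "match anything" search; if that is unwanted, reject empty input before querying. The reset check deliberately returns the same `False` for a missing user, an expired token and a wrong token so the response does not reveal which one failed.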
i'll try to do whatever i can to fuck this place up, although i'm not much of a hacker. i'll try to think outside the box and see what i can do. i want vanilla asap!
- changing the numbers in the edit comments string. the only ones i am able to jump to are my own.
- inserting odd characters/mysql strings into the search.
- messing with the cookies to try to enable admin rights.
nope, nothing happened with any of it. it seemed that the search stripped out anything i would put in there and messing with the cookies just made me log out.
Yeah Mark, I'm finally living the dream... the dream of living in a bathroom, wearing my bathrobe and having my digital camera grafted onto my left paw