Static Audit Notes

notes

  • add google analytics to static version
  • other best practices? TODO
  • security issues
    • File: D:\xampp\htdocs\stariumxcv.dev\functions\templates\template.php
    • Line: 8
    • Desc: possible insecure retrieval of module name from url via _SERVER["SCRIPT_FILENAME"]
    • Risk: unknown/possible XSS
      • in template.php line 63 we echo the contents of $module, which are set by getting data from the URL. Possible XSS vuln.
    • Solution: Create a whitelist of module names that we check _SERVER["SCRIPT_FILENAME"] against to validate it
  • incomplete code
    • File: D:\xampp\htdocs\stariumxcv.dev\functions\config\config.php
    • Line: 25
    • Desc: function meta_info ($module) is incomplete
    • Todo: discuss implementation
  • todo for static version
    • 1
      • File: template.php
      • Line: 63
      • Desc: Update to call clientcore start(window, 'home');
    • 2
      • File: D:\xampp\htdocs\stariumxcv.dev\public_html\library\clientcore.js
      • List
        • extract unnecessary code for home module
        • what code does home module need?
          • 1
            • line: 770
            • desc: is module displayed
          • 2
            • line: 870, 889
            • desc: ismobile, findOrientation
          • 3
            • line: 1098
            • desc: _Core object literal. contains functions that should be evaluated...
              • _listeners
              • addListener
              • fireEvent
              • removeListener
              • message
                • loads file: D:\xampp\htdocs\stariumxcv.dev\public_html\library\main.php
              • getData
                • SUBMITS POST REQUESTS. check all calls to this function
              • moduleRegistration
                • loads files via
              • ``
              • ``
              • ``
          • 4
            • line: 1613
            • desc: handleImages
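Added example for the template.php security item above (the module name derived from _SERVER["SCRIPT_FILENAME"] and echoed at line 63): this is not the project's template.php, just a stand-alone sketch of the proposed allowlist check beside the flagged pattern. Only 'home' appears in these notes as a module name; the other allowlist entries, the function names resolveModule/renderModuleHeading and the sample paths are constructed for illustration.

```php
<?php
// Added example (not the project's template.php): derive the module name the
// way the audit note describes, then validate it against a fixed allowlist
// before it is ever echoed into the page.

// Allowlist of module names this template may render. 'home' is the only
// module named in the notes; 'about' and 'contact' are constructed placeholders.
const ALLOWED_MODULES = ['home', 'about', 'contact'];
const DEFAULT_MODULE  = 'home';

/**
 * Reduce the executing script path to a bare module name, e.g.
 * "D:\...\public_html\about.php" -> "about". Anything unexpected
 * (missing, wrong type, not in the allowlist) falls back to DEFAULT_MODULE.
 */
function resolveModule(array $server): string
{
    $script = $server['SCRIPT_FILENAME'] ?? '';
    if (!is_string($script) || $script === '') {
        return DEFAULT_MODULE;
    }
    // Normalise Windows separators (the notes run under XAMPP) so pathinfo()
    // only sees the final path component.
    $name = pathinfo(str_replace('\\', '/', $script), PATHINFO_FILENAME);

    // Strict comparison: the value must match an allowlisted entry exactly.
    return in_array($name, ALLOWED_MODULES, true) ? $name : DEFAULT_MODULE;
}

/** Escape for HTML regardless of how $module was chosen (defence in depth). */
function renderModuleHeading(string $module): string
{
    $safe = htmlspecialchars($module, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h1 class="' . $safe . '">' . $safe . '</h1>';
}

// --- before: the pattern the audit note flags (module name reflected unvalidated) ---
// $module = pathinfo($_SERVER['SCRIPT_FILENAME'], PATHINFO_FILENAME);
// echo $module;

// --- after: allowlist first, escape on output ---
$module = resolveModule($_SERVER);
echo renderModuleHeading($module), PHP_EOL;

// Constructed checks (run with `php this_file.php`; paths are made up):
assert(resolveModule(['SCRIPT_FILENAME' => 'D:\\xampp\\htdocs\\stariumxcv.dev\\public_html\\about.php']) === 'about');
assert(resolveModule(['SCRIPT_FILENAME' => '/var/www/public_html/unknown.php']) === 'home');
assert(resolveModule([]) === 'home');
assert(renderModuleHeading('home') === '<h1 class="home">home</h1>');
```

Whatever the real template.php does with $module at line 63, the two points the note asks for are the allowlist comparison (`in_array(..., true)`) happening before the value is used, and `htmlspecialchars` at the echo so an unexpected value can never be rendered as markup.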