
css-tricks chat2 script

is it safe to use ?

3 replies to this topic

#1 bruyndoncx (Carine Bruyndoncx)

Posted 02 June 2012 - 07:36 PM

I found "Chat2: Group Chat Room with PHP, jQuery, and a Text File" on the css tricks website (http://css-tricks.com/chat2/) and wondered if this is safe to use.

The script allows you to start chatting after choosing a user name; my intention is to set up a chat room for each supported language.
Conversations are saved in a text file.

I looked at the different contributions but couldn't find any other one that is this simple.
I felt it would be easy to modify it and integrate it in the sidebar of a 2.3.1 installation.
Have a nice day!
Carine Bruyndoncx


PS: frustrated by the lack of feedback

#2 kymation (Jim Keebaugh)

Posted 02 June 2012 - 08:09 PM

That page states that it has an unpatched security hole. It's a rather obvious one, so I don't think the designer knows much about security.

It stores chat data in a flat file, so that file must be writeable. I don't like using writeable files, particularly if they are where the user can discover them. Why not use the database?

An open chat room is inherently dangerous. It can be used for any purpose, including illegal transactions between users. Why do you want this, and does that justify the risk?

Regards
Jim
My Addons

Banners Box 2.3.x  Support
Categories Accordion Box 2.3.x  Support
Categories Images Box 2.2x  2.3.x  Support
Closest Shipper 2.2x  Support
Document Manager 2.2x  Support
Generic Box 2.3.x  Support
Get 1 Free 2.2x  Support
jQuery Banner Rotator 2.2x  2.3.x  Support
Modular Front Page 2.3.x  Support
Modular SEO Header Tags 2.3.x  Support
MVS 2.2x  Support
PDF Datasheet 2.3.x  Support
Price Updater 2.2x
Products Specifications 2.2x  2.3.x  Development Version  Support  Bugs/Suggestions
Request a Review 2.2x - 2.3.x  Support
Similar Products Box 2.2x
Specials Image Overlay 2.3x Support
Theme Switcher 2.3.x  Support

#3 bruyndoncx (Carine Bruyndoncx)

Posted 02 June 2012 - 10:22 PM

Suppose the text files are in a .htaccess-secured directory, and the update.php file is amended as suggested:
  //  CONSIDER THIS SECURITY MEASURE ON WHERE THE
  //  FILE CAN ONLY BE CALLED VIA AJAX AND FROM SPECIFIC LOCATIONS
  //
  // if (!isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_REFERER']!="http://your-site.com/path/to/chat.js") {
  //   die();
  // }

Also, I'm puzzled why the update logic is coded with a GET request, while the other ajax actions are done through POSTs.

Can you think of a reason why this is done? Can't you do through POST anything you can do through GET (and with more hidden variables ...)?

I understand your point about openness; it could be an option to only allow it after registration on the site, but that would then create another barrier ...
Have a nice day!
Carine Bruyndoncx

#4 kymation (Jim Keebaugh)

Posted 02 June 2012 - 11:16 PM

That doesn't look like much security. My browser is set to return HTTP_REFERER set to the current site, no matter what it is supposed to be. HTTP_X_REQUESTED_WITH is just another header field and can be altered by the sender as easily as HTTP_REFERER. Checking/scrubbing the data when it's received would be a better approach.

I have no idea why it's being sent as a GET. It's somewhat less secure that way. As I said, it doesn't look like security was a consideration in the design. Caveat emptor.

Regards
Jim
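To make Jim's two points concrete (store in the database rather than a writable flat file, from #2; validate and escape the data on receipt rather than trusting HTTP_REFERER or HTTP_X_REQUESTED_WITH, from #4) and to answer the GET-versus-POST question from #3 in code, here is an added example of what a hardened update.php could look like. It is not the Chat2 code from css-tricks and not part of this thread; the table name chat_messages, the room allow-list, the SQLite path, the form field names (room, name, message, token) and the session-token scheme are all assumptions, and it needs PHP 7.1 or later.

```php
<?php
// Added example, not the css-tricks Chat2 script: a message-receive endpoint
// that accepts POST only, ties each request to the visitor's own session with
// a token, validates the text itself, and stores it with prepared statements.
session_start();

const NAME_MAX = 30;
const MSG_MAX  = 500;
// Assumption: one room per supported language, as planned in post #1.
const ROOMS    = ['en', 'fr', 'nl', 'de'];

function db(): PDO
{
    // Assumption: SQLite file kept outside the web root, so it is never
    // directly fetchable even though the web server must be able to write it.
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite:' . __DIR__ . '/../data/chat.sqlite');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE IF NOT EXISTS chat_messages (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            room TEXT NOT NULL,
            name TEXT NOT NULL,
            body TEXT NOT NULL,
            created_at INTEGER NOT NULL)');
    }
    return $pdo;
}

// One random token per session; the page that serves the chat embeds it in
// chat.js and the script sends it back in every POST. Unlike a Referer or
// X-Requested-With header, a third-party page cannot read it.
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// Returns the cleaned string, or null when the value is unacceptable.
function clean_text(?string $value, int $max): ?string
{
    if ($value === null) {
        return null;
    }
    $value = trim($value);
    // Reject invalid UTF-8 and strip control characters so one message can
    // never split into several records or smuggle terminal escapes.
    if ($value === '' || !mb_check_encoding($value, 'UTF-8')) {
        return null;
    }
    $value = preg_replace('/[\x00-\x1F\x7F]/u', '', $value);
    if ($value === '' || mb_strlen($value, 'UTF-8') > $max) {
        return null;
    }
    return $value;
}

function fail(int $code, string $msg): void
{
    http_response_code($code);
    header('Content-Type: text/plain; charset=utf-8');
    echo $msg;
    exit;
}

// State-changing request: POST only (the answer to the GET question in #3).
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail(405, 'POST only');
}
if (!hash_equals(csrf_token(), (string)($_POST['token'] ?? ''))) {
    fail(403, 'bad token');
}
$room = clean_text($_POST['room'] ?? null, NAME_MAX);
$name = clean_text($_POST['name'] ?? null, NAME_MAX);
$body = clean_text($_POST['message'] ?? null, MSG_MAX);
if ($room === null || $name === null || $body === null) {
    fail(400, 'invalid input');
}
if (!in_array($room, ROOMS, true)) {
    fail(400, 'unknown room');
}

// Prepared statement: user text never becomes part of the SQL.
$stmt = db()->prepare(
    'INSERT INTO chat_messages (room, name, body, created_at) VALUES (?, ?, ?, ?)'
);
$stmt->execute([$room, $name, $body, time()]);

// Return the latest messages, escaped on output so stored text can never
// become markup or script in another visitor's chat window.
$rows = db()->prepare(
    'SELECT name, body FROM chat_messages WHERE room = ? ORDER BY id DESC LIMIT 20'
);
$rows->execute([$room]);
header('Content-Type: text/html; charset=utf-8');
foreach (array_reverse($rows->fetchAll(PDO::FETCH_ASSOC)) as $r) {
    printf("<p><strong>%s:</strong> %s</p>\n",
        htmlspecialchars($r['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
        htmlspecialchars($r['body'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}
```

The page that renders the chat box has to call csrf_token() itself and write the value into the JavaScript (or a hidden form field) so the POST can include it; a visitor who has not loaded the chat page has no valid token. The same clean_text() and htmlspecialchars() steps apply just as well if the messages stay in a text file, which is the heart of Jim's point: the check belongs on the data that arrives, not on headers the sender controls.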