Awesome customized website for non - profit organization

Post links to sites running CMS in all its glory.
nyandres
Forum Members
Posts: 49
Joined: Mon Nov 01, 2010 7:04 pm

Awesome customized website for non - profit organization

Post by nyandres »

http://www.gmhi.org/

All of the content is easily editable through CMSMS. Most tags of each type have been styled so that adding content in a consistent-looking manner is a breeze. The gallery, using the gallery template, also makes adding a new image to the slider along with new text a breeze.

Let me know what you guys think.

By the way, I encourage all of you readers to donate. They are doing really good things for those in need.

These are the modules in use:

CGSimpleSmarty 1.4.8
Gallery 1.4.4
CGExtensions 1.26.3
FormBuilder 0.7
CGBlog 1.7.5
nyandres
Forum Members
Posts: 49
Joined: Mon Nov 01, 2010 7:04 pm

Re: Awesome customized website for non - profit organization

Post by nyandres »

I added a bit more polish to it.

Let me know what you guys think.
dwave
Forum Members
Posts: 39
Joined: Mon Aug 13, 2007 11:15 am
Location: Israel

Re: Awesome customized website for non - profit organization

Post by dwave »

nyandres,
FormBuilder is vulnerable to XSS attacks.

You must fix this problem in FormBuilder's templates or not use FormBuilder at all, because the default settings are highly unsafe.

A nice little demo on request.

Best regards,
David
M@rtijn
Power Poster
Posts: 706
Joined: Sat Nov 14, 2009 4:54 pm
Location: the Netherlands

Re: Awesome customized website for non - profit organization

Post by M@rtijn »

dwave wrote: the default settings are highly unsafe.
Care to explain?
Make your community a better place!
dwave
Forum Members
Posts: 39
Joined: Mon Aug 13, 2007 11:15 am
Location: Israel

Re: Awesome customized website for non - profit organization

Post by dwave »

Sure.

Almost every variable in the Submission template of the default template set is unsafe and susceptible to Cross-Site Scripting attacks.

The fix would be not to echo any user variables at all or to sanitize them first with PHP's strip_tags. And don't use Smarty's strip_tags, it's broken and also unsafe.

POC:


http://[domain].[tld]/index.php?mact=FormBuilder,cntnt01,default,0&cntnt01returnid=68&cntnt01fbrp_callcount=1&cntnt01form_id=5&cntnt01fbrp_continue=2&cntnt01fbrp_done=1&cntnt01fbrp__39=<h1><xss3&cntnt01fbrp__40=2&cntnt01fbrp__41=nil&cntnt01fbrp__42=nil&cntnt01fbrp__43=your@email.com&cntnt01fbrp__44=00000&cntnt01fbrp__47=</__body+onload=alert(document.cookie);cntnt01fbrp_submit=Sent
You'll have to adjust your variable names accordingly. You understand that I cannot post a working proof of concept here, but you get the idea.
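To illustrate the fix David describes, here is an added PHP example (not FormBuilder's or CMSMS's own code) that renders the same submitted field three ways: interpolated without encoding, encoded with htmlspecialchars, and stripped with strip_tags. The field value is constructed; in a Smarty template the counterpart of htmlspecialchars is the escape modifier.

```php
<?php
// Added example, not FormBuilder code: rendering one submitted field value
// into the form's result page. $field below is a constructed sample value.

// Unsafe: the value is interpolated into HTML without encoding, so a
// submitted "<h1>" or "<body onload=...>" is parsed as markup by the browser.
function render_unsafe(string $label, string $value): string {
    return "<p><strong>{$label}:</strong> {$value}</p>";
}

// Hardened: encode every user-supplied value for an HTML text context.
// ENT_QUOTES covers both quote characters; ENT_SUBSTITUTE avoids returning
// an empty string on invalid UTF-8 sequences.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_safe(string $label, string $value): string {
    return '<p><strong>' . esc($label) . ':</strong> ' . esc($value) . '</p>';
}

// Alternative suggested in the thread: strip tags before echoing. strip_tags
// removes markup but does not encode what remains, so anything placed inside
// an attribute or a script context should still be encoded as well.
function render_stripped(string $label, string $value): string {
    return '<p><strong>' . strip_tags($label) . ':</strong> ' . strip_tags($value) . '</p>';
}

// Constructed sample submission in the style of the PoC above.
$field = '<h1>hi</h1><body onload=alert(document.cookie)>';

echo render_unsafe('Name', $field), PHP_EOL;
echo render_safe('Name', $field), PHP_EOL;
echo render_stripped('Name', $field), PHP_EOL;
```

Running it shows that only the first line reaches the browser as live markup; the second is displayed literally and the third keeps just the text "hi".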
manuel
Power Poster
Posts: 353
Joined: Fri Nov 30, 2007 9:15 am

Re: Awesome customized website for non - profit organization

Post by manuel »

Hi Dwave,

So using "pretty URLs" would be secure?

Pretty URL example:
"http://www.domain.com/contact-us/"
After submitting the form, the URL stays the same.

PS: I don't think this matters, but no information the user submitted is being shown on the form result page.

Greetings,
Manuel
Aureli
Forum Members
Posts: 74
Joined: Wed Aug 06, 2008 10:48 pm

Re: Awesome customized website for non - profit organization

Post by Aureli »

Hi,
Nice site, but I can't use the Contact link in the main menu on the index page; it is on a second line behind the slider. I can use it on the other pages, even though it still appears on a second line.

I use a resolution of 1280x800 and FF.

All the best.
A.
Attachments: noContact.png