nakiami / mellivora Goto Github PK

Buttons are sometimes orange, sometimes blue. Either make them the same colour, or semantically differentiate the two types of button.

Another example is on the admin page

If there is an admin colour, make sure "Manage" is formatted differently, as it is an admin action

Another instance:

Don't display the hints for the questions by default and allow the deduction of points if a hint is displayed.

It would be a good to have partial/full grading depending on time of answer submission so that the first answer gets full credit, second gets 90% credit, third places gets 75% credit and everyone else gets 50% credit. The percentages should be configurable in the Manage menus. This would help prevent ties.

See if the site design can be improved

I assume this is a pager? If so, it's not necessary on a single page

Icons will improve this menu

Also this menu

If there are no challenges or categories, I just get a blank page

It's not intuitive to have to leave the page to test an email.

If there are multiple correct submissions for the same challenge for the same user, the user will get extra points for them. For example, if they have 3 answers marked correct for the same 50 point question, they will get 150 points instead of the 50 points they should get.

Repro:
Answer a challenge incorrectly twice. Manually mark both submissions correct. View the scores, and the individual score page. The user got double points for the challenge.

Just wanted to say a huge thank you for developing this. You're awesome for making it easy to set up, run, and host CTFs. That and almost two years of using it to teach hundreds of ITsec students.

Plus I recently saw it in use at Bsides Conference CTF. Well done.

Sorry for the misplacement of this, couldn't find the appropriate twitter acc.

Kudos!

GFW is blocked us all in China.
Just like reCAPTCHA，jQuery.
i replace the CDN http://libs.baidu.com/jquery/1.9.1/jquery.min.js
but the reCAPTCHA.. only rewritten with another Service Provider

Just say the problem that I met..
i will try to solve it : )
btw, thx for your CTF engine.

Hello,

I found two issues in the pager( ) function of the layout.inc.php file. I wanted to fix them myself ("DIY!"), and make my first pull request on Github, but each time, I encountered problems when modifying and replacing the file.

• A XSS vulnerability on the "Search" module, because $base_url is not filtered, i.e. with htmlspecialchars.

• Each time the Next or Prev buttons are clicked, $base_url is duplicated (2x then 4x 8x etc.)

... which, when we keep clicking on the Next button, leads to a very very long URI.

Steps to reproduce:

1. Create an account.
2. Enable 2FA.
3. Attempt to change password.
4. Enter OTP when prompted.

Expected result:

"Success" notification.

Actual result:

No notification. Upon logging out, old password works, new password does not.

This is made more problematic by not being able to disable 2FA from the user interface, and therefore having to disable 2FA via MySQL commands, then change the pw, then re-enable 2FA.

Most important date of post should be included. Author would also be useful.

In addition, news items need adequate padding.

Hey,

There is a logic bug in allowed_email() that prevents email rules from actually being enforced.

If email does not match any rule then email will be allowed because $allowedEmail is initialized to true.

When you save you immediately start editing. It's more likely that I want to see a preview, and then maybe edit it again afterwards.

Make sure there's an admin link back to edit the news item afterwards

Needs some client side and (and server side?) validation on date inputs

Also a date picker would be nice

Warning: get_browser(): browscap ini directive not set in /.../mellivora/include/general.inc.php on line 157

mellivora.sql

Line 84: code varchar(10) unsigned NOT NULL,

varchar should not be unsigned? Errors out in MySQL on import.

A disabled user can still make submissions. They cannot login, but they can still see the challenges and get points.

Repro:

• User: Register a new user.
• User: Login.
• Administrator: Login in another browser
• Administrator: Uncheck the "enabled" checkbox for the user and save.
• User: Submit an answer. View challenges. Etc.

Expected: User cannot make submissions since their account is not enabled.
Actual: User can make submissions.

how's add challenges? if possible please give me a little bit about the basis of the data on it! thank you

Num -> Number

hi,.. i'm just finished install mellivora, but there is an error at image below :

i'm using ubuntu mate for raspberry pi 2. Version php, mysql, apache2 no problem.
What i should do fix problem about " Caught exception connecting to database "
Thanks for response

I just spent like seven hours solving this, I'm better than awesome man

Most forms would benefit from some limits on content (for example, you can create a completely blank category)

It doesn't tell me much, and doesn't go away

Only 1 challenge is being showed on /challenges and submission button is not visible.

Challenge management

Challenge page
Only 1 challenge showed on this category, "Submission button is also missing"

Not sure if this is a bug or it has something to do with some settings.

Site exceptions store and record user credentials. Moderators can then see the list...Any possibility of a 'Clear Exceptions' functionality?

Even though it's CTF, it took me a while to figure out what was meant to go in here:

Automark could also be clearer

If there are multiple correct submissions to the same challenge by the same user, a persistent misleading SQL exception occurs. This does not happen for multiple incorrect submissions. The exception occurs while rendering the Challenges page, while attempting to render the challenge that has multiple correct submissions. The exception causes the user to be unable to view challenges in the same category that happen after the one with multiple correct submissions.

Exception text:

SQLSTATE[HY000]: General error: 2014 Cannot execute queries while other unbuffered queries are active. Consider using PDOStatement::fetchAll(). Alternatively, if your code is only ever going to run against mysql, you may enable query buffering by settin

Exception Trace:

    0 /var/www/mellivora/include/db.inc.php(179): PDOStatement->fetchAll(2) #1 /var/www/mellivora/include/db.inc.php(158): db_query('? SELECT? ...', Array, true) #2 /var/www/mellivora/htdocs/challenges.php(131): db_query_fetch_all('? SELECT? ...', Array) #3 {main}

Repro:
There are multiple ways that this can occur.

1. Setting a problematic question to manual grading. Then I marked as correct multiple correct answers from the same user. This is how I think it first showed up in our CTF.
2. Timing / race condition. Because we had 170 people participate in the CTF, sometimes it took a second for the server to respond. I don't know for sure, but I think we ran into this when they clicked multiple times on submit.
3. Merging accounts. Because of various problems some accounts needed to be merged. To merge them I did manual SQL to update the user_id in the submissions table so that the submissions came from the merged user, and deleted the old user. Again this caused multiple correct submissions for the same challenge and user.
4. Manual Repro. Just go into the database and insert multiple correct answers for the same user and challenge.

Fix:
Not sure yet. It should be easy to reproduce but I haven't looked at the code yet.

I noticed in a recent cleanup the SSL options were removed; is this functionality implemented elsewhere or for the user to input manually?

The cheat sheet for the bbcode section could be formatted more nicely

I recently did an "do-release-upgrade" on a Ubuntu 14.04 box with working mellivora installed and running. After the upgrade complete it was not working. I had issues then with php and MySQL not working when tyring to go to the website I had setup. After the update I had to reinstall php which installed php7.0 vs php5 , and then enable php7.0 in apache2 with a2enmod php7.0. After that the I was still having an error with mbstring and apache, which then I installed php7.0-mbstring things starting to work at least for showing the pages, but I got an MySQL error on the main page saying it cant connect to the Database. I then installed php-mysql and it started to work again.

I started to do some testing and now I am getting errors when I try to add a new challenge
[Mon Aug 22 10:34:04.146537 2016] [:error] [pid 4889] [client 192.168.153.131:47370] PDOException: SQLSTATE[HY000]: General error: 1366 Incorrect integer value: '' for column 'points' at row 1 in /var/www/mellivora/include/db.inc.php:41\nStack trace:\n#0 /var/www/mellivora/include/db.inc.php(41): PDOStatement->execute(Array)\n#1 /var/www/mellivora/htdocs/admin/actions/new_challenge.php(34): db_insert('challenges', Array)\n#2 {main}, referer: http://192.168.153.131/admin/new_challenge.php?category=8

It looks like some validation checking happening and it is failing if you don't fill in everything in the form. If you enter items into all the text boxes it seems to work fine. I checked the database and it does have the default values listed, but it seems like there is some validation checking going on.

To fix the issue I edited the php code in the new_challenge.php to match the "defaults" expected in the DB. After doing that it works ok.

I would like to suggest that you add a default value page for category and challenges on the manage page. This way you could also set some of the values like available from and until for questions. It also would fill in the page with defaults when you load it too.

Thanks for all the work on mellivora also.

l

I have to navigate back to actually do anything after failing to confirm category deletion

There is no 'Relies on' field in 'new challenge' page. So, 'relies_on' field did not have default value and creating new challenge without that field produce error because of there is no default value for this field and value for this field was not provide.

We were trying to translate the interface to Spanish but there are some issues that imply rewriting too much code making updates being crazy. Although we have translated the whole interface to Spanish, we feel it would be interesting to upload those texts onto some sort of .xml files to let the language be selected by the user in their profile page for instance. Is anyone working on something similar?

On first glance I have no idea what I'm creating

First thing I see after creating a category is the option to edit and delete it. Delete has a big fat warning. I instantly think I did something wrong, but apparently it worked.

Is there a way to allow multiply correct answers for a question? I would like to ask something like what windows program allows you to get the network address of a windows box at a command prompt? Then I would allow ipconfig, ipconfig.exe for the answers.

thanks

Once a user has logged in, they should be taken to the challenges page. There should be some help information instructing them what to do.

Feature request or its already present?

Manage to enable / disable registration.

Thanks...

The buttons don't have adequate padding, and they're out of line on each line of text

In reference to issue #41, I get the same SQL exception if I have multiple ungraded answers as well. I have added the limit 1 to both subqueries (for ungraded as well as correct) and the error goes away. This seems like a bandaid though rather than a real solution.

Our business goal is to actually allow, somehow, multiple correct answers. For instance, "List all of the URLs where you found the correct answer to the challenge." For that sort of answer, there needs to be more than one correct answer, especially with social engineering research, and allowing multiple answers for partial credit (maybe 10 points for the question if you get all 10 URLs and 1 point for each valid answer) would be great.

When there are no challenges, there is a heap of whitespace

Maybe make a message or a blank slate that indicates that no challenges are available at the current time.