The search box (only thing I looked at, first thing everyone will try) is vulnerable to cross-site scripting; it checks client-side for non-alphanumeric characters, but if I submit the form directly through a proxy, I can get a results page with a JavaScript popup on it.
It looks like I can read any message sent between users on the system. When you read messages, your backend locates the messages using a client-specified "mid" parameter. I sent a message to myself; it wound up with "mid" 51. 50, 49, 48 --- the system didn't generate errors when I tried to view them, but didn't show any content either. But when I asked for message ID 47, and clicked "forward" on the "empty" message, the message content textbox was populated. Ouch.
You may have some work to do on security before you start clearing transactions. Let me know if you'd like some advice.
Two other notes:
* Wow, signing up for an account was painful. Why do you need so much info from me just to get an account name? Also, why on earth does your PHP app care how I enter a phone number? I used dashes instead of parens, and you rejected it. Ouch ouch ouch.
* Have a copywriter --- they're cheap --- run over the whole site and fix the grammar and spelling.
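The two findings in the post, a client-only input check on the search box and a message lookup keyed on a client-supplied "mid" with no ownership check, are shown below beside their fixes. This is an added example, not code from the site under review; the message store, user names and the `load_message_for` helper are constructed for illustration.

```python
from dataclasses import dataclass
from html import escape
from typing import Dict, Optional
import re

@dataclass(frozen=True)
class Message:
    mid: int
    sender: str
    recipient: str
    body: str

# Constructed sample store: mid 47 is a message between two other users,
# mid 51 is the tester's own note to self (mirrors the ids in the post).
MESSAGES: Dict[int, Message] = {
    47: Message(47, "alice", "bob", "wire details for the Q3 settlement"),
    51: Message(51, "tester", "tester", "note to self"),
}

def load_message_for(mid: int, user: str) -> Optional[Message]:
    """Single authorization point: a user may only load messages they sent
    or received. Every path (view, forward, reply) must go through here so
    that one path cannot populate what another path correctly hides."""
    msg = MESSAGES.get(mid)
    if msg is None or user not in (msg.sender, msg.recipient):
        return None
    return msg

def view(mid: int, user: str) -> str:
    msg = load_message_for(mid, user)
    return "" if msg is None else escape(msg.body)

def forward_prefill(mid: int, user: str) -> str:
    # Reuses the same check; the leak in the post was a forward path that
    # filled the textbox from a record the view path had declined to show.
    msg = load_message_for(mid, user)
    return "" if msg is None else escape(msg.body)

# Server-side counterpart of the client-side alphanumeric check.
SEARCH_RE = re.compile(r"[A-Za-z0-9 ]{1,64}")

def render_search(query: str) -> str:
    """Validate on the server and encode on output; the client-side check
    is bypassed by anyone who submits the form through a proxy."""
    if not SEARCH_RE.fullmatch(query):
        raise ValueError("invalid search query")
    return f"<p>Results for {escape(query, quote=True)}</p>"
```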