My Reprogrammed CMS System



#1 ryanfilard

Posted 15 March 2012 - 06:29 PM

Verification: http://goo.gl/yVLKm

Website: http://goo.gl/2aiey

Frontend Demo: http://goo.gl/UwHqS

Dashboard Demo: http://goo.gl/6Gr8X (Please don't delete the homepage.)
Username: admin
Password: pass

I just released the next major version of my CMS. I re-programmed it from the start because the previous version had too many bugs. Can you test it for errors? It would really help.

-Thanks
I host websites and development servers. PM me

#2 scootstah

Posted 16 March 2012 - 08:17 AM

I didn't spend too much time on this but you are definitely vulnerable to CSRF attacks and I'm pretty sure SQL injection as well.
while(!$succeed = try());

#3 ryanfilard

Posted 16 March 2012 - 02:05 PM

Before processing any SQL, if the user is not logged in it will not load the page.

#4 scootstah

Posted 16 March 2012 - 04:48 PM

I'm not sure which point you are responding to, but it doesn't apply to either.

Using SQL injection commands I am able to make your database throw an error, although I wasn't able to actually force a log in.

And I successfully exploited a CSRF vulnerability with the settings page in your admin panel, though it should apply everywhere as there is no CSRF protection. It doesn't matter if the user is not logged in, because that's not how CSRF works.
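
An added example (not Elemata CMS code, and not scootstah's) of the synchronizer-token protection the settings page lacks: a random per-session token is embedded in every state-changing form and verified on submit, and state changes are only accepted over POST. Assumes PHP 7+ (random_bytes, hash_equals) and the hypothetical field, file and handler names shown.

```php
<?php
// Added example (not Elemata CMS code): synchronizer-token CSRF protection for a
// state-changing admin form such as the settings page. Assumes the application's
// login handling has already established a session for the admin user.
declare(strict_types=1);

session_start();

// Issue one random token per session and reuse it, so several open admin tabs keep working.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Validate the token submitted with a POST. hash_equals() is a constant-time compare.
function csrf_check(array $post): bool
{
    $sent = $post['csrf_token'] ?? '';
    $real = $_SESSION['csrf_token'] ?? '';
    return is_string($sent) && $real !== '' && hash_equals($real, $sent);
}

// Render the hidden field that must be included in every <form method="post">.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Request handling for the (hypothetical) settings page: only POST may change
// state, and a POST without a valid token is refused before anything is saved.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    // ... apply the settings change here ...
}
?>
<form method="post" action="settings.php">
  <?= csrf_field() ?>
  <input type="text" name="site_title">
  <button type="submit">Save</button>
</form>
```

A token only helps for actions that require a POST body; a link such as the delete URL quoted later in this thread changes state on a plain GET, so that action also has to move into a POST form carrying this field.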

#5 Coreye

Posted 16 March 2012 - 09:34 PM

SQL Error:
http://2.0.demo.elematacms.com/?id='

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1


SQL Error:
http://2.0.demo.elem...t&type=page&id='

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1


SQL Error when deleting pages that don't exist:
http://2.0.demo.elem...ete&true=1&id=2

Warning: mysql_select_db(): supplied argument is not a valid MySQL-Link resource in /home/elemata/20demo/admin/content/delete.php on line 13


Full Path Disclosure:
http://2.0.demo.elem...com/?s=<h1>test

Notice: Undefined variable: row_settings in /home/elemata/20demo/functions/global.php on line 55

Warning: include(themes//search.php) [function.include]: failed to open stream: No such file or directory in /home/elemata/20demo/functions/global.php on line 55

Warning: include(themes//search.php) [function.include]: failed to open stream: No such file or directory in /home/elemata/20demo/functions/global.php on line 55

Warning: include() [function.include]: Failed opening 'themes//search.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/elemata/20demo/functions/global.php on line 55


Full Path Disclosure:
http://2.0.demo.elem...ons/replace.php

Warning: file_get_contents(includes/version.txt) [function.file-get-contents]: failed to open stream: No such file or directory in /home/elemata/20demo/functions/replace.php on line 5

Warning: file_get_contents(includes/login.html) [function.file-get-contents]: failed to open stream: No such file or directory in /home/elemata/20demo/functions/replace.php on line 5

Warning: file_get_contents(includes/clientip.php) [function.file-get-contents]: failed to open stream: No such file or directory in /home/elemata/20demo/functions/replace.php on line 5


Full Path Disclosure:
http://2.0.demo.elem...t/dashboard.php

Fatal error: Call to undefined function stats_unique_today() in /home/elemata/20demo/admin/content/dashboard.php on line 4


Full Path Disclosure:
http://2.0.demo.elem...t/edit_page.php

Warning: include(../Connections/default.php) [function.include]: failed to open stream: No such file or directory in /home/elemata/20demo/admin/content/edit_page.php on line 1

Warning: include(../Connections/default.php) [function.include]: failed to open stream: No such file or directory in /home/elemata/20demo/admin/content/edit_page.php on line 1

Warning: include() [function.include]: Failed opening '../Connections/default.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/elemata/20demo/admin/content/edit_page.php on line 1
Access Denied


Full Path Disclosure:
http://2.0.demo.elem...ntent/pages.php

Fatal error: Call to undefined function total_pages() in /home/elemata/20demo/admin/content/pages.php on line 3


Full Path Disclosure:
http://2.0.demo.elem...nt/settings.php

Warning: include(../Connections/default.php) [function.include]: failed to open stream: No such file or directory in /home/elemata/20demo/admin/content/settings.php on line 1

Warning: include(../Connections/default.php) [function.include]: failed to open stream: No such file or directory in /home/elemata/20demo/admin/content/settings.php on line 1

Warning: include() [function.include]: Failed opening '../Connections/default.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/elemata/20demo/admin/content/settings.php on line 1

Warning: mysql_select_db(): supplied argument is not a valid MySQL-Link resource in /home/elemata/20demo/admin/content/settings.php on line 65

Warning: mysql_query(): supplied argument is not a valid MySQL-Link resource in /home/elemata/20demo/admin/content/settings.php on line 67


Full Path Disclosure:
http://2.0.demo.elem...tent/themes.php

Warning: include(../Connections/default.php) [function.include]: failed to open stream: No such file or directory in /home/elemata/20demo/admin/content/themes.php on line 4

Warning: include(../Connections/default.php) [function.include]: failed to open stream: No such file or directory in /home/elemata/20demo/admin/content/themes.php on line 4

Warning: include() [function.include]: Failed opening '../Connections/default.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/elemata/20demo/admin/content/themes.php on line 4

Warning: mysql_select_db(): supplied argument is not a valid MySQL-Link resource in /home/elemata/20demo/admin/content/themes.php on line 7

Warning: mysql_query() [function.mysql-query]: Access denied for user 'elemata'@'localhost' (using password: NO) in /home/elemata/20demo/admin/content/themes.php on line 8

Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/elemata/20demo/admin/content/themes.php on line 8

Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in /home/elemata/20demo/admin/content/themes.php on line 9

Warning: include(../themes//info.php) [function.include]: failed to open stream: No such file or directory in /home/elemata/20demo/admin/content/themes.php on line 12

Warning: include(../themes//info.php) [function.include]: failed to open stream: No such file or directory in /home/elemata/20demo/admin/content/themes.php on line 12

Warning: include() [function.include]: Failed opening '../themes//info.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/elemata/20demo/admin/content/themes.php on line 12

Warning: mysql_select_db(): supplied argument is not a valid MySQL-Link resource in /home/elemata/20demo/admin/content/themes.php on line 36

Warning: mysql_query(): supplied argument is not a valid MySQL-Link resource in /home/elemata/20demo/admin/content/themes.php on line 38
Access denied for user 'elemata'@'localhost' (using password: NO)


Directory Listing:
http://2.0.demo.elem....com/functions/

Directory Listing:
http://2.0.demo.elem.../admin/content/

Directory Listing:
http://2.0.demo.elem...om/Connections/

PHP Help Center - PHP Help and Security Testing. :)
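
Two of Coreye's findings share one root cause: the `?id='` value is concatenated into a query string built for mysql_query(), and PHP's warnings are rendered to the visitor, which is what leaks `/home/elemata/20demo/...`. An added example (not Elemata CMS code) of the page lookup done with a PDO prepared statement and with errors logged instead of displayed; table, column and credential names are assumptions.

```php
<?php
// Added example (not Elemata CMS code): a page lookup that binds ?id= as a
// parameter instead of splicing it into SQL, and keeps database and PHP errors
// out of the response so a bad id neither alters the query nor reveals paths.
declare(strict_types=1);

// Never render PHP warnings to visitors; log them server-side instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

function db(): PDO
{
    // Credentials are assumed; in a deployment load them from outside the web root.
    return new PDO('mysql:host=localhost;dbname=cms;charset=utf8mb4', 'cms_user', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// Look up a page by id. The id is validated and bound as an integer, so a stray
// quote cannot change the statement; a non-numeric value is treated as "not found".
function load_page(PDO $pdo, string $rawId): ?array
{
    if (!ctype_digit($rawId)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, title, body FROM pages WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$rawId = isset($_GET['id']) && is_string($_GET['id']) ? $_GET['id'] : '';

try {
    $page = load_page(db(), $rawId);
} catch (PDOException $e) {
    error_log('page lookup failed: ' . $e->getMessage()); // details stay in the log
    $page = null;
}

if ($page === null) {
    http_response_code(404);  // same generic response for a bad id and a missing page
    exit('Page not found.');
}
echo '<h1>' . htmlspecialchars($page['title'], ENT_QUOTES, 'UTF-8') . '</h1>';
```

The directory listings in the same post are a web-server setting rather than PHP; on Apache, `Options -Indexes` in the site configuration or an `.htaccess` file turns them off.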


#6 Ryanify

Posted 27 April 2012 - 06:00 PM

I found a lot.
Took around 10 minutes.
if ($human->ryan == true) {
echo "Yay I'm alive!";
} else {
die("Could not find human.");
}

#7 ryanfilard

Posted 29 April 2013 - 03:01 PM

I am currently working on a newer version with a few other programmers. We fixed a lot of bugs and added a few features. It's not available for download yet, but if you would like to see the progress: http://elemata.com



#8 SocialCloud

Posted 01 May 2013 - 08:20 AM

Not necessarily related, but...


XSS via search box. Search query is output onto the page without filtering. SQL injection via home page URL: index.php?id='


Couldn't help but try and see if you had an admin/ directory... and you did... and your username field is vulnerable to XSS.


Edited by SocialCloud, 01 May 2013 - 08:22 AM.


#9 ryanfilard

Posted 01 May 2013 - 03:48 PM

Thanks for pointing the injection out, so I guess now I will add strip_tags to those form fields.


Edited by ryanfilard, 01 May 2013 - 03:49 PM.


#10 darkfreaks

Posted 30 June 2013 - 12:54 AM

You still have XSS injection. I suggest you output everything with htmlspecialchars().
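
An added illustration (not the CMS's code) of the difference between the two fixes proposed in the last replies: strip_tags() on input only removes tags, so a value containing nothing but a quote passes through and can break out of an attribute, whereas htmlspecialchars() with ENT_QUOTES applied at output time encodes every value correctly for both text and attribute contexts. The search form and the sample inputs are constructed for the example.

```php
<?php
// Added example (not Elemata CMS code): output encoding of the search term
// that the thread reports being echoed back unfiltered. The term appears twice
// in the rendered page, once inside an attribute and once as text.
declare(strict_types=1);

// Encode for HTML text and attribute contexts. ENT_QUOTES also escapes the
// single quote, which strip_tags() and the default flags leave untouched.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The search box and result heading, with every dynamic value passed through e().
function render_search(string $query): string
{
    return '<form method="get"><input type="text" name="s" value="' . e($query) . '"></form>'
         . '<p>Results for ' . e($query) . '</p>';
}

// Constructed inputs: the first is the <h1>test probe from Coreye's post; the
// second contains no tag at all, so strip_tags() returns it unchanged.
$probes = [
    '<h1>test',
    'shoes" data-x="',   // a stray quote is enough to leave the value="" attribute
];

foreach ($probes as $q) {
    echo "input:            " . $q . "\n";
    echo "strip_tags:       " . strip_tags($q) . "\n";   // second probe: unchanged
    echo "htmlspecialchars: " . e($q) . "\n";            // quotes become &quot;
    echo render_search($q) . "\n\n";
}
```

For the first probe strip_tags() gives `test` while e() gives `&lt;h1&gt;test`; for the second, strip_tags() returns the input unchanged and e() returns `shoes&quot; data-x=&quot;`, which stays inside the attribute.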
