nelspruitdesign (New Members, 4 posts)
  1. This is the so-called vulnerability: the input fields. Does this make sense to anybody? This is the ISP's response to my query as to where they saw the vulnerability in the script:

     > Please check the following in xxxx.php:
     >
     > ```html
     > <strong>Social Media</strong><br />
     > Add your social media links here. <br />
     > Facebook Page: <input type="text" name="fb" /><br />
     > Twitter: <input type="text" name="twit" /><br />
     > Google Plus: <input type="text" name="plus" /><br />
     > Pinterest: <input type="text" name="pin" /><br />
     > You Tube: <input type="text" name="yout" /><br />
     > Linked In: <input type="text" name="linked" /><br />
     > Stumble Upon: <input type="text" name="stumb" /><br />
     > Flickr: <input type="text" name="flick" /><br />
     > ```
     >
     > The above allows the attacker to use a URL, for instance http://example.com/phpshell.php. When the form is submitted the malicious script will be fetched remotely. It is therefore advisable to exclude URLs from forms starting with http:// or ftp://. If you need to get a URL from your users, don't ask them for the full URL plus prefix; have them input "www.example.com" rather than "http://www.example.com", and add the schema prefix on the front programmatically if you need it. Please let us know should you have any additional queries or if we may be of any further assistance. Keep well and have a lovely day further :-)
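On the ISP's suggestion of taking a host without the prefix and adding the scheme in code, here is an added example (not from the post or the ISP) for the social media fields above; the per-field host lists and the normalise_link() function are assumptions. A URL stored as text is not fetched by the server on its own; that only happens if a script later hands the value to include, require or a file function.

```php
<?php
// Added example (not from the original post or the ISP): accept a social-media link
// as "host/path" without a scheme, validate it, and add "https://" programmatically.
// Field names are the form's; the host lists and this function are assumptions.

function normalise_link(string $raw, array $allowed_hosts): ?string
{
    $raw = trim($raw);
    if ($raw === '') {
        return null;                                  // optional field left empty
    }
    // Reject anything that already carries a scheme ("http://", "ftp://", "javascript:")
    // or a protocol-relative "//"; a "host:port" form is rejected by the same test.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $raw) || substr($raw, 0, 2) === '//') {
        return null;
    }
    $parts = parse_url('https://' . $raw);            // add the scheme ourselves, then split
    if ($parts === false || !isset($parts['host']) || isset($parts['user'])) {
        return null;                                  // no host, or a "user@host" trick
    }
    $host = strtolower($parts['host']);
    if (!in_array($host, $allowed_hosts, true)) {     // exact match: extra labels fail
        return null;
    }
    $path = $parts['path'] ?? '/';
    // Conservative path character set; query string and fragment are dropped.
    if (!preg_match('#^/[A-Za-z0-9._~/%+-]*$#', $path)) {
        return null;
    }
    return 'https://' . $host . $path;
}

// Which hosts each field may point at (assumed lists; extend per network).
$link_hosts = [
    'fb'     => ['www.facebook.com', 'facebook.com'],
    'twit'   => ['twitter.com', 'www.twitter.com'],
    'linked' => ['www.linkedin.com', 'linkedin.com'],
    'yout'   => ['www.youtube.com', 'youtube.com'],
];

$links = [];
foreach ($link_hosts as $field => $hosts) {
    // null means "leave the column NULL"; a string is a clean https:// URL
    $links[$field] = normalise_link((string)($_POST[$field] ?? ''), $hosts);
}
```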
  2. According to my ISP this script is vulnerable to a Remote File Injection attempt. I have sanitised all inputs and validated the inputs that are required. Can an input be validated and allowed to be NULL? What do I need to do to make this script bulletproof? Also, can anyone recommend a good supplier of VPS hosting services at reasonable prices that is not going to break my scripts with continuous changes to the server? Please help.

```php
<?
$logged = $_COOKIE["logged"];
$aka = $_COOKIE["aka"];
$suid = $_COOKIE["suid"];
if ($logged == 'yes') {
?>
<script type="text/javascript">
function checkForm(form) {
    // validation fails if the input is blank
    if (form.dsho.value == '') {
        alert("Error: Short Description is required!");
        form.dsho.focus();
        return false;
    }
    if (form.metad.value == '') {
        alert("Error: metad is required!");
        form.metad.focus();
        return false;
    }
    if (form.titl.value == '') {
        alert("Error: a Title is required!");
        form.titl.focus();
        return false;
    }
    // validation was successful
    return true;
}
</script>
<?
// Every request field goes through the same chain. Entity strings reconstructed:
// the forum rendered the posted ones as bare characters.
$d = $_REQUEST["cat"];
$d = mysql_real_escape_string($d);
$d = str_replace("&", "&amp;", $d);
$d = str_replace("'", "&#39;", $d);
$d = str_replace("\"", "&quot;", $d);
$d = str_replace("+", "&#43;", $d);
$dsho = $_REQUEST["dsho"];
$dsho = mysql_real_escape_string($dsho);
$dsho = str_replace("&", "&amp;", $dsho);
$dsho = str_replace("'", "&#39;", $dsho);
$dsho = str_replace("\"", "&quot;", $dsho);
$dsho = str_replace("+", "&#43;", $dsho);
$titl = $_REQUEST["titl"];
$titl = mysql_real_escape_string($titl);
$titl = str_replace("&", "&amp;", $titl);
$titl = str_replace("'", "&#39;", $titl);
$titl = str_replace("\"", "&quot;", $titl);
$titl = str_replace("+", "&#43;", $titl);
$metad = $_REQUEST["metad"];
$metad = mysql_real_escape_string($metad);
$metad = str_replace("&", "&amp;", $metad);
$metad = str_replace("'", "&#39;", $metad);
$metad = str_replace("\"", "&quot;", $metad);
$metad = str_replace("+", "&#43;", $metad);
$tag = $_REQUEST["tag"];
$tag = mysql_real_escape_string($tag);
$tag = str_replace("&", "&amp;", $tag);
$tag = str_replace("'", "&#39;", $tag);
$tag = str_replace("\"", "&quot;", $tag);
$tag = str_replace("+", "&#43;", $tag);
$fb = $_REQUEST["fb"];
$fb = mysql_real_escape_string($fb);
$fb = str_replace("&", "&amp;", $fb);
$fb = str_replace("'", "&#39;", $fb);
$fb = str_replace("\"", "&quot;", $fb);
$fb = str_replace("+", "&#43;", $fb);
$twit = $_REQUEST["twit"];
$twit = mysql_real_escape_string($twit);
$twit = str_replace("&", "&amp;", $twit);
$twit = str_replace("'", "&#39;", $twit);
$twit = str_replace("\"", "&quot;", $twit);
$twit = str_replace("+", "&#43;", $twit);
$plus = $_REQUEST["plus"];
$plus = mysql_real_escape_string($plus);
$plus = str_replace("&", "&amp;", $plus);
$plus = str_replace("'", "&#39;", $plus);
$plus = str_replace("\"", "&quot;", $plus);
$plus = str_replace("+", "&#43;", $plus);
$flick = $_REQUEST["flick"];
$flick = mysql_real_escape_string($flick);
$flick = str_replace("&", "&amp;", $flick);
$flick = str_replace("'", "&#39;", $flick);
$flick = str_replace("\"", "&quot;", $flick);
$flick = str_replace("+", "&#43;", $flick);
$pin = $_REQUEST["pin"];
$pin = mysql_real_escape_string($pin);
$pin = str_replace("&", "&amp;", $pin);
$pin = str_replace("'", "&#39;", $pin);
$pin = str_replace("\"", "&quot;", $pin);
$pin = str_replace("+", "&#43;", $pin);
$yout = $_REQUEST["yout"];
$yout = mysql_real_escape_string($yout);
$yout = str_replace("&", "&amp;", $yout);
$yout = str_replace("'", "&#39;", $yout);
$yout = str_replace("\"", "&quot;", $yout);
$yout = str_replace("+", "&#43;", $yout);
$stumb = $_REQUEST["stumb"];
$stumb = mysql_real_escape_string($stumb);
$stumb = str_replace("&", "&amp;", $stumb);
$stumb = str_replace("'", "&#39;", $stumb);
$stumb = str_replace("\"", "&quot;", $stumb);
$stumb = str_replace("+", "&#43;", $stumb);
$linked = $_REQUEST["linked"];
$linked = mysql_real_escape_string($linked);
$linked = str_replace("&", "&amp;", $linked);
$linked = str_replace("'", "&#39;", $linked);
$linked = str_replace("\"", "&quot;", $linked);
$linked = str_replace("+", "&#43;", $linked);
$profile = $_REQUEST["profile"];
$profile = mysql_real_escape_string($profile);
$profile = str_replace("&", "&amp;", $profile);
$profile = str_replace("'", "&#39;", $profile);
$profile = str_replace("\"", "&quot;", $profile);
$profile = str_replace("+", "&#43;", $profile);

$spc = date("y/m/d", strtotime("+3 day"));
include ("../constants/constants.php");
$title = $dtitle;
$tags = $dtags;
$metadesc = $dmetadesc;
include ("../constants/header.php");

$sqlq = "SELECT * FROM xxxx WHERE id='".$suid."' LIMIT 0,1";
$objRS = mysql_query($sqlq);
while ($row = mysql_fetch_array($objRS, MYSQL_ASSOC)) {
    $ident = $row['id'];
    $addon = $row['addon'];
}
?>
<div id="contenti">
<div id="contwrap">
<div id="iwrap1">
<?
if ($dsho != NULL) {
    // content weighting: points per filled-in field
    $addon = $addon + 5;
    if ($profile != NULL) { $addon = $addon + 3; }
    if (strlen($profile) > 250) { $addon = $addon + 3; }
    if (strlen($profile) > 500) { $addon = $addon + 3; }
    if ($dsho != NULL) { $addon = $addon + 2; }
    if ($titl != NULL) { $addon = $addon + 2; }
    if ($tag != NULL) { $addon = $addon + 2; }
    if ($fb != NULL) { $addon = $addon + 1; }
    if ($twit != NULL) { $addon = $addon + 1; }
    if ($flick != NULL) { $addon = $addon + 1; }
    if ($plus != NULL) { $addon = $addon + 1; }
    if ($stumb != NULL) { $addon = $addon + 1; }
    if ($yout != NULL) { $addon = $addon + 1; }
    if ($pin != NULL) { $addon = $addon + 1; }
    if ($linked != NULL) { $addon = $addon + 1; }
    $upd = "UPDATE xxxx SET fb='".$fb."', twitter='".$twit."', plus='".$plus."', linked='".$linked."', youtube='".$yout."', flickr='".$flick."', stumble='".$stumb."', pinterest='".$pin."', Description='".$profile."', Dshort='".$dsho."', Title='".$titl."', Metadesc='".$metad."', MetaTag='".$tag."', econf='1', status='1', addon='".$addon."' WHERE id=".$suid;
    mysql_query($upd);
    $inserter = "INSERT INTO xxxx (co, sc) VALUES ('".$suid."', '".$d."')";
    mysql_query($inserter);
?>
<div id="iwrap1d">
<h2>Success</h2>
Some text here
</div>
<div id="iwrap1e">
<h2>Entry Status</h2>
<?
    if ($addon >= '45') {
        echo "You have achieved the minimum content weighting and your profile is now published on xxxx";
    } else {
        echo "You have not yet achieved the minimum content weighting and your profile needs more work before it will be published. Your rating is ".$addon." percent, Click here to update more information";
    }
} else {
?>
<div id="iwrap1d">
Hi <? echo $aka; ?> Some text here
</div>
<div id="iwrap1e">
<h2>Update Profile</h2>
<h2>Update Company Details</h2>
Update your business details today. <br />
<form name="Update" action="xxxx.php" onsubmit="return checkForm(this);" method="post">
Short Description : <input type="text" name="dsho" /><br />
In 85 Characters describe your core business. <br /><br />
Title: <input type="text" name="titl" /><br /> <!-- the name must match $_REQUEST["titl"] and checkForm() -->
Up to 50 Characters What do you do and where? ie Plumber Nelspruit, Newts Drain and Plumb. <br /><br />
SEO Description: <input type="text" name="metad" /><br />
Up to 160 Characters Describe your core business using keywords, sentences not just keywords. <br /><br />
Tags: <input type="text" name="tag" /><br />
Up to 80 Characters Keywords that describe your service, comma separated ie Plumber, Drain cleaning, Plumbing Maintenance, Plumbing Installations, Tap repairs <br /><br />
<strong>Add Profile</strong><br />
No contact details, websites or email addresses to be added in this section. Type up a minimum of a 50 word Profile to describe the business and its services. Add a keyword list. <a href="examples.php" target="_blank">To see a few good examples click here</a><br />
<textarea cols="40" rows="10" name="profile"></textarea><br /><br />
Select Category: <select name="cat">
<?
$sqld = "SELECT * FROM xxxx ORDER BY Name ASC";
$objRd = mysql_query($sqld);
while ($rowd = mysql_fetch_array($objRd, MYSQL_ASSOC)) {
    $si = $rowd['id'];
    $sn = $rowd['Name'];
    echo "<option value=".$si.">".$sn."</option>";
}
?>
</select> <br />
<strong>Social Media</strong><br />
Add your social media links here. <br />
Facebook Page: <input type="text" name="fb" /><br />
Twitter: <input type="text" name="twit" /><br />
Google Plus: <input type="text" name="plus" /><br />
Pinterest: <input type="text" name="pin" /><br />
You Tube: <input type="text" name="yout" /><br />
Linked In: <input type="text" name="linked" /><br />
Stumble Upon: <input type="text" name="stumb" /><br />
Flickr: <input type="text" name="flick" /><br />
<input type="submit" value="Register" />
<?
}
?>
</div></div></div>
<?
include ("../constants/rnav.php");
} else {
?>
<div align="center">
<form name="Log_In" action="xxxx.php" method="post">
Username (email): <input type="text" name="uname" /><br />
Password <input type="password" name="upass" /><br />
<input type="hidden" name="ref" value="../submit/xxxx.php?a=<? echo $a; ?>/" />
<input type="submit" value="Log In" />
<?
}
?>
```
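To the question of whether an input can be validated and still be allowed to be NULL: yes. The added example below (not from the original post) applies the form's own limits (85, 50, 160 and 80 characters), treats an empty optional field as a valid NULL, and writes the same UPDATE through bound parameters, so the values never become part of the SQL text and the escaping chain is not needed; it assumes a PDO connection in $pdo and the logged-in id in $_SESSION['suid'], with 'xxxx' as the post's placeholder table name. HTML encoding belongs at output time (htmlspecialchars) rather than at input.

```php
<?php
// Added example (not from the original post): validate the profile form with
// required and optional fields, then UPDATE through bound parameters. Field names,
// the 85/50/160/80-character limits and the column names are the post's; $pdo,
// $_SESSION['suid'] and the 2000-character profile cap are assumptions.

// field => [required, max length]
$rules = [
    'dsho'  => [true, 85],   'titl'  => [true, 50],    'metad'  => [true, 160],
    'tag'   => [false, 80],  'profile' => [false, 2000],
    'fb'    => [false, 255], 'twit'  => [false, 255],  'plus'   => [false, 255],
    'pin'   => [false, 255], 'yout'  => [false, 255],  'linked' => [false, 255],
    'stumb' => [false, 255], 'flick' => [false, 255],
];

// Returns the cleaned values; an empty optional field is valid and comes back as null.
function validate_profile(array $input, array $rules, array &$errors): array
{
    $clean = [];
    foreach ($rules as $name => [$required, $max]) {
        $value = trim((string)($input[$name] ?? ''));
        if ($value === '') {
            if ($required) {
                $errors[] = "$name is required";
            }
            $clean[$name] = null;
            continue;
        }
        if (mb_strlen($value) > $max) {
            $errors[] = "$name may not exceed $max characters";
            continue;
        }
        $clean[$name] = $value;   // stored as typed; encode with htmlspecialchars() when displayed
    }
    return $clean;
}

$errors = [];
$v = validate_profile($_POST, $rules, $errors);
if ($errors !== []) { exit(htmlspecialchars(implode("\n", $errors), ENT_QUOTES)); }

$stmt = $pdo->prepare('UPDATE xxxx SET fb = :fb, twitter = :twit, plus = :plus, linked = :linked,
    youtube = :yout, flickr = :flick, stumble = :stumb, pinterest = :pin, Description = :profile,
    Dshort = :dsho, Title = :titl, Metadesc = :metad, MetaTag = :tag WHERE id = :id');
foreach ($v as $name => $value) {
    // PARAM_NULL turns an empty optional field into a real SQL NULL rather than ''
    $stmt->bindValue(':' . $name, $value, $value === null ? PDO::PARAM_NULL : PDO::PARAM_STR);
}
$stmt->bindValue(':id', (int)$_SESSION['suid'], PDO::PARAM_INT);   // id from the server-side session
$stmt->execute();
```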
  3. Jebus, I hate my ISP. I put it in a different directory and now it works. Exactly the same code in one directory does squat, and in another it gives me the results I want.
  4. Everything works except the cookies are not being set; any ideas? Error reporting says that headers have already been set, but I don't see it.

```php
<?
$uname = $_REQUEST["uname"];
$upass = $_REQUEST["upass"];
$ref = $_REQUEST["ref"];
// Entity strings reconstructed: the forum rendered the posted ones as bare characters.
$uname = str_replace("&", "&amp;", $uname);
$uname = str_replace("'", "&#39;", $uname);
$uname = str_replace("\"", "&quot;", $uname);
$uname = str_replace("+", "&#43;", $uname);
$upass = str_replace("&", "&amp;", $upass);
$upass = str_replace("'", "&#39;", $upass);
$upass = str_replace("\"", "&quot;", $upass);
$upass = str_replace("+", "&#43;", $upass);
if ($uname != NULL) {
    $username = "xxxx";
    $password = "xxxx";
    $database = "xxxx";
    $server = "xxxx";
    mysql_connect($server, $username, $password);
    @mysql_select_db($database) or die("Something is broken and needs fixing. Please contact us <a href=\"http://xxxx/contact..../contact.php\"> and report this</a>");
    $sqlq = "SELECT * FROM xxxx WHERE xxxx = '".$uname."' AND xxxx = '".$upass."' LIMIT 0,1";
    $objRS = mysql_query($sqlq);
    while ($row = mysql_fetch_array($objRS, MYSQL_ASSOC)) {
        $uname = $row["xxxx"];
        $suid = $row["xxxx"];
        $sname = $row["xxxx"];
        $upass = $row["xxxxx"];
    }
    $rows = mysql_num_rows($objRS);
    if (empty($rows)) {
        $title = "Log In";
        include ("../navigation/header.php");
?>
<div id="contenti">
<div id="contwrap">
<div id="iwrap1">
<h2> Log In Failed</h2>
The username or password is incorrect, please try again
<?
    } else {
        setcookie("suid", $suid, time()+14400);
        setcookie("aka", $sname, time()+14400);
        setcookie("logged", "yes", time()+14400);
        $title = "Log In";
        include ("../navigation/header.php");
?>
<div id="contenti">
<div id="contwrap">
<div id="iwrap1">
<?
        echo "You have successfully logged in. <a href=\"".$ref."\">Click here to return to the previous page</a>";
    }
} else {
    header('Location: ../index.php');
}
```
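For the "headers already sent" symptom: setcookie() and header() only work before the first byte of output, and headers_sent() can tell which file and line produced that output. The added example below (not from the original post) structures the login handler that way and keeps login state in a server-side session instead of a "logged=yes" cookie (a cookie value is chosen by the browser, so the script cannot treat it as proof of login); it assumes a PDO connection in $pdo, a pass_hash column holding password_hash() results, and 'xxxx' as the post's placeholder table name.

```php
<?php
// Added example (not from the original post): a login handler that does all of its
// session/header work before any output and, when output has already started, reports
// the file and line that produced it. $pdo, the column names and storing passwords as
// password_hash() results are assumptions; 'xxxx' is the post's placeholder table.

if (headers_sent($file, $line)) {
    // Typical causes: a byte-order mark or blank line before the opening "<?php", or a
    // newline after a closing "?>" in an included file. Fail loudly instead of losing cookies.
    error_log("output already started in $file on line $line; cookies cannot be set");
    exit('Login is temporarily unavailable.');
}
session_start();                       // the session id cookie is the only client-side token

$uname = trim((string)($_POST['uname'] ?? ''));
$upass = (string)($_POST['upass'] ?? '');
if ($uname === '') {
    header('Location: ../index.php');  // still before any output, so this works
    exit;
}

// Look the user up with a bound parameter and compare the password hash server-side.
$stmt = $pdo->prepare('SELECT id, name, pass_hash FROM xxxx WHERE email = :u LIMIT 1');
$stmt->execute([':u' => $uname]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
$ok = $row !== false && password_verify($upass, $row['pass_hash']);

$title = 'Log In';
if (!$ok) {
    include '../navigation/header.php';      // output may start from here on
    echo '<h2>Log In Failed</h2>The username or password is incorrect, please try again';
    exit;
}

// Login state lives in the server-side session. A "logged=yes" cookie would be
// chosen by the browser, so the script must not read its login state from one.
session_regenerate_id(true);
$_SESSION['suid'] = (int)$row['id'];
$_SESSION['aka']  = $row['name'];

// The return link comes from a hidden field, so allow only a relative path on this site.
$ref = (string)($_POST['ref'] ?? '');
if ($ref === '' || preg_match('~^([a-z][a-z0-9+.-]*:|//)~i', $ref)) {
    $ref = '../index.php';
}
include '../navigation/header.php';
echo 'You have successfully logged in. <a href="' . htmlspecialchars($ref, ENT_QUOTES)
   . '">Click here to return to the previous page</a>';
```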