Coreye

Should add if( basename( __FILE__ ) == basename( $_SERVER['PHP_SELF'] ) ) { exit(); } or defined('DIRECT_ACCESS') || die("Don't access this file directly."); At the top of admin.php.

Full Path Disclosure: http://76.98.141.11/game/index.php?act[] Full Path Disclosure - SQL Error: http://76.98.141.11/game/index.php?act=profile&id=' Full Path Disclosure: http://76.98.141.11/game/index.php?act=profile&id[] SQL: http://76.98.141.11/game/index.php?act=profile&id=a Full Path Disclosure: http://76.98.141.11/game/index.php?act=report&id[] Full Path Disclosure: http://76.98.141.11/game/admin.php

Full Path Disclosure: http://versatilebb.com/demo/forum.php?target=/ Cross Site Scripting: http://versatilebb.com/demo/index.php?target=profile&select=%22%3E%3Cmarquee%3E%3Ch1%3ECorey Cross Site Scripting: Theres Cross Site Scripting if your post contains ">code. Cross Site Scripting: Theres Cross Site Scripting when editing your profile if field 'Email:' contains ">code. Cross Site Scripting: Theres Cross Site Scripting when editing your profile if field 'Email repeat' contains ">code. Cross Site Scripting: Theres Cross Site Scripting when editing your profile if field 'Homepage' contains ">code. Cross Site Scripting: Theres Cross Site Scripting when editing your profile if field 'ICQ:' contains ">code. Cross Site Scripting: Theres Cross Site Scripting when editing your profile if field 'AIM:' contains ">code. Cross Site Scripting: Theres Cross Site Scripting when editing your profile if field 'Yahoo:' contains ">code. Cross Site Scripting: Theres Cross Site Scripting when editing your profile if field 'MSN:' contains ">code. Cross Site Scripting: Theres Cross Site Scripting when editing add a forum board if the name or description contains ">code.

Try: <?php $con = mysql_connect("localhost","user","pass"); if (!$con) { die('Could not connect: ' . mysql_error()); }mysql_select_db("database", $con); mysql_query("UPDATE `private_messages` SET `read`='Yes' WHERE `id`='" . $_GET['id'] . "')or die(mysql_error()); mysql_close($con); ?>

Full Path Disclosure: http://www.empirecrest.com/security-image.php?width=/

Do XXXXX for the links as I requested please. . and Rohan Shenoy, I'm just BETA testing this for someone. I have there permission though. Thanks for finding some, Corey

Known Bug: Array: XXXXXXXX.com/register.php?r[]

Hey guys, I need you to try and find all the vulnerabilities and security holes you can on this site: http://tinyurl.com/2oxrx6. There is many forms and other features to test for holes. Let me know if you find anything. If you do find anything, please do XXXXX for the links. If you don't want to register you can use these. I would prefer you register and test the register form for vulnerabilities as well as the rest of the site. Username: demo Password: demopass Thanks, Corey

Cross Site Scripting vulnerabilities have nothing to do with captcha or spamming problems. Cross Site Scripting is commonly known as XSS for short. You should search Google on what can happen if you leave your site open to XSS attacks. As for "User Enumeration" read this: http://www.securityspace.com/smysecure/catid.html?id=10766.

You can create really long tags that end up stretching the page. You can enter blank inputs for the Author, Tags and Caption fields.

I tested www.verjaardagscadeau.com. Cross Site Scripting: There is Cross Site Scripting when you register if the fields contains ">code. Full Path Disclosure: http://verjaardagscadeau.com/sites/default/pages/cadeau_bestellen.php Full Path Disclosure: http://verjaardagscadeau.com/sites/default/pages/checkout.php Full Path Disclosure: http://verjaardagscadeau.com/sites/default/pages/faq.php Full Path Disclosure: http://verjaardagscadeau.com/sites/default/pages/kiescadeau.php Full Path Disclosure: http://verjaardagscadeau.com/sites/default/pages/mijn_bestellingen.php Full Path Disclosure: http://verjaardagscadeau.com/sites/default/pages/mijn_gegevens.php Full Path Disclosure: http://verjaardagscadeau.com/sites/default/pages/vj_cld.php Full Path Disclosure: http://verjaardagscadeau.com/sites/default/pages/vj_invoeren_stap1.php Full Path Disclosure: http://verjaardagscadeau.com/sites/default/pages/vj_invoeren_stap2.php Full Path Disclosure: http://verjaardagscadeau.com/sites/default/pages/vj_list.php Full Path Disclosure: http://verjaardagscadeau.com/sites/default/pages/vj_viewcld.php Full Path Disclosure: http://verjaardagscadeau.com/sites/default/pages/vj_viewlist.php

Cross Site Scripting: http://www.rovexchange.com/forgotpasswd.php There is Cross Site Scripting if you enter a username that contains ">code.

Full Ptah Disclosure: http://livedemo.clip-bucket.com/includes/classes/TFile.php

Cross Site Scripting: You can submit ">code when registering.

People usually just reply in this section if there are holes. Anyways, I went there it worked for about 5 minutes.. then it stopped loading. Once it came back up I found some things you should work on. Includes Directory: http://www.osflv.com/wp-admin/includes/ Full Path Disclosure: http://www.osflv.com/wp-admin/admin-footer.php Full Path Disclosure: http://www.osflv.com/wp-admin/admin-functions.php Full Path Disclosure: http://www.osflv.com/wp-admin/menu-header.php Full Path Disclosure: http://www.osflv.com/wp-admin/includes/admin.php Full Path Disclosure: http://www.osflv.com/wp-admin/includes/file.php Full Path Disclosure: http://www.osflv.com/wp-admin/includes/misc.php Full Path Disclosure: http://www.osflv.com/wp-admin/includes/schema.php Full Path Disclosure: http://www.osflv.com/wp-admin/includes/update.php Full Path Disclosure: http://www.osflv.com/wp-admin/includes/upgrade.php Full Path Disclosure: http://www.osflv.com/wp-admin/includes/upload.php Full Path Disclosure: http://www.osflv.com/wp-admin/import/blogger.php Full Path Disclosure: http://www.osflv.com/wp-admin/import/blogware.php Full Path Disclosure: http://www.osflv.com/wp-admin/import/btt.php Full Path Disclosure: http://www.osflv.com/wp-includes/bookmark.php Full Path Disclosure: http://www.osflv.com/wp-includes/canonical.php Full Path Disclosure: http://www.osflv.com/wp-includes/registration-functions.php Full Path Disclosure: Full Path Disclosure: http://www.osflv.com/wp-includes/script-loader.php Full Path Disclosure: http://www.osflv.com/wp-includes/template-loader.php Full Path Disclosure: http://www.osflv.com/wp-includes/update.php Theres probably 100 more...

Cross Site Scripting: You can submit ">code on http://wiicharged.com/index.php?action=hubs;sa=join;

Cross Site Scripting: You can submit ">code on http://www.wiicharged.com/hubchat/popup.php and http://www.wiicharged.com/hubs/popup.php. Cross Site Scripting: You can submit ">code on http://www.wiicharged.com/hubchat/make.php and http://www.wiicharged.com/hubs/make.php.

For PHP help use this board; http://www.phpfreaks.com/forums/index.php/board,1.0.html.

Registration errors Full Path Disclosure still.

Hey, What are the spelling errors, besides 'uniqueue'? Thanks, Corey

Cross Site Scripting: There is Cross Site Scripting when you register if the fields contain ">code. Cross Site Scripting: There is Cross Site Scripting when you login if the fields contain ">code. Cross Site Scripting: There is Cross Site Scripting when editing your profile if the fields contain ">code.

All fixed. Thanks

Hey guys, Let me know what you find. Link: http://www.wikiproxy.net Thanks, Corey

Only thing that was fixed was; Full path Disclosure: http://tune.pk/view_channel.php?user=%3E All of the others still exist.

Full Path Disclosure: http://tune.pk/view_channel.php?user=%3E Warning: Cookie names can not contain any of the folllowing '=,; \t\r\n\013\014' (view_>) in /home/tuneepk/public_html/includes/classes/user.class.php on line 439