
Coreye

Members
  • Posts: 537
Everything posted by Coreye

  1. Cross Site Scripting (XSS): You can submit ">code when editing your profile and it will execute on the members list and when viewing profiles.
  2. Anybody else getting redirected there when on the forums? <META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://xsaimex.net"> is in the code like 7 times...
  3. You could do something like
       if(!is_numeric($_GET['id'])) { $_GET['id'] = '1'; /* Set the default ID to 1 if a non-numeric character is used. */ }
     or
       if(!is_numeric($id)) { $id = '1'; /* Set the default ID to 1 if a non-numeric character is used. */ }
     depending on the method you use. I also PMed you another security issue.
  4. Cross Site Scripting (XSS): The 'Name' field is vulnerable to XSS attacks when editing a user's profile.
     Cross Site Scripting (XSS): The 'Website' field is vulnerable to XSS attacks when editing a user's profile.
     Cross Site Scripting (XSS): http://www.futurehost.org/search.php?q="><marquee><h1>test
     Cross Site Scripting (XSS): http://www.futurehost.org/index.php?note="><marquee><h1>test
     Cross Site Scripting (XSS): http://www.futurehost.org/mcenter.php?action=compose&name="><marquee><h1>test
     Cross Site Scripting (XSS): http://www.futurehost.org/mcenter.php?action=compose&subject="><marquee><h1>test
     Cross Site Scripting (XSS): http://www.futurehost.org/mcenter.php?note="><marquee><h1>test
     Cross Site Scripting (XSS): http://www.futurehost.org/editprofile.php?note="><marquee><h1>test
     Cross Site Scripting (XSS): http://www.futurehost.org/main.php?note="><marquee><h1>test
     Full Path Disclosure: http://www.futurehost.org/profile.php?id=a
  5. I don't see it. Do we have to log in to see it? I viewed the source and there is no PHPFreaks.com profile link. It would be best if it was on the index.
  6. Full Path Disclosure: http://www.mybbmultiforums.com/mvinstall2/down.php?id[]
     Full Path Disclosure: http://www.mybbmultiforums.com/mvinstall2/getartists.php?cat=Pop&sort[]
     Full Path Disclosure: http://www.mybbmultiforums.com/mvinstall2/profile.php?id[]
     Full Path Disclosure: http://www.mybbmultiforums.com/mvinstall2/befriend.php?friend[]
     Full Path Disclosure: http://www.mybbmultiforums.com/mvinstall2/deletecomment.php?id[]
     Full Path Disclosure: http://www.mybbmultiforums.com/mvinstall2/comments.php?id[]
     Full Path Disclosure: http://www.mybbmultiforums.com/mvinstall2/friends.php?page[]
     Full Path Disclosure: http://www.mybbmultiforums.com/mvinstall2/manageuploads.php?action[]
     Full Path Disclosure: http://www.mybbmultiforums.com/mvinstall2/gallery.php?id[]
     Full Path Disclosure: http://www.mybbmultiforums.com/mvinstall2/report.php?id[]
     Full Path Disclosure: http://www.mybbmultiforums.com/mvinstall2/listfriends.php?view[]
     Full Path Disclosure: http://www.mybbmultiforums.com/mvinstall2/pages.php?page[]
  7. Here's some information about it: http://googleblog.blogspot.com/2009/01/this-site-may-harm-your-computer-on.html.
  8. Seems to work now... it worked for a little bit earlier though also... then it started not working again.
  9. I'm getting the same thing :/. It just started a few minutes ago. When you visit the "Google's Safe Browsing diagnostic page" from the link they give it says
  10. Cross Site Scripting (XSS): You can submit ">code in the username when registering and it executes after you log in.
      Full Path Disclosure: http://twistablepie.servegame.com/cype/?cype=main&page=ranking&order=&job[]
      Full Path Disclosure: http://twistablepie.servegame.com/cype/sources/public/ranking.php
      Full Path Disclosure: http://twistablepie.servegame.com/cype/sources/public/news.php
      Full Path Disclosure: http://twistablepie.servegame.com/cype/sources/public/events.php
      Full Path Disclosure: When you press submit on http://twistablepie.servegame.com/cype/sources/public/register.php
      Full Path Disclosure: When you press submit on http://twistablepie.servegame.com/cype/sources/public/login.php
      Full Path Disclosure: http://twistablepie.servegame.com/cype/sources/public/members.php
      Full Path Disclosure: http://twistablepie.servegame.com/cype/?cype=main&page=members&name[]
      Full Path Disclosure: http://twistablepie.servegame.com/cype/?cype=main&page=news&id[]
      Full Path Disclosure: http://twistablepie.servegame.com/cype/sources/public/banned.php
  11. Is the forum down on purpose or are you going to use third party software for it?
  12. When I made that post I didn't see any link to your profile on there. Either way, the above link is no longer active so this post can be marked as solved and locked.
  13. Please read this thread: http://www.phpfreaks.com/forums/index.php/topic,232470.0.html.
  14. It's kind of hard to critique a website when we don't know the link of the website you want us to look at.
  15. Full Path Disclosure: http://testing.scriptingsource.com/admin/active.php?user[]
      Full Path Disclosure: http://testing.scriptingsource.com/admin/active.php?user=blocked&check[]
  16. I use http://www.hyperspin.com and http://www.siteuptime.com. Both are pretty good.
  17. From: http://www.phpfreaks.com/forums/index.php/topic,232470.0.html.
  18. Please follow this post: http://www.phpfreaks.com/forums/index.php/topic,231599.0.html. Thanks, Corey.
  19. Please follow this post: http://www.phpfreaks.com/forums/index.php/topic,231599.0.html. Thanks, Corey.
  20. Cross Site Scripting (XSS): You can submit ">code when you register and it will execute after you log in.
      Cross Site Scripting (XSS): http://websiteconstructionteam.com/phptesting/mobile-social-networking/profile.php?user="><marquee><h1>test
      Full Path Disclosure: http://websiteconstructionteam.com/phptesting/mobile-social-networking/newblog.php
      Full Path Disclosure: http://websiteconstructionteam.com/phptesting/mobile-social-networking/newmsg.php?to=
      Full Path Disclosure: http://websiteconstructionteam.com/phptesting/mobile-social-networking/inbox.php
  21. Please follow this post: http://www.phpfreaks.com/forums/index.php/topic,231599.0.html. Thanks, Corey.
  22. Do you have a test account we could use for testing purposes?
  23. Please follow this post: http://www.phpfreaks.com/forums/index.php/topic,231599.0.html. Thanks, Corey.