policosmos

  1. I'm working on an idea to grab data from a text file with a bunch of space-separated values that contains data from buoy reports at NOAA. Unlike their weather feeds, they don't serve up XML buoy data. Here's the file I'm trying to grab: http://www.ndbc.noaa.gov/data/realtime2/41004.spec

     I've tried several methods, and the one that seemed to have the most promise tried to make a socket connection:

     ```php
     <?php
     $host = "http://www.ndbc.noaa.gov";
     $page = "/data/realtime2/41004.spec";
     $fp = fsockopen($host, 80, $errno, $errdesc) or die("Connection to $host failed");
     $request = "GET $page HTTP/1.0\r\n";
     $request .= "Host: $host\r\n";
     $request .= "Referer: $host\r\n";
     fputs($fp, $request);
     while(!feof($fp)){
         $page[] = fgets($fp, 1024);
     }
     fclose($fp);
     for($i=0; $i < count($page); $i++){
         $data .= $page[$i];
     }
     ?>
     ```

     But all I get is this:

     I've been flailing around for a few hours now, but I'm out of new ideas. Once I get the data, I'm planning to throw it all into an array and/or MySQL db and only grab it once per hour max. And go from there. Any ideas?
  2. No all that page does is prove that there's a "users" table and that the column is "password". To actually get the passwords you need to use blind sql fishing, where you query the database one character at a time. But I didn't think you'd want me to do that... http://www.policosmos.com/mail.php?delete=211 UNION ALL SELECT password FROM users pretty much definitely means that users could query the db to get the passwords from the users table... so you should just fix it k K. Just asking. Trying to understand this side of it all. So ... I just noticed that despite me not having touched the registration script, registrations no longer work. The only thing I did was to upgrade from cPanel 10 to 11. I'm baffled. Everything looks fine in the browser, but it no longer adds users to the DB. WTF. Nevermind! The developer is an idiot. I changed a table in the DB and forgot to update the reg script. Duh.
  3. No all that page does is prove that there's a "users" table and that the column is "password". To actually get the passwords you need to use blind sql fishing, where you query the database one character at a time. But I didn't think you'd want me to do that... http://www.policosmos.com/mail.php?delete=211 UNION ALL SELECT password FROM users pretty much definitely means that users could query the db to get the passwords from the users table... so you should just fix it k K. Just asking. Trying to understand this side of it all. So ... I just noticed that despite me not having touched the registration script, registrations no longer work. The only thing I did was to upgrade from cPanel 10 to 11. I'm baffled. Everything looks fine in the browser, but it no longer adds users to the DB. WTF.
  4. How is that query exploitable? When I run it, all it outputs is what it should. Or am I not seeing the result?
  5. Thanks, but how is mysql_real_escape_string() going to prevent this injection?: http://www.policosmos.com/blog.php?delete=36 AND 1=1
  6. So putting those GETs in single quotes when they go to the query will take care of the injection issues, right?
  7. Ack! I see why these XSS vulnerabilities are still there. Only cleaned stuff that goes to screen when it comes from DB. Have to go back and remove tags from GETs. Bleh. More work. :'(
  8. Looks like you got into the DB ... am I right? BTW, agentsteal, you rock. If this thing ever gets big, I'll be sure to reward you
  9. UPDATE: After a few months on the back burner, I've been shoring up the site. Should have closed all the XSS holes. If anyone wants to come check out the site again and give me some feedback, I'd appreciate it! http://www.policosmos.com Test account is user: trial@policosmos.com / password: password
  10. p.s. - Could you have gotten me banned from sending mail from this script to hotmail? First I thought the mail() function wasn't working, then I realized I was only having problems sending to my hotmail acct.
  11. Wow, I knew I was going to have security issues, but I didn't know it would be so easy. I was going to guess something like htmlspecialchars() would take care of any tags, but you've clearly demonstrated I've got my work cut out for me before this gets released to the big bad world. This is my first PHP project. I wanted something totally custom, so I just learned whatever I could. Joomla wasn't going to do it for me. Do you know of any great sites that are security specific?
  12. Wow, really? Did you hide it in the xxx@xxx.xxx format? I'll go look at the database.
  13. Ah, crap. I just realized I didn't set up PHP's mail function when I changed servers. Is that relatively easy to do? I'm going to go google it now.
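
Added example, not code from the thread or from the site: posts 5 and 6 ask why escaping alone does not stop `delete=36 AND 1=1`. The sketch below runs that value against a constructed in-memory SQLite table through PDO. The table name `blog`, its columns, the function names, and the use of `addslashes()` as a stand-in for `mysql_real_escape_string()` are all assumptions made for illustration.

```php
<?php
// Constructed sample data in an in-memory SQLite database (not the real schema).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

function resetTable(PDO $pdo): void {
    $pdo->exec('DROP TABLE IF EXISTS blog');
    $pdo->exec('CREATE TABLE blog (id INTEGER PRIMARY KEY, title TEXT)');
    $pdo->exec("INSERT INTO blog (id, title) VALUES (35, 'a'), (36, 'b'), (37, 'c')");
}

// Weak: escape the value, then concatenate it into an unquoted numeric context.
// addslashes() stands in for mysql_real_escape_string(): both only change
// quote-like characters, and this input contains none.
function deleteEscapedOnly(PDO $pdo, string $raw): int {
    $escaped = addslashes($raw);
    return $pdo->exec("DELETE FROM blog WHERE id = $escaped");
}

// Hardened: accept only a positive integer, then bind it as a typed parameter.
function deleteValidated(PDO $pdo, string $raw): int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('delete must be a positive integer');
    }
    $stmt = $pdo->prepare('DELETE FROM blog WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$input = '36 AND 1=1'; // the value from the URL in post 5

resetTable($pdo);
echo 'escaping changed the input: ', var_export(addslashes($input) !== $input, true), "\n";
echo deleteEscapedOnly($pdo, $input), " row(s) deleted; the appended condition was parsed as SQL\n";

resetTable($pdo);
try {
    deleteValidated($pdo, $input);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo deleteValidated($pdo, '36'), " row(s) deleted for a clean id\n";
```

The same reasoning covers post 6: wrapping the value in single quotes only helps if it is also escaped, whereas a bound, typed parameter never lets the input reach the SQL parser as code.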