source

August 16, 2007

http://www.mp3crib.com/mymusic_upload.php?user=%22%3E%3Cmarquee%3Eownd&uid=759&dir=131-lol-bc49eb

also you can xss the uid field:

http://www.mp3crib.com/mymusic_upload.php?user=%22%3E%3Cmarquee%3Eownd&uid=%3Cscript%3Ealert(1);%3C/script%3E

August 3, 2007

i'll tell you... dis-allowing registeration if they have registered from that IP previously is dumb. people have ips that change and other people use them... etc...

and besides my sister/brother may want to play

July 31, 2007

you dont need to strip just < and > because I'm sure you can bypass that.... (depending on how it's parsed afaik)

and just use strip tags...

July 30, 2007

i register a nick with html code.

I create page with html code.

disabling javascript for making a page w/ price == creates page with code as price (I think that's what happned0

July 25, 2007

yeah,,

and just what I meant was I was able to get it to spit out HTML code on the page.

July 25, 2007

I just got a vector.

Not sure I think I made a page, went to edit it, and then changed the edit page to "><marquee>ownd...

it spit out some html code..

after I clicked submit

http://www.fast.st/zapwiki/demo/index.php?p=code.skin

wow. I just realized... you allowed us to edit the skin of every user and page????

July 23, 2007

good job on the forums.

2 things I noticed.

1) when you view the members page you notice that there are two members name testuser...

2) I can not register it says "passwords" do not match and they do

July 23, 2007

php man I didn't call it hacking. I told you what I found.

July 22, 2007

http://www.fast.st/zapwiki/demo/index.php?p=%22%3E%3Cmarquee%3Eownd&action=source

creating a page with code works.

http://www.fast.st/zapwiki/demo/index.php?p=%22%3E%3Cmarquee%3Eownd

July 22, 2007

AH sorry man I forgot since it was soo long...

And ok about the URL tho I find that very annoying. (just an opinion)

July 21, 2007

re-read my post... I said "when registering"

and uhm... not to start flame war but what does learning php have to do with javascript?

It's completly unfiltered input (the email when I view the source of the page of my profile.)

July 21, 2007

use javascript to check shit == dumb...

on register I was able to register with my email as <script>alert(1);</scritpt> etc. and <marquee>ownd.

July 21, 2007

http://www.sentry.dreamhosters.com/index.php?action=posts&forum=1&id=%22%3E

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE topic_id='\">'' at line 1

July 20, 2007

http://www.fast.st/zapwiki/welcome/index.php?p=solutions.tips

xss vuln when submitting a tip

and having the url the same the whole time is rather annoying and does nothing to stop attacks on your site.

logging out does not work.

July 20, 2007

uhm how can we test anything if we keep getting permission denied to even make a page.?

July 19, 2007

no?

I'm getting a fatal error message and need to make a new account.

July 19, 2007

yeah I know/knew but I had *nothing else to do...

but today atleast there was a couple sites to look at.

July 19, 2007

http://www.babble-net.com/?action=ViewBoard&id=%22%3E%3Cscript%3Ealert(1);%3C/script%3E

errors...

and wtf you have some funky crap going on... I go to try and exploite it and I get some weird ass error and can not look @ forums anymore, unless I make a new account

http://www.babble-net.com/?action=ViewThread&id=48&pid=%22%3E%3Cscript%3Ealert(1);%3C/script%3E

1) xss

2) uhm wtf is up with your sql ?

http://www.babble-net.com/?action=ViewThread&id=48&pid=1973638458

(notice: I posted it as a blank user... hmm.. lemme try changing name to admin)

start using sessions for *EVERYTHING*... I change my cookie (get some error) and lawl @ it because it doesnt do anything...