Posts posted by dannyb785

  1. File Input Accepted

     

     

    The impact of this vulnerability

    User may upload malicious files to server.

    How to fix this vulnerability

    Check if the script inputs are properly validated from uploading .exe/.js and .php extensions

     

     

    Can you tell me where file input was accepted? Or do you mean that there was a folder found with permissions that allow an upload?

  2. You can insert multiple records using this syntax (faster than multiple single inserts)

    INSERT INTO table (x, y, z) 
    VALUES
    ($a, $b, $c),
    ($d, $e, $f),
    ($g, $h, $i),
    ($j, $k, $l)
    

     

    whooooooooooooooooooooooooaaa!! Are you serious?? That's awesome!!

  3. ^ haha, well someone out there has voted a few thousand times.

     

     

    And can someone tell me how they're masking their IP? In my IP-tracking column, sometimes there's "<script>blahblah</script>" among other interesting stuff, but it's a field that the user had no control of (at least I thought).

  4. 1. Ok, I said earlier that it's not that big of a deal on this site, but it is for others.

     

    2. In my first post in this thread I said stop the cross site scripting... so yeah...

     

    3. You said 'allowed javascript'...

     

    4. htmlentities with the ENT_QUOTES parameter stops cross site scripting with no loss of user input when displayed as text. Period.

     

    But like I said, I don't want to argue with you, just want to give the OP another option.

     

    I went ahead and added the ENT_QUOTES parameter to my htmlentities function. Thank you for it, I wasn't aware of it.

  5. Danny, are you using strip_tags on calendar.php? Because my scanner is still picking up cross site scripting on it. ;)

     

    to be more specific you can inject javascript into the year variable ;)

     

    Also, just a suggestion, but the poll goes away after voting; is there a way you could display the results? ;)

     

    I did htmlentities bc I thought that by doing it, it erased any chance of using JS/HTML. Do I need to use both?

     

    And I know what you mean about displaying results... that's been me being lazy. I'll get to it by tomorrow night

  6. Full path disclosure: Fatal error: Call to undefined function html_entities() in /home2/xausfco/public_html/calendar.php on line 9

    Also, not really a hack, but can you try to correct the javascript so it's unobtrusive? The slideshows don't work without JS. Try using an image in noscript tags.

     

    ----------------

    Now playing: Rage Against The Machine - Tire Me

    via FoxyTunes

     

    Thank you for catching those 2! I got them both fixed. Very helpful :)

  7. I understand your suggestion about validation, but at the moment I have it set up so my client can create the form themselves (my system does most of the work for them), so they basically just create the field title and whether it's required or not. But it's all just submitted to a database for my client to read and look over, so validation isn't required, but more just suggested. So I use simple JS to validate a blank field bc the typical user who is filling out the form isn't going to try and hack around it to keep the field blank.

  8.  

    He is just taking keys like H A C and K, and alerting them on the screen.

     

    alert('h');

    alert('a');

    alert('c');

    alert('k');

     

    This isn't a hack, just a test of whether it's XSS proof, which it obviously isn't.

     

    Use strip_tags, or htmlentities();

     

    Would just htmlentities do the job? I read somewhere that strip_tags doesn't completely remove all possible malicious input.

  9. Basic Stuff

     

    "Warning: do not refresh this page as it will resubmit the information"

     

    You should probably make the email form a little less vulnerable to spamming. Right now I'm too lazy and I don't dislike you or anything, so I didn't write a script to continually bomb this page.

     

    Not Basic Stuff

    XSS! :o

    http://www.xausf.com/search.php?s=%3Cscript%3Ealert(String.fromCharCode(72));alert(String.fromCharCode(65));alert(String.fromCharCode(67));alert(String.fromCharCode(75))%3C/script%3E

     

    Pretty Dangerous...

     

     

     

    would adding htmlentities help this problem? I'm scared to run the script to see what it does!
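    As an added example (not code from the thread or from the site being tested), here is the difference the posters are arguing about: strip_tags removes tags but leaves quotes, so a value reflected into an attribute can still break out, while htmlentities with ENT_QUOTES encodes for the HTML context. The $_GET keys 's' and 'year' only mirror the search.php and calendar.php parameters mentioned above; the sample input is constructed.

```php
<?php
// Added example, not from the thread. Shows why strip_tags() alone is not a
// sufficient XSS defence for reflected input, and how htmlentities() with
// ENT_QUOTES neutralises it in both text and quoted-attribute contexts.

// Constructed sample of what could arrive in $_GET['s'].
$untrusted = '<script>alert(String.fromCharCode(72))</script>" onmouseover="alert(1)';

// Vulnerable: echoing raw input puts markup straight into the page.
function renderRaw(string $term): string {
    return 'You searched for: ' . $term;
}

// Incomplete: strip_tags() drops the <script> tags, but keeps the text between
// them and the quote, so the value still closes the attribute and adds one.
function renderStripped(string $term): string {
    return '<input type="text" value="' . strip_tags($term) . '">';
}

// Hardened: encode for the context the value lands in. ENT_QUOTES converts
// both ' and ", so the result is inert inside quoted attributes as well.
function renderEncoded(string $term): string {
    $safe = htmlentities($term, ENT_QUOTES, 'UTF-8');
    return '<input type="text" value="' . $safe . '">';
}

echo renderRaw($untrusted), PHP_EOL;       // markup reaches the browser as-is
echo renderStripped($untrusted), PHP_EOL;  // value="alert(...)" onmouseover="alert(1)"
echo renderEncoded($untrusted), PHP_EOL;   // value="&lt;script&gt;...&quot; onmouseover=..."

// For a numeric-looking parameter such as calendar.php?year=, validate the
// type first; then the raw string never reaches the page at all.
$year = filter_input(INPUT_GET, 'year', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1970, 'max_range' => 2100]]);
if ($year === false || $year === null) {
    $year = (int) date('Y');   // fall back instead of echoing the input
}
echo 'Calendar for ' . $year, PHP_EOL;
```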

  10. There is very little validation in the 'contact' form, <> tags, etc...

     

    I'd suggest sanitizing the input for those fields a little more.

     

    I can't find any other noticeable security flaws, but I tested it without software.

     

     

    Do you mean JS validation? Or server-side filtering? And how can you tell? Because once something is submitted, it's never repeated back to the user nor made public.

  11. Hello all, this is a page belonging to a client of mine. The only parts that even allow user input are on the contacts page (typing info to be emailed), the polls that you vote on, and the search field. So there shouldn't be any main security vulnerability; however, there is a behind-the-scenes area to log into and edit things, so I suppose just make sure someone couldn't accidentally stumble into it (it requires the user to be logged in even if they did know the address of the page).

     

    http://www.xausf.com

  12. Never mind, I figured it out

     

    using $sql="SELECT * from `users` WHERE `username`='".$_GET['username']."'";

     

    Thanks a lot, guys!

     

    Sorry, had I been to the site earlier, I would've expounded on my post by explaining what you figured out. But I feel it's better that you figured it out, since we won't be here all the time. I learned by hours of troubleshooting.
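    As an added example (not code from the thread), the lookup above splices $_GET['username'] straight into the SQL string, so the parameter can change the statement; a prepared statement sends the value separately from the query text. The second function applies the same idea to the multi-row INSERT syntax from the earlier post. The PDO connection, the DSN and credentials, and the 'votes' table with its columns are placeholders and assumptions, not the site's real schema.

```php
<?php
// Added example, not from the thread. Table/column names for findUser()
// follow the post; everything else (DSN, credentials, 'votes') is assumed.

function findUser(PDO $pdo, string $username): ?array {
    // Placeholder is bound by the driver; quotes in $username cannot end it.
    $stmt = $pdo->prepare('SELECT * FROM `users` WHERE `username` = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Multi-row INSERT (one placeholder group per row), still parameterised.
function insertRows(PDO $pdo, string $table, array $columns, array $rows): int {
    if ($rows === []) {
        return 0;
    }
    // Identifiers cannot be bound as parameters, so whitelist them instead.
    foreach (array_merge([$table], $columns) as $ident) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $ident)) {
            throw new InvalidArgumentException("bad identifier: $ident");
        }
    }
    $group  = '(' . implode(', ', array_fill(0, count($columns), '?')) . ')';
    $sql    = sprintf('INSERT INTO `%s` (`%s`) VALUES %s',
        $table, implode('`, `', $columns),
        implode(', ', array_fill(0, count($rows), $group)));
    $params = [];
    foreach ($rows as $row) {
        if (count($row) !== count($columns)) {
            throw new InvalidArgumentException('row width does not match columns');
        }
        array_push($params, ...array_values($row));
    }
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

// Usage; DB_NAME / DB_USER / DB_PASS are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);
$user = findUser($pdo, $_GET['username'] ?? '');
// Constructed rows; 'votes' and its columns are an assumed poll table.
insertRows($pdo, 'votes', ['poll_id', 'choice', 'ip'],
    [[1, 'a', '203.0.113.5'], [1, 'b', '203.0.113.6']]);
```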

  13. I'm not sure if that first name was a joke or not but a quick typo I noticed:

     

    if(document.getElementById('urnmae').value=='')
    	{
    		alert('You must enter a name!');
    		document.getElementById('urname').focus();
    	}
    

     

    The first line has urnmae and the 4th has urname.

     

     

    But regardless, it's not going to work, because you're passing a string into the function and it's not gonna do what you need. You need to replace "Name" with this.value (without the quotes) and make sure there are no quotes in the function call in the input field.

  14.  

     

    You should learn to read what forums are what. This should be in testing not in critiquing. You don't want people trying to hack your site... It's just going to get defaced like that....

     

    Beta Test Your Stuff!

    Post a link to your work with inputs and expected outputs for people to test.

     

    A mod can move it if it's a problem.

  15. It's the way the template is set up. It's a separate image, so you need to hover for about 2 seconds. I need a way to preload the hover images so that this doesn't happen. I haven't tried anything yet, but I think maybe just loading them and giving them a position like position:absolute; top: -1000px. You think that'd do it?

  16. I don't have (or know) the exact code, but it should be something like this:

     

    - read file A line by line

    - write each line to file B, as long as it's not blank (or as long as it's not whatever line you want to leave out), so you'd do a conditional [ if($data != "whatever") fprintf(something); ] or something to that effect. Look up fopen, fprintf, and similar functions, then you'll get an idea of how to write the code for it.

     

     

    that's pretty much it.
