947740 Posted May 20, 2008

I made this site with my awesome knowledge of PHP and MySQL, and I was hoping you could take a look at it.

The address: http://fmbaseballstats.djpic.net
To login: Username: John Doe, Password: password

Please just mess around with the stats and stuff and let me know what you think. Also let me know if you find any security issues. (I know there are some that can be easily fixed, I have just not got around to that yet...)
Coreye Posted May 20, 2008

Cross site Scripting (XSS): You can submit ">code in the players' names.

SQL Error: When adding " to the players' names.
ERROR!You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'C","N","N")' at line 1

SQL Error: When adding " to the stats.
INSERT INTO hitting (`team`,`gameid`,`position`,`player`,`ab`,`r`,`h`,`2b`,`3b`,`hr`,`rbi`,`k`,`bb`) VALUES ('V','3','C',' Corey','"','0','0','0','0','0','0','0','0')
INSERT INTO hitting (`team`,`gameid`,`position`,`player`,`ab`,`r`,`h`,`2b`,`3b`,`hr`,`rbi`,`k`,`bb`) VALUES ('V','3','1B','Someone','0','0','0','0','0','0','0','0','0')
INSERT INTO hitting (`team`,`gameid`,`position`,`player`,`ab`,`r`,`h`,`2b`,`3b`,`hr`,`rbi`,`k`,`bb`) VALUES ('V','3','2B',' Corey','0','0','0','0','0','0','0','0','0')
INSERT INTO hitting (`team`,`gameid`,`position`,`player`,`ab`,`r`,`h`,`2b`,`3b`,`hr`,`rbi`,`k`,`bb`) VALUES ('V','3','SS',' Corey','0','0','0','0','0','0','0','0','0')
INSERT INTO hitting (`team`,`gameid`,`position`,`player`,`ab`,`r`,`h`,`2b`,`3b`,`hr`,`rbi`,`k`,`bb`) VALUES ('V','3','3B',' Corey','0','0','0','0','0','0','0','0','0')
INSERT INTO hitting (`team`,`gameid`,`position`,`player`,`ab`,`r`,`h`,`2b`,`3b`,`hr`,`rbi`,`k`,`bb`) VALUES ('V','3','LF',' Corey','0','0','0','0','0','0','0','0','0')
INSERT INTO hitting (`team`,`gameid`,`position`,`player`,`ab`,`r`,`h`,`2b`,`3b`,`hr`,`rbi`,`k`,`bb`) VALUES ('V','3','CF',' Corey','0','0','0','0','0','0','0','0','0')
INSERT INTO hitting (`team`,`gameid`,`position`,`player`,`ab`,`r`,`h`,`2b`,`3b`,`hr`,`rbi`,`k`,`bb`) VALUES ('V','3','RF',' Corey','0','0','0','0','0','0','0','0','0')
947740 (Author) Posted May 20, 2008

Thanks for making Corey go across the screen! I did not make that kind of stuff safe because only administrators and coaches can access the page. Except for right now, of course. Thanks for giving it a go.
smc Posted May 21, 2008

When entering " into the username you reveal your SQL and method of encryption:
ERROR!You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'd41d8cd98f00b204e9800998ecf8427e"' at line 1

Leaving you open to brute forcing / SQL injection. If I find more I'll post here.
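The error above shows two things a defender should take from smc's post: the username is being pasted straight into the SQL string, and the 32-character hex value next to it has the shape of an unsalted MD5 digest (this particular one is the MD5 of an empty string, i.e. the password field was left blank), which is what "method of encryption" refers to. The following PHP is an added example, not the site's own code, of a login routine that binds the username as a parameter, stores a salted slow hash with password_hash(), and logs database errors instead of printing them. It assumes PHP 7.4 or later with the pdo_sqlite extension; the in-memory SQLite users table and the account it contains are constructed here to stand in for the site's MySQL table.

```php
<?php
// Added example (not the site's own code): a login check that does not
// interpolate the username into SQL, does not store plain MD5 digests, and
// never sends the database error text to the browser.
// Assumes PHP >= 7.4 with pdo_sqlite; the users table is constructed here.

function make_user_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    // Constructed sample account, reusing the thread's demo credentials.
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => 'John Doe', ':h' => password_hash('password', PASSWORD_DEFAULT)]);
    return $pdo;
}

// Returns true only when the username exists and the password verifies.
// The username is a bound parameter, so a " or \ inside it cannot change the
// query text; a database failure is logged server-side and the caller only
// learns that the login did not succeed.
function login(PDO $pdo, string $username, string $password): bool
{
    try {
        $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
        $stmt->execute([':u' => $username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        error_log('login query failed: ' . $e->getMessage()); // detail stays in the server log
        return false;
    }
    // Verify against a dummy hash on a miss so response time does not reveal
    // which usernames exist.
    static $dummy = null;
    $dummy ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $hash = $row['password_hash'] ?? $dummy;
    return password_verify($password, $hash) && $row !== false;
}

$pdo = make_user_db();
var_dump(login($pdo, 'John Doe', 'password'));  // the demo account
var_dump(login($pdo, 'John Doe', ''));          // blank password, as in smc's test
var_dump(login($pdo, '"', 'password'));         // quote in the username: no SQL error, just false
```

The page that calls login() should show the same "login failed" text for a wrong password, an unknown user and a database exception; the distinguishing detail belongs in the log, not the response. password_hash() did not exist in PHP 5.2, which is what the 2008 site would have run; on that version the equivalent is a per-user random salt with a slow hash such as bcrypt via crypt().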
947740 (Author) Posted May 21, 2008

All of you should try your little tricks again. I made a few changes that should fix all of those problems...
Coreye Posted May 21, 2008

SQL Error: When adding " to stats.
INSERT INTO hitting (`team`,`gameid`,`position`,`player`,`ab`,`r`,`h`,`2b`,`3b`,`hr`,`rbi`,`k`,`bb`) VALUES ('V','5','C','Tyler Hetzel','','','','','','0','0','','')
INSERT INTO hitting (`team`,`gameid`,`position`,`player`,`ab`,`r`,`h`,`2b`,`3b`,`hr`,`rbi`,`k`,`bb`) VALUES ('V','5','1B','Someone','','','','0','0','0','0','0','0')
INSERT INTO hitting (`team`,`gameid`,`position`,`player`,`ab`,`r`,`h`,`2b`,`3b`,`hr`,`rbi`,`k`,`bb`) VALUES ('V','5','2B','Corey','0','0','0','0','0','0','0','0','0')
INSERT INTO hitting (`team`,`gameid`,`position`,`player`,`ab`,`r`,`h`,`2b`,`3b`,`hr`,`rbi`,`k`,`bb`) VALUES ('V','5','SS','Tyler Hetzel','0','0','0','0','0','0','0','0','0')
INSERT INTO hitting (`team`,`gameid`,`position`,`player`,`ab`,`r`,`h`,`2b`,`3b`,`hr`,`rbi`,`k`,`bb`) VALUES ('V','5','3B','Tyler Hetzel','0','0','0','0','0','0','0','0','0')
INSERT INTO hitting (`team`,`gameid`,`position`,`player`,`ab`,`r`,`h`,`2b`,`3b`,`hr`,`rbi`,`k`,`bb`) VALUES ('V','5','LF','Tyler Hetzel','0','0','0','0','0','0','0','0','0')
INSERT INTO hitting (`team`,`gameid`,`position`,`player`,`ab`,`r`,`h`,`2b`,`3b`,`hr`,`rbi`,`k`,`bb`) VALUES ('V','5','CF','Tyler Hetzel','0','0','0','0','0','0','0','0','0')
INSERT INTO hitting (`team`,`gameid`,`position`,`player`,`ab`,`r`,`h`,`2b`,`3b`,`hr`,`rbi`,`k`,`bb`) VALUES ('V','5','RF','Tyler Hetzel','0','0','0','0','0','0','0','0','0')
947740 (Author) Posted May 21, 2008

I could have sworn I fixed that... Now I feel kind of stupid.
947740 (Author) Posted May 21, 2008

I completely forgot, but it is supposed to show those queries. You will notice that most of the ' ' have a 0 in between them, but others do not. The ones without the 0 are the ones you entered an invalid character into, being any symbol. So, it actually did what it was supposed to do. Also, if you look at the first thing you posted, the " is visible between ' '. I had made it show the queries when I was in the development process, and I just forgot to change it. Thanks for taking another look at that.
Coreye Posted May 21, 2008

Cross Site Scripting (XSS): You can edit the drop menus when adding a game and submit ">code like I did on http://fmbaseballstats.djpic.net/schedule.php?type=both.

If you edit the drop down menus for managing injured players and add \ you get:
ERROR!You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"\"' at line 1.

You can also add more teams other than JV and V. I added C, Co and te.
947740 (Author) Posted May 22, 2008

How did you edit the drop down menus!?
allistera Posted May 22, 2008

You can easily do it in Firefox with the Web Developer extension, and the same in Opera with no plugin.
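The findings in this thread all come back to one rule: the browser's form controls are not a security boundary, because (as allistera says) anyone can edit a drop-down before submitting it, so the team, position and stat values have to be validated on the server, the INSERT has to use bound parameters rather than string building, and stored names have to be escaped when they are written into the page. The PHP below is an added example, not the site's own code, covering Coreye's findings (the ">code in player names, the " in stat fields, the \ in the injured-players menu, the extra teams C, Co and te) and the author's approach of blanking invalid stat values; it rejects bad input with a reason instead of silently dropping it. It assumes PHP 7.4 or later with pdo_sqlite; the hitting table is reconstructed from the column list in the thread's queries, the team list is the JV and V the form offers, and the position list is the one visible in those queries (extend it as the real roster needs).

```php
<?php
// Added example (not the site's own code): server-side handling of the
// "add stats" form. Nothing from the request is trusted: team and position are
// checked against fixed lists, gameid and stats must be whole numbers, the
// player name is restricted to name characters, the INSERT uses bound
// parameters, and names are HTML-escaped at render time.
// Assumes PHP >= 7.4 with pdo_sqlite; lists and table are reconstructed from the thread.

const TEAMS     = ['JV', 'V'];
const POSITIONS = ['C', '1B', '2B', '3B', 'SS', 'LF', 'CF', 'RF'];
const STAT_COLS = ['ab', 'r', 'h', '2b', '3b', 'hr', 'rbi', 'k', 'bb'];

function make_stats_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE hitting (team TEXT, gameid INTEGER, position TEXT, player TEXT,'
             . ' "ab" INTEGER, "r" INTEGER, "h" INTEGER, "2b" INTEGER, "3b" INTEGER,'
             . ' "hr" INTEGER, "rbi" INTEGER, "k" INTEGER, "bb" INTEGER)');
    return $pdo;
}

// Validates one submitted row (a $_POST-shaped array). Returns the cleaned row
// on success, or a list of error strings. Values not on the whitelist are
// refused outright so the coach sees why the row was not saved.
function validate_hitting_row(array $in)
{
    $errors = [];
    if (!in_array($in['team'] ?? '', TEAMS, true))         $errors[] = 'unknown team';
    if (!in_array($in['position'] ?? '', POSITIONS, true)) $errors[] = 'unknown position';
    if (!ctype_digit((string)($in['gameid'] ?? '')))       $errors[] = 'bad game id';
    $player = trim((string)($in['player'] ?? ''));
    if ($player === '' || strlen($player) > 60 || !preg_match('/^[\p{L}\p{M}\' .-]+$/u', $player)) {
        $errors[] = 'player name may contain letters, spaces, apostrophes, periods and hyphens only';
    }
    $stats = [];
    foreach (STAT_COLS as $col) {
        $v = (string)($in[$col] ?? '0');              // an omitted stat counts as 0
        if (!ctype_digit($v)) { $errors[] = "$col must be a whole number"; continue; }
        $stats[$col] = (int)$v;
    }
    if ($errors) return $errors;
    return ['team' => $in['team'], 'gameid' => (int)$in['gameid'],
            'position' => $in['position'], 'player' => $player] + $stats;
}

function insert_hitting(PDO $pdo, array $row): void
{
    // Column names come from the fixed lists, never from the request, and the
    // values are bound, so a " or \ in any field cannot alter the statement.
    // (MySQL quotes identifiers with backticks; SQLite accepts double quotes.)
    $cols = array_merge(['team', 'gameid', 'position', 'player'], STAT_COLS);
    $sql  = 'INSERT INTO hitting ("' . implode('","', $cols) . '") VALUES ('
          . implode(',', array_fill(0, count($cols), '?')) . ')';
    $vals = array_map(fn($c) => $row[$c], $cols);
    $pdo->prepare($sql)->execute($vals);
}

// Escaping when the value is written into HTML is what stops a stored name
// from breaking out of an attribute or tag and running as script.
function render_cell(string $text): string
{
    return '<td>' . htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

$pdo  = make_stats_db();
$good = validate_hitting_row(['team' => 'V', 'gameid' => '3', 'position' => 'C',
                              'player' => "Tyler O'Neil", 'ab' => '4', 'h' => '2']);
insert_hitting($pdo, $good);

// Constructed submissions of the kinds reported in the thread: a team that is
// not on the form, a quote in a stat field, and markup in a player name.
foreach ([['team' => 'Co', 'gameid' => '3', 'position' => 'C', 'player' => 'Corey'],
          ['team' => 'V', 'gameid' => '3', 'position' => 'C', 'player' => 'Corey', 'ab' => '"'],
          ['team' => 'V', 'gameid' => '3', 'position' => 'C', 'player' => '"><b>Corey</b>']] as $bad) {
    print_r(validate_hitting_row($bad));
}

foreach ($pdo->query('SELECT player, ab, h FROM hitting') as $r) {
    echo '<tr>' . render_cell($r['player']) . render_cell((string)$r['ab'])
       . render_cell((string)$r['h']) . "</tr>\n";
}
```

The same validate-then-bind pattern applies to the injured-players and add-game forms: whatever a `<select>` offers, the handler checks the posted value against its own list, because the list in the HTML is only a convenience for the user. The query echo the author left enabled for development should be removed as well; even with parameters bound, printing statements to the browser hands out the schema for free.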
947740 (Author) Posted May 23, 2008

Wow. I did not know that. Thanks for telling me.
darkfreaks Posted July 9, 2008

Password type input with autocomplete
The impact of this vulnerability: Possible sensitive information disclosure.
How to fix this vulnerability: The password autocomplete should be disabled in sensitive applications. To disable autocomplete, you may use code similar to: <INPUT TYPE="password" AUTOCOMPLETE="off">

HTTP TRACE method is enabled
Vulnerability description: HTTP TRACE method is enabled on this web server. In the presence of other cross-domain vulnerabilities in web browsers, sensitive header information could be read from any domains that support the HTTP TRACE method. This vulnerability affects the web server.
The impact of this vulnerability: Attackers may abuse HTTP TRACE functionality to gain access to information in HTTP headers such as cookies and authentication data.
Attack details: No details are available.
How to fix this vulnerability: Disable the TRACE method on the web server.

User credentials are sent in clear text
The impact of this vulnerability: A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection.
How to fix this vulnerability: Because user credentials are usually considered sensitive information, it is recommended that they be sent to the server over an encrypted connection.