947740 Posted May 20, 2008 Share Posted May 20, 2008 I made this site with my awesome knowledge of PHP and MySQL, and I was hoping you could take a look at it. The address: http://fmbaseballstats.djpic.net To login: Username: John Doe Password: password Please just mess around with the stats and stuff and let me know what you think. Also let me know if you find any security issues. (I know there are some that can be easily fixed, I have just not got around to that yet...) Link to comment Share on other sites More sharing options...
Coreye Posted May 20, 2008 Share Posted May 20, 2008 Cross site Scripting(XSS): You can submit ">code in the players names. SQL Error: When adding " to the players names. ERROR!You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'C","N","N")' at line 1 SQL Error: When adding " to the stats. INSERT INTO hitting (`team`,`gameid`,`position`,`player`,`ab`,`r`,`h`,`2b`,`3b`,`hr`,`rbi`,`k`,`bb`) VALUES ('V','3','C',' Corey','"','0','0','0','0','0','0','0','0') INSERT INTO hitting (`team`,`gameid`,`position`,`player`,`ab`,`r`,`h`,`2b`,`3b`,`hr`,`rbi`,`k`,`bb`) VALUES ('V','3','1B','Someone','0','0','0','0','0','0','0','0','0') INSERT INTO hitting (`team`,`gameid`,`position`,`player`,`ab`,`r`,`h`,`2b`,`3b`,`hr`,`rbi`,`k`,`bb`) VALUES ('V','3','2B',' Corey','0','0','0','0','0','0','0','0','0') INSERT INTO hitting (`team`,`gameid`,`position`,`player`,`ab`,`r`,`h`,`2b`,`3b`,`hr`,`rbi`,`k`,`bb`) VALUES ('V','3','SS',' Corey','0','0','0','0','0','0','0','0','0') INSERT INTO hitting (`team`,`gameid`,`position`,`player`,`ab`,`r`,`h`,`2b`,`3b`,`hr`,`rbi`,`k`,`bb`) VALUES ('V','3','3B',' Corey','0','0','0','0','0','0','0','0','0') INSERT INTO hitting (`team`,`gameid`,`position`,`player`,`ab`,`r`,`h`,`2b`,`3b`,`hr`,`rbi`,`k`,`bb`) VALUES ('V','3','LF',' Corey','0','0','0','0','0','0','0','0','0') INSERT INTO hitting (`team`,`gameid`,`position`,`player`,`ab`,`r`,`h`,`2b`,`3b`,`hr`,`rbi`,`k`,`bb`) VALUES ('V','3','CF',' Corey','0','0','0','0','0','0','0','0','0') INSERT INTO hitting (`team`,`gameid`,`position`,`player`,`ab`,`r`,`h`,`2b`,`3b`,`hr`,`rbi`,`k`,`bb`) VALUES ('V','3','RF',' Corey','0','0','0','0','0','0','0','0','0') 1 Link to comment Share on other sites More sharing options...
947740 Posted May 20, 2008 Author Share Posted May 20, 2008 Thanks for making Corey go across the screen! I did not make that kind of stuff safe because only administrators and coaches can access the page. Except for right now, of course. Thanks for giving it a go. Link to comment Share on other sites More sharing options...
smc Posted May 21, 2008 Share Posted May 21, 2008 When entering " into the username you reveal your SQL and method of encryption ERROR!You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'd41d8cd98f00b204e9800998ecf8427e"' at line 1 Leaving you open to brute forcing / sql injection. If I find more I'll post here. Link to comment Share on other sites More sharing options...
947740 Posted May 21, 2008 Author Share Posted May 21, 2008 All of you should try your little tricks again. I made a few changes that should fix all of those problems... Link to comment Share on other sites More sharing options...
Coreye Posted May 21, 2008 Share Posted May 21, 2008 SQL Error: When adding " to stats. INSERT INTO hitting (`team`,`gameid`,`position`,`player`,`ab`,`r`,`h`,`2b`,`3b`,`hr`,`rbi`,`k`,`bb`) VALUES ('V','5','C','Tyler Hetzel','','','','','','0','0','','') INSERT INTO hitting (`team`,`gameid`,`position`,`player`,`ab`,`r`,`h`,`2b`,`3b`,`hr`,`rbi`,`k`,`bb`) VALUES ('V','5','1B','Someone','','','','0','0','0','0','0','0') INSERT INTO hitting (`team`,`gameid`,`position`,`player`,`ab`,`r`,`h`,`2b`,`3b`,`hr`,`rbi`,`k`,`bb`) VALUES ('V','5','2B','Corey','0','0','0','0','0','0','0','0','0') INSERT INTO hitting (`team`,`gameid`,`position`,`player`,`ab`,`r`,`h`,`2b`,`3b`,`hr`,`rbi`,`k`,`bb`) VALUES ('V','5','SS','Tyler Hetzel','0','0','0','0','0','0','0','0','0') INSERT INTO hitting (`team`,`gameid`,`position`,`player`,`ab`,`r`,`h`,`2b`,`3b`,`hr`,`rbi`,`k`,`bb`) VALUES ('V','5','3B','Tyler Hetzel','0','0','0','0','0','0','0','0','0') INSERT INTO hitting (`team`,`gameid`,`position`,`player`,`ab`,`r`,`h`,`2b`,`3b`,`hr`,`rbi`,`k`,`bb`) VALUES ('V','5','LF','Tyler Hetzel','0','0','0','0','0','0','0','0','0') INSERT INTO hitting (`team`,`gameid`,`position`,`player`,`ab`,`r`,`h`,`2b`,`3b`,`hr`,`rbi`,`k`,`bb`) VALUES ('V','5','CF','Tyler Hetzel','0','0','0','0','0','0','0','0','0') INSERT INTO hitting (`team`,`gameid`,`position`,`player`,`ab`,`r`,`h`,`2b`,`3b`,`hr`,`rbi`,`k`,`bb`) VALUES ('V','5','RF','Tyler Hetzel','0','0','0','0','0','0','0','0','0') 1 Link to comment Share on other sites More sharing options...
947740 Posted May 21, 2008 Author Share Posted May 21, 2008 I could have sworn I fixed that... Now I feel kind of stupid. Link to comment Share on other sites More sharing options...
947740 Posted May 21, 2008 Author Share Posted May 21, 2008 I completely forgot, but it is supposed to show those queries. You will notice that most of the ' ' have a 0 in between them, but others do not? The ones without the 0 are the ones you entered an invalid character into, being any symbol. So, it actually did what it was supposed to do. Also, if you look at the first thing you posted, the " is visible between ' '. I had made it show the queries when I was in the development process, and I just forget to change it. Thanks for taking another look at that. Link to comment Share on other sites More sharing options...
Coreye Posted May 21, 2008 Share Posted May 21, 2008 Cross Site Scripting(XSS): You can edit the drop menus when adding a game and submit ">code like I did on http://fmbaseballstats.djpic.net/schedule.php?type=both. If you edit the drop down menus for managing injured players and add \ you get ERROR!You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"\"' at line 1. You can also add more teams other then JV and V. I added C, Co and te. Link to comment Share on other sites More sharing options...
947740 Posted May 22, 2008 Author Share Posted May 22, 2008 How did you edit the drop down menus!? Link to comment Share on other sites More sharing options...
allistera Posted May 22, 2008 Share Posted May 22, 2008 You can easily do it in firefox with the Web Dev extention, and the same in opera with no plugin. Link to comment Share on other sites More sharing options...
947740 Posted May 23, 2008 Author Share Posted May 23, 2008 Wow. I did not know that. Thanks for telling me. Link to comment Share on other sites More sharing options...
darkfreaks Posted July 9, 2008 Share Posted July 9, 2008 Password type input with autocomplete The impact of this vulnerability Possible sensitive information disclosure How to fix this vulnerability The password autocomplete should be disabled in sensitive applications. To disable autocomplete, you may use a code similar to: <INPUT TYPE="password" AUTOCOMPLETE="off"> Vulnerability description HTTP TRACE method is enabled on this web server. In the presence of other cross-domain vulnerabilities in web browsers, sensitive header information could be read from any domains that support the HTTP TRACE method. This vulnerability affects Web Server. The impact of this vulnerability Attackers may abuse HTTP TRACE functionality to gain access to information in HTTP headers such as cookies and authentication data. Attack details No details are available. How to fix this vulnerability Disable TRACE Method on the web server. User credentials are sent in clear text The impact of this vulnerability A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection. How to fix this vulnerability Because user credentials usually are considered sensitive information, it is recommended to be sent to the server over an encrypted connection. Link to comment Share on other sites More sharing options...
Recommended Posts