My new Blog Site, need feedback on how secure...Be gentle.

[dvdflashbacks]

I put this simple blog site together using JPMaster77's Login system and some other tweaks and addons.

 

I am trying to find out what else there may be to fix that I have not thought of yet.  If someone is able to hack into it....please be gentle...I already have bad hemorrhoids and don't need a full fistf*** lol

 

http://www.nothingaboutnothing.com

 

Thanks.

[Coreye]

Cross Site Scripting(XSS):

You can submit ">code when adding comments.

 

Full Path Disclosure:

http://www.nothingaboutnothing.com/archive.php?id=a

Warning: mysql_free_result(): 14 is not a valid MySQL result resource in /home/dvdflas1/public_html/nothingaboutnothing/archive.php on line 212

 

http://www.nothingaboutnothing.com/admin/CaptchaSecurityImages.php?width[]

Fatal error: Unsupported operand types in /home/dvdflas1/public_html/nothingaboutnothing/admin/CaptchaSecurityImages.php on line 52

[dvdflashbacks]

Big thanks to Coreye for all his help this weekend with my site! 

[darkfreaks]

Vulnerability description

This page was found as link but is inaccessible.

This vulnerability affects /archive.php.

The impact of this vulnerability

Problems navigating the site.

Attack details

No details are available.

 

How to fix this vulnerability

Remove the links to this file or make this available.

 

Vulnerability description

This alert was generated using only banner information. It may be a false positive.

 

A stack-based buffer overflow has been reported in the Apache mod_ssl module. This issue would most likely result in a denial of service if triggered, but could theoretically allow for execution of arbitrary code. The issue is not believed to be exploitable to execute arbitrary code on x86 architectures, though this may not be the case with other architectures.

 

Affected mod_ssl versions (up to 2.8.17).

 

This vulnerability affects mod_ssl.

The impact of this vulnerability

Denial of service and/or possible arbitrary code execution.

 

Attack details

Current version is mod_ssl/2.2.8 OpenSSL/0.9.8g DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/4.4.8

 

How to fix this vulnerability

Upgrade mod_ssl to the latest version.

 

Vulnerability description

This alert was generated using only banner information. It may be a false positive.

 

A format string vulnerability has been found in mod_ssl versions older than 2.8.19. Successful exploitation of this issue will most likely allow an attacker to execute arbitrary code on the affected computer.

 

Affected mod_ssl versions (up to 2.8.18).

 

This vulnerability affects mod_ssl.

The impact of this vulnerability

Denial of service and/or possible arbitrary code execution.

Attack details

Current version is mod_ssl/2.2.8 OpenSSL/0.9.8g DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/4.4.8

 

 

How to fix this vulnerability

Upgrade mod_ssl to the latest version

 

 

 

 

[darkfreaks]

also you have tons of the following exploit(s):

 

User credentials are sent in clear text:

 

How to fix this vulnerability

Because user credentials usually are considered sensitive information, it is recommended to be sent to the server over an encrypted connection.

 

 

Password type input with autocomplete :

How to fix this vulnerability

The password autocomplete should be disabled in sensitive applications.

To disable autocomplete, you may use a code similar to:

<INPUT TYPE="password" AUTOCOMPLETE="off">