
My new Blog Site, need feedback on how secure...Be gentle.



I put this simple blog site together using JPMaster77's Login system and some other tweaks and addons.

 

I am trying to find out what else there may be to fix that I have not thought of yet.  If someone is able to hack into it....please be gentle...I already have bad hemorrhoids and don't need a full fistf*** lol

 

http://www.nothingaboutnothing.com

 

Thanks.


Cross Site Scripting (XSS):

You can submit ">code when adding comments.

 

Full Path Disclosure:

http://www.nothingaboutnothing.com/archive.php?id=a

Warning: mysql_free_result(): 14 is not a valid MySQL result resource in /home/dvdflas1/public_html/nothingaboutnothing/archive.php on line 212

 

http://www.nothingaboutnothing.com/admin/CaptchaSecurityImages.php?width[]

Fatal error: Unsupported operand types in /home/dvdflas1/public_html/nothingaboutnothing/admin/CaptchaSecurityImages.php on line 52
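The two findings in the post above (markup breaking out of the comment form with a payload starting `">`, and a PHP error message printing the full filesystem path when a parameter is not the type the script expects) share the same root causes: untrusted input used without validation or encoding, and errors shown to the visitor. The following is an added example, not code from the blog, from archive.php or CaptchaSecurityImages.php, or from JPMaster77's login system; the function names (`int_param`, `e`, `render_comment_*`) and the sample inputs are constructed for illustration.

```php
<?php
// Added example covering both findings above; it is not code from the blog,
// from archive.php/CaptchaSecurityImages.php, or from JPMaster77's login
// system. Function names and sample inputs are constructed for illustration.

// --- Full path disclosure: keep error text off the page -------------------
// The reported warnings leak /home/dvdflas1/... because PHP is printing
// errors to the browser. Log them instead (php.ini: display_errors = Off,
// log_errors = On). display_errors set here applies only once the script
// runs; a parse error is still printed unless php.ini itself is changed.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// --- Parameter validation: ?width[] and ?id=a ----------------------------
// Returns $value as an integer within [$min, $max]. Anything else (missing,
// an array such as the one ?width[] produces, letters, out of range) gives
// $default, so later arithmetic or a numeric lookup never sees junk.
function int_param($value, $default, $min, $max) {
    if (!is_string($value) || !preg_match('/^[0-9]{1,9}$/', $value)) {
        return $default;
    }
    $n = (int) $value;
    return ($n < $min || $n > $max) ? $default : $n;
}

// --- Cross-site scripting: encode on output --------------------------------
// Comment text is untrusted; encode it every time it is put into HTML.
// ENT_QUOTES also encodes the double quote, so a comment beginning with
// "> cannot close the attribute it is echoed into.
function e($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// The shape of the problem: raw comment text dropped into an attribute
// and into element content.
function render_comment_vulnerable($text) {
    return '<input type="text" value="' . $text . '">'
         . '<p class="comment">' . $text . '</p>';
}

// Same markup, encoded on output.
function render_comment_safe($text) {
    return '<input type="text" value="' . e($text) . '">'
         . '<p class="comment">' . e($text) . '</p>';
}

// Constructed inputs standing in for the $_GET values in the report.
$queries = array(
    array('width' => '120', 'height' => '40', 'id' => '7'), // normal request
    array('width' => array(''), 'height' => '40'),          // ?width[]
    array('id' => 'a'),                                     // archive.php?id=a
);
foreach ($queries as $get) {
    $width  = int_param(isset($get['width'])  ? $get['width']  : null, 120, 50, 400);
    $height = int_param(isset($get['height']) ? $get['height'] : null, 40, 20, 200);
    $id     = int_param(isset($get['id'])     ? $get['id']     : null, 0, 0, 999999999);
    // $width * $height is now always int * int, so the CAPTCHA can size its
    // image; archive.php gets an int for its lookup and should still check
    // mysql_query()'s return value before calling mysql_free_result().
    printf("width=%d height=%d id=%d\n", $width, $height, $id);
}

// Constructed comment of the kind the post describes.
$comment = '"><script>alert(document.cookie)</script>';
echo render_comment_vulnerable($comment), "\n";
echo render_comment_safe($comment), "\n";
?>
```

Run it from the command line with `php example.php`: the three query rows all print integers (the `width[]` and `id=a` cases fall back to the defaults instead of raising a warning), and the two rendered comments show the script tag landing live in the first output and as `&quot;&gt;&lt;script&gt;` text in the second. The encoding must happen at output time with the same charset the page declares; validating the comment on the way in is not a substitute.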

  • 2 weeks later...

Vulnerability description

This page was found as a link but is inaccessible.

This vulnerability affects /archive.php.

The impact of this vulnerability

Problems navigating the site.

Attack details

No details are available.

How to fix this vulnerability

Remove the links to this file or make this available.

Vulnerability description

This alert was generated using only banner information. It may be a false positive.

A stack-based buffer overflow has been reported in the Apache mod_ssl module. This issue would most likely result in a denial of service if triggered, but could theoretically allow for execution of arbitrary code. The issue is not believed to be exploitable to execute arbitrary code on x86 architectures, though this may not be the case with other architectures.

Affected mod_ssl versions (up to 2.8.17).

This vulnerability affects mod_ssl.

The impact of this vulnerability

Denial of service and/or possible arbitrary code execution.

Attack details

Current version is mod_ssl/2.2.8 OpenSSL/0.9.8g DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/4.4.8

How to fix this vulnerability

Upgrade mod_ssl to the latest version.

Vulnerability description

This alert was generated using only banner information. It may be a false positive.

A format string vulnerability has been found in mod_ssl versions older than 2.8.19. Successful exploitation of this issue will most likely allow an attacker to execute arbitrary code on the affected computer.

Affected mod_ssl versions (up to 2.8.18).

This vulnerability affects mod_ssl.

The impact of this vulnerability

Denial of service and/or possible arbitrary code execution.

Attack details

Current version is mod_ssl/2.2.8 OpenSSL/0.9.8g DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/4.4.8

How to fix this vulnerability

Upgrade mod_ssl to the latest version.

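Both mod_ssl alerts in the scan output above state that they were raised from banner information alone, meaning the `Server` header Apache sends with every response. The fragment below is an added configuration example, not the site's own httpd.conf or php.ini, showing the setting that produces the full module list beside the one that stops advertising it. Trimming the banner only removes what a banner-only check keys on; it does not replace applying vendor updates to httpd, mod_ssl, OpenSSL and PHP.

```apache
# Added example, not the site's own configuration.

# Weak: the httpd default reports every loaded module and its version,
# which is where the "mod_ssl/2.2.8 OpenSSL/0.9.8g ... PHP/4.4.8" string in
# the scan report came from, and appends the same line to error pages.
#   ServerTokens Full
#   ServerSignature On

# Corrected: the Server header becomes just "Apache"; error pages and
# directory listings no longer carry the version line.
ServerTokens Prod
ServerSignature Off
```

The `PHP/4.4.8` part of the banner is added by mod_php when `expose_php` is on; setting `expose_php = Off` in php.ini removes it from the `Server` header and drops the `X-Powered-By` header as well. After restarting httpd, a request with `curl -sI` against the site should show `Server: Apache` and nothing more.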

Also, you have tons of the following exploit(s):

User credentials are sent in clear text:

How to fix this vulnerability

Because user credentials usually are considered sensitive information, it is recommended that they be sent to the server over an encrypted connection.

Password type input with autocomplete:

How to fix this vulnerability

The password autocomplete should be disabled in sensitive applications.

To disable autocomplete, you may use code similar to:

<INPUT TYPE="password" AUTOCOMPLETE="off">

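The two findings above (credentials posted over plain HTTP, and a password field the browser may autofill) are usually fixed together in the login script. The following is an added example, not JPMaster77's login system or the blog's own login page: it bounces any plain-HTTP request to HTTPS before a credential is read, marks the session cookie so it is only sent over HTTPS, and renders the form with autocomplete disabled. `SITE_HOST` and `https_redirect_target` are assumed names introduced here for illustration.

```php
<?php
// Added example, not JPMaster77's login system or the blog's own login.php.
// SITE_HOST is an assumed constant holding the blog's canonical hostname.
define('SITE_HOST', 'www.nothingaboutnothing.com');

// Decide whether a request must be bounced to HTTPS before any credential
// is read. Returns the https:// URL to redirect to, or null if the request
// already arrived encrypted. Apache sets HTTPS to "on"; IIS uses "off".
function https_redirect_target($server) {
    $secure = isset($server['HTTPS'])
           && $server['HTTPS'] !== ''
           && $server['HTTPS'] !== 'off';
    if ($secure) {
        return null;
    }
    $uri = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '/';
    // Pin the host to a known value rather than echoing the Host header,
    // so the redirect can never point at a host an attacker supplied.
    return 'https://' . SITE_HOST . $uri;
}

$target = https_redirect_target($_SERVER);
if ($target !== null) {
    // Nothing below runs for a plain-HTTP request, so a POSTed password
    // over HTTP is rejected rather than read and then redirected.
    header('Location: ' . $target);
    exit;
}

// The session cookie issued after login must not travel over plain HTTP
// either, or the cleartext problem moves from the password to the session.
// cookie_httponly needs PHP 5.2+; older versions ignore the setting.
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
session_start();
?>
<form method="post" action="login.php" autocomplete="off">
  <label>Username <input type="text" name="username" autocomplete="off"></label>
  <label>Password <input type="password" name="password" autocomplete="off"></label>
  <input type="submit" value="Log in">
</form>
```

The redirect only helps if the host actually serves the site on 443 with a valid certificate, and every link and form action on the site should point at the https:// URL so the first request never goes out in clear. Treat `autocomplete="off"` as minor hardening rather than a control: current browsers ignore it on password fields in favour of their own password managers.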