ababmxking Posted July 8, 2008 Share Posted July 8, 2008 Me and my friend are building a text based drag racing game. We are still building it but I would like some beta testing on the stuff we have up now. We had some problems with hacking (hacking users but not the cpanel.) but i think we got that worked out. Theres already quite a bit of features that are up right now but theres still 15 or so more that are going to be added. We are also working on a paypal donation. Once you pay you get credits to get extra stuff. That should be up within a couple days. If you don't understand the game please say so and i will explain it, since we dont have any kind of instructions on how to play the game since its still in beta mode we dont want to have to keep going back and changing it. Thanks, Carl Link to comment https://forums.phpfreaks.com/topic/113819-text-based-game-if-hacked-non-destructive-please/ Share on other sites More sharing options...
darkfreaks Posted July 8, 2008 Share Posted July 8, 2008 Please provide a link so we can test for exploits thanks Link to comment https://forums.phpfreaks.com/topic/113819-text-based-game-if-hacked-non-destructive-please/#findComment-584875 Share on other sites More sharing options...
ababmxking Posted July 8, 2008 Author Share Posted July 8, 2008 o ya. guess you would need that huh. Click Here Link to comment https://forums.phpfreaks.com/topic/113819-text-based-game-if-hacked-non-destructive-please/#findComment-584877 Share on other sites More sharing options...
darkfreaks Posted July 8, 2008 Share Posted July 8, 2008 No Cross Site Scripting Exploits make sure you clean your variables with mysql_real_escape_string(),trim(),strip_tags() to prevent MYSQL Injection Exlpoits Link to comment https://forums.phpfreaks.com/topic/113819-text-based-game-if-hacked-non-destructive-please/#findComment-584880 Share on other sites More sharing options...
ababmxking Posted July 8, 2008 Author Share Posted July 8, 2008 all of my variables or just the ones that have to deal with $_POST or $_GET? I use strip_tags and mysql_real_escape_string on the $_POST for the login, i need to do the same for register. On all the others i have atleast strip_tags Link to comment https://forums.phpfreaks.com/topic/113819-text-based-game-if-hacked-non-destructive-please/#findComment-584888 Share on other sites More sharing options...
darkfreaks Posted July 8, 2008 Share Posted July 8, 2008 both i guess. the scanner would have told me if it found anything anyhow yeah make sure you have those and your all set Link to comment https://forums.phpfreaks.com/topic/113819-text-based-game-if-hacked-non-destructive-please/#findComment-584889 Share on other sites More sharing options...
ababmxking Posted July 8, 2008 Author Share Posted July 8, 2008 ok thanks! Now i just need to find somebody to go through the whole site and find the little bugs with the script. Link to comment https://forums.phpfreaks.com/topic/113819-text-based-game-if-hacked-non-destructive-please/#findComment-584890 Share on other sites More sharing options...
darkfreaks Posted July 8, 2008 Share Posted July 8, 2008 also make sure to put strip_tags on register haha i just signed up using php syntax. and also verify the email with preg_match. you can google for tutorials on email verification Link to comment https://forums.phpfreaks.com/topic/113819-text-based-game-if-hacked-non-destructive-please/#findComment-584891 Share on other sites More sharing options...
ababmxking Posted July 8, 2008 Author Share Posted July 8, 2008 Using preg_match do i have to make something to see if it as a @ and . in it? Im guessing it doesnt already do that. also i know how to make a email verification by sending a verification number through e-mail. Link to comment https://forums.phpfreaks.com/topic/113819-text-based-game-if-hacked-non-destructive-please/#findComment-584893 Share on other sites More sharing options...
darkfreaks Posted July 8, 2008 Share Posted July 8, 2008 nah im talking about to check if it has an @ Link to comment https://forums.phpfreaks.com/topic/113819-text-based-game-if-hacked-non-destructive-please/#findComment-584895 Share on other sites More sharing options...
ababmxking Posted July 8, 2008 Author Share Posted July 8, 2008 aww ill have to search up on some then. But my register had strip_tags and mysql_real_escape_string in it, so it would still let you register but you probally wouldnt know your username if you didnt know php very well. and i added trim to it as well. Link to comment https://forums.phpfreaks.com/topic/113819-text-based-game-if-hacked-non-destructive-please/#findComment-584896 Share on other sites More sharing options...
Coreye Posted July 9, 2008 Share Posted July 9, 2008 Full Path Disclosure: http://www.racing-generation.com/other/rankbar.php Warning: main(other/db_connect.php) [function.main]: failed to open stream: No such file or directory in /home/racingg/public_html/other/rankbar.php on line 3 Warning: main(other/db_connect.php) [function.main]: failed to open stream: No such file or directory in /home/racingg/public_html/other/rankbar.php on line 3 Warning: main() [function.include]: Failed opening 'other/db_connect.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/racingg/public_html/other/rankbar.php on line 3 Warning: mysql_query() [function.mysql-query]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/racingg/public_html/other/rankbar.php on line 6 Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/racingg/public_html/other/rankbar.php on line 6 Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/racingg/public_html/other/rankbar.php on line 7 Warning: mysql_query() [function.mysql-query]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/racingg/public_html/other/rankbar.php on line 9 Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/racingg/public_html/other/rankbar.php on line 9 Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/racingg/public_html/other/rankbar.php on line 10 Fatal error: Call to undefined function: makecomma() in /home/racingg/public_html/other/rankbar.php on line 18 Full Path Disclosure: http://www.racing-generation.com/other/require.php Warning: main(other/db_connect.php) [function.main]: failed to open stream: No such file or directory in /home/racingg/public_html/other/require.php on line 3 Warning: main(other/db_connect.php) [function.main]: failed to open stream: No such file or directory in /home/racingg/public_html/other/require.php on line 3 Warning: main() [function.include]: Failed opening 'other/db_connect.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/racingg/public_html/other/require.php on line 3 Warning: main(other/logincheck.php) [function.main]: failed to open stream: No such file or directory in /home/racingg/public_html/other/require.php on line 4 Warning: main(other/logincheck.php) [function.main]: failed to open stream: No such file or directory in /home/racingg/public_html/other/require.php on line 4 Warning: main() [function.include]: Failed opening 'other/logincheck.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/racingg/public_html/other/require.php on line 4 Warning: mysql_query() [function.mysql-query]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/racingg/public_html/other/require.php on line 12 Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/racingg/public_html/other/require.php on line 12 Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/racingg/public_html/other/require.php on line 13 Warning: mysql_query() [function.mysql-query]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/racingg/public_html/other/require.php on line 16 Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/racingg/public_html/other/require.php on line 16 Warning: mysql_query() [function.mysql-query]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/racingg/public_html/other/require.php on line 17 Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/racingg/public_html/other/require.php on line 17 Warning: mysql_query() [function.mysql-query]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/racingg/public_html/other/require.php on line 37 Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/racingg/public_html/other/require.php on line 37 Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/racingg/public_html/other/require.php on line 38 Warning: mysql_query() [function.mysql-query]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/racingg/public_html/other/require.php on line 41 Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/racingg/public_html/other/require.php on line 41 Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/racingg/public_html/other/require.php on line 42 Warning: mysql_query() [function.mysql-query]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/racingg/public_html/other/require.php on line 95 Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/racingg/public_html/other/require.php on line 95 Warning: mysql_query() [function.mysql-query]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/racingg/public_html/other/require.php on line 110 Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/racingg/public_html/other/require.php on line 110 Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/racingg/public_html/other/require.php on line 111 Warning: mysql_query() [function.mysql-query]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/racingg/public_html/other/require.php on line 218 Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/racingg/public_html/other/require.php on line 218 Warning: mysql_query() [function.mysql-query]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/racingg/public_html/other/require.php on line 267 Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/racingg/public_html/other/require.php on line 267 Full Path Disclosure: http://www.racing-generation.com/other/require1.php Warning: main(other/db_connect.php) [function.main]: failed to open stream: No such file or directory in /home/racingg/public_html/other/require1.php on line 3 Warning: main(other/db_connect.php) [function.main]: failed to open stream: No such file or directory in /home/racingg/public_html/other/require1.php on line 3 Warning: main() [function.include]: Failed opening 'other/db_connect.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/racingg/public_html/other/require1.php on line 3 Warning: main(other/logincheck.php) [function.main]: failed to open stream: No such file or directory in /home/racingg/public_html/other/require1.php on line 4 Warning: main(other/logincheck.php) [function.main]: failed to open stream: No such file or directory in /home/racingg/public_html/other/require1.php on line 4 Warning: main() [function.include]: Failed opening 'other/logincheck.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/racingg/public_html/other/require1.php on line 4 Warning: mysql_query() [function.mysql-query]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/racingg/public_html/other/require1.php on line 14 Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/racingg/public_html/other/require1.php on line 14 Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/racingg/public_html/other/require1.php on line 15 Warning: mysql_query() [function.mysql-query]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/racingg/public_html/other/require1.php on line 18 Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/racingg/public_html/other/require1.php on line 18 Warning: mysql_query() [function.mysql-query]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/racingg/public_html/other/require1.php on line 19 Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/racingg/public_html/other/require1.php on line 19 Warning: mysql_query() [function.mysql-query]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/racingg/public_html/other/require1.php on line 34 Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/racingg/public_html/other/require1.php on line 34 Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/racingg/public_html/other/require1.php on line 35 Warning: mysql_query() [function.mysql-query]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/racingg/public_html/other/require1.php on line 38 Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/racingg/public_html/other/require1.php on line 38 Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/racingg/public_html/other/require1.php on line 39 Warning: mysql_query() [function.mysql-query]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/racingg/public_html/other/require1.php on line 90 Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/racingg/public_html/other/require1.php on line 90 Warning: mysql_query() [function.mysql-query]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/racingg/public_html/other/require1.php on line 105 Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/racingg/public_html/other/require1.php on line 105 Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/racingg/public_html/other/require1.php on line 106 Warning: mysql_query() [function.mysql-query]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/racingg/public_html/other/require1.php on line 213 Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/racingg/public_html/other/require1.php on line 213 Warning: mysql_query() [function.mysql-query]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/racingg/public_html/other/require1.php on line 262 Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/racingg/public_html/other/require1.php on line 262 Link to comment https://forums.phpfreaks.com/topic/113819-text-based-game-if-hacked-non-destructive-please/#findComment-584976 Share on other sites More sharing options...
darkfreaks Posted July 9, 2008 Share Posted July 9, 2008 Vulnerability description Password type input named vpass from unnamed form with action newreg.php has autocomplete enabled. An attacker with local access could obtain the cleartext password from the browser cache. This vulnerability affects /newreg.php (POST user=&pass=&vpass=&email=&vmail=&referral_id=&submit=Register). The impact of this vulnerability Possible sensitive information disclosure Attack details No details are available. View HTTP headers Request POST /newreg.php HTTP/1.0 Accept: */* Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) Host: www.racing-generation.com Content-Length: 61 Cookie: PHPSESSID=ce7020e8df0eb05654337b6a99c2c3b0 Connection: Close Pragma: no-cache Referer: http://www.racing-generation.com:80/newreg.php Acunetix-Product: WVS/5.0 (Acunetix Web Vulnerability Scanner - EVALUATION) Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htmResponse HTTP/1.1 200 OK Date: Wed, 09 Jul 2008 03:31:16 GMT Server: Apache/1.3.41 (Unix) PHP/4.4.7 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.8b X-Powered-By: PHP/4.4.7 Connection: close Content-Type: text/html View HTML response Launch the attack with HTTP Editor How to fix this vulnerability The password autocomplete should be disabled in sensitive applications. To disable autocomplete, you may use a code similar to: <INPUT TYPE="password" AUTOCOMPLETE="off"> Vulnerability description Password type input named pass from unnamed form with action index.php has autocomplete enabled. An attacker with local access could obtain the cleartext password from the browser cache. This vulnerability affects /index.php. The impact of this vulnerability Possible sensitive information disclosure Attack details No details are available. View HTTP headers Request GET /index.php HTTP/1.0 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) Host: www.racing-generation.com Cookie: PHPSESSID=ce7020e8df0eb05654337b6a99c2c3b0 Connection: Close Pragma: no-cache Referer: http://www.racing-generation.com:80/newreg.php Acunetix-Product: WVS/5.0 (Acunetix Web Vulnerability Scanner - EVALUATION) Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htmResponse HTTP/1.1 200 OK Date: Wed, 09 Jul 2008 03:31:16 GMT Server: Apache/1.3.41 (Unix) PHP/4.4.7 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.8b X-Powered-By: PHP/4.4.7 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html View HTML response Launch the attack with HTTP Editor How to fix this vulnerability The password autocomplete should be disabled in sensitive applications. To disable autocomplete, you may use a code similar to: <INPUT TYPE="password" AUTOCOMPLETE="off"> Vulnerability description Password type input named pass from unnamed form with action newreg.php has autocomplete enabled. An attacker with local access could obtain the cleartext password from the browser cache. This vulnerability affects /newreg.php. The impact of this vulnerability Possible sensitive information disclosure Attack details No details are available. View HTTP headers Request GET /newreg.php HTTP/1.0 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) Host: www.racing-generation.com Cookie: PHPSESSID=ce7020e8df0eb05654337b6a99c2c3b0 Connection: Close Pragma: no-cache Referer: http://www.racing-generation.com:80/ Acunetix-Product: WVS/5.0 (Acunetix Web Vulnerability Scanner - EVALUATION) Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htmResponse HTTP/1.1 200 OK Date: Wed, 09 Jul 2008 03:31:15 GMT Server: Apache/1.3.41 (Unix) PHP/4.4.7 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.8b X-Powered-By: PHP/4.4.7 Connection: close Content-Type: text/html View HTML response Launch the attack with HTTP Editor How to fix this vulnerability The password autocomplete should be disabled in sensitive applications. To disable autocomplete, you may use a code similar to: <INPUT TYPE="password" AUTOCOMPLETE="off"> Password type input with autocomplete enabled Vulnerability description Password type input named vpass from unnamed form with action newreg.php has autocomplete enabled. An attacker with local access could obtain the cleartext password from the browser cache. This vulnerability affects /newreg.php. The impact of this vulnerability Possible sensitive information disclosure Attack details No details are available. View HTTP headers Request GET /newreg.php HTTP/1.0 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) Host: www.racing-generation.com Cookie: PHPSESSID=ce7020e8df0eb05654337b6a99c2c3b0 Connection: Close Pragma: no-cache Referer: http://www.racing-generation.com:80/ Acunetix-Product: WVS/5.0 (Acunetix Web Vulnerability Scanner - EVALUATION) Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htmResponse HTTP/1.1 200 OK Date: Wed, 09 Jul 2008 03:31:15 GMT Server: Apache/1.3.41 (Unix) PHP/4.4.7 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.8b X-Powered-By: PHP/4.4.7 Connection: close Content-Type: text/html View HTML response Launch the attack with HTTP Editor How to fix this vulnerability The password autocomplete should be disabled in sensitive applications. To disable autocomplete, you may use a code similar to: <INPUT TYPE="password" AUTOCOMPLETE="off"> Vulnerability description Password type input named pass from unnamed form with action POST username=&pass=&submit=Submit has autocomplete enabled. An attacker with local access could obtain the cleartext password from the browser cache. This vulnerability affects / (POST username=&pass=&submit=Submit). The impact of this vulnerability Possible sensitive information disclosure Attack details No details are available. View HTTP headers Request POST // HTTP/1.0 Accept: */* Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) Host: www.racing-generation.com Content-Length: 29 Cookie: PHPSESSID=ce7020e8df0eb05654337b6a99c2c3b0 Connection: Close Pragma: no-cache Referer: http://www.racing-generation.com:80/ Acunetix-Product: WVS/5.0 (Acunetix Web Vulnerability Scanner - EVALUATION) Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htmResponse HTTP/1.1 200 OK Date: Wed, 09 Jul 2008 03:31:15 GMT Server: Apache/1.3.41 (Unix) PHP/4.4.7 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.8b X-Powered-By: PHP/4.4.7 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html View HTML response Launch the attack with HTTP Editor How to fix this vulnerability The password autocomplete should be disabled in sensitive applications. To disable autocomplete, you may use a code similar to: <INPUT TYPE="password" AUTOCOMPLETE="off"> Vulnerability description It seemes that user credentials are sent to / in clear text. This vulnerability affects /. The impact of this vulnerability A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection. Attack details No details are available. View HTTP headers Request GET / HTTP/1.0 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) Host: www.racing-generation.com Connection: Close Pragma: no-cache Acunetix-Product: WVS/5.0 (Acunetix Web Vulnerability Scanner - EVALUATION) Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htmResponse HTTP/1.1 200 OK Date: Wed, 09 Jul 2008 03:31:14 GMT Server: Apache/1.3.41 (Unix) PHP/4.4.7 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.8b X-Powered-By: PHP/4.4.7 Set-Cookie: PHPSESSID=ce7020e8df0eb05654337b6a99c2c3b0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html View HTML response Launch the attack with HTTP Editor How to fix this vulnerability Because user credentials usually are considered sensitive information, it is recommended to be sent to the server over an encrypted connection. User credentials are sent in clear text Vulnerability description It seemes that user credentials are sent to / in clear text. This vulnerability affects / (POST username=&pass=&submit=Submit). The impact of this vulnerability A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection. Attack details No details are available. View HTTP headers Request POST // HTTP/1.0 Accept: */* Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) Host: www.racing-generation.com Content-Length: 29 Cookie: PHPSESSID=ce7020e8df0eb05654337b6a99c2c3b0 Connection: Close Pragma: no-cache Referer: http://www.racing-generation.com:80/ Acunetix-Product: WVS/5.0 (Acunetix Web Vulnerability Scanner - EVALUATION) Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htmResponse HTTP/1.1 200 OK Date: Wed, 09 Jul 2008 03:31:15 GMT Server: Apache/1.3.41 (Unix) PHP/4.4.7 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.8b X-Powered-By: PHP/4.4.7 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html View HTML response Launch the attack with HTTP Editor How to fix this vulnerability Because user credentials usually are considered sensitive information, it is recommended to be sent to the server over an encrypted connection. User credentials are sent in clear text Vulnerability description It seemes that user credentials are sent to /newreg.php in clear text. This vulnerability affects /newreg.php. The impact of this vulnerability A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection. Attack details No details are available. View HTTP headers Request GET /newreg.php HTTP/1.0 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) Host: www.racing-generation.com Cookie: PHPSESSID=ce7020e8df0eb05654337b6a99c2c3b0 Connection: Close Pragma: no-cache Referer: http://www.racing-generation.com:80/ Acunetix-Product: WVS/5.0 (Acunetix Web Vulnerability Scanner - EVALUATION) Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htmResponse HTTP/1.1 200 OK Date: Wed, 09 Jul 2008 03:31:15 GMT Server: Apache/1.3.41 (Unix) PHP/4.4.7 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.8b X-Powered-By: PHP/4.4.7 Connection: close Content-Type: text/html View HTML response Launch the attack with HTTP Editor How to fix this vulnerability Because user credentials usually are considered sensitive information, it is recommended to be sent to the server over an encrypted connection. User credentials are sent in clear text Vulnerability description It seemes that user credentials are sent to /newreg.php in clear text. This vulnerability affects /newreg.php (POST user=&pass=&vpass=&email=&vmail=&referral_id=&submit=Register). The impact of this vulnerability A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection. Attack details No details are available. View HTTP headers Request POST /newreg.php HTTP/1.0 Accept: */* Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) Host: www.racing-generation.com Content-Length: 61 Cookie: PHPSESSID=ce7020e8df0eb05654337b6a99c2c3b0 Connection: Close Pragma: no-cache Referer: http://www.racing-generation.com:80/newreg.php Acunetix-Product: WVS/5.0 (Acunetix Web Vulnerability Scanner - EVALUATION) Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htmResponse HTTP/1.1 200 OK Date: Wed, 09 Jul 2008 03:31:16 GMT Server: Apache/1.3.41 (Unix) PHP/4.4.7 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.8b X-Powered-By: PHP/4.4.7 Connection: close Content-Type: text/html View HTML response Launch the attack with HTTP Editor How to fix this vulnerability Because user credentials usually are considered sensitive information, it is recommended to be sent to the server over an encrypted connection. User credentials are sent in clear text Vulnerability description It seemes that user credentials are sent to /index.php in clear text. This vulnerability affects /index.php. The impact of this vulnerability A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection. Attack details No details are available. View HTTP headers Request GET /index.php HTTP/1.0 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) Host: www.racing-generation.com Cookie: PHPSESSID=ce7020e8df0eb05654337b6a99c2c3b0 Connection: Close Pragma: no-cache Referer: http://www.racing-generation.com:80/newreg.php Acunetix-Product: WVS/5.0 (Acunetix Web Vulnerability Scanner - EVALUATION) Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htmResponse HTTP/1.1 200 OK Date: Wed, 09 Jul 2008 03:31:16 GMT Server: Apache/1.3.41 (Unix) PHP/4.4.7 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.8b X-Powered-By: PHP/4.4.7 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html View HTML response Launch the attack with HTTP Editor How to fix this vulnerability Because user credentials usually are considered sensitive information, it is recommended to be sent to the server over an encrypted connection. Vulnerability description This page was found as link but is inaccessible. This vulnerability affects /lost.php. The impact of this vulnerability Problems navigating the site. Attack details No details are available. View HTTP headers Request GET /lost.php HTTP/1.0 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) Host: www.racing-generation.com Cookie: PHPSESSID=ce7020e8df0eb05654337b6a99c2c3b0 Connection: Close Pragma: no-cache Referer: http://www.racing-generation.com:80/ Acunetix-Product: WVS/5.0 (Acunetix Web Vulnerability Scanner - EVALUATION) Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htmResponse HTTP/1.1 404 Not Found Date: Wed, 09 Jul 2008 03:31:15 GMT Server: Apache/1.3.41 (Unix) PHP/4.4.7 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.8b Connection: close Content-Type: text/html X-Pad: avoid browser bug View HTML response Launch the attack with HTTP Editor How to fix this vulnerability Remove the links to this file or make this available. Broken links Vulnerability description This page was found as link but is inaccessible. This vulnerability affects /tos.php. The impact of this vulnerability Problems navigating the site. Attack details No details are available. View HTTP headers Request GET /tos.php HTTP/1.0 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) Host: www.racing-generation.com Cookie: PHPSESSID=ce7020e8df0eb05654337b6a99c2c3b0 Connection: Close Pragma: no-cache Referer: http://www.racing-generation.com:80/newreg.php Acunetix-Product: WVS/5.0 (Acunetix Web Vulnerability Scanner - EVALUATION) Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htmResponse HTTP/1.1 404 Not Found Date: Wed, 09 Jul 2008 03:31:16 GMT Server: Apache/1.3.41 (Unix) PHP/4.4.7 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.8b Connection: close Content-Type: text/html X-Pad: avoid browser bug View HTML response Launch the attack with HTTP Editor How to fix this vulnerability Remove the links to this file or make this available. Broken links Vulnerability description This page was found as link but is inaccessible. This vulnerability affects /other/other/style.css. The impact of this vulnerability Problems navigating the site. Attack details No details are available. View HTTP headers Request GET /other/other/style.css HTTP/1.0 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) Host: www.racing-generation.com Cookie: PHPSESSID=ce7020e8df0eb05654337b6a99c2c3b0 Connection: Close Pragma: no-cache Referer: http://www.racing-generation.com:80/other/require.php Acunetix-Product: WVS/5.0 (Acunetix Web Vulnerability Scanner - EVALUATION) Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htmResponse HTTP/1.1 404 Not Found Date: Wed, 09 Jul 2008 03:31:23 GMT Server: Apache/1.3.41 (Unix) PHP/4.4.7 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.8b Connection: close Content-Type: text/html X-Pad: avoid browser bug View HTML response Launch the attack with HTTP Editor How to fix this vulnerability Remove the links to this file or make this available. Broken links Vulnerability description This page was found as link but is inaccessible. This vulnerability affects /other/function.include. The impact of this vulnerability Problems navigating the site. Attack details No details are available. View HTTP headers Request GET /other/function.include HTTP/1.0 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) Host: www.racing-generation.com Cookie: PHPSESSID=ce7020e8df0eb05654337b6a99c2c3b0 Connection: Close Pragma: no-cache Referer: http://www.racing-generation.com:80/other/rankbar.php Acunetix-Product: WVS/5.0 (Acunetix Web Vulnerability Scanner - EVALUATION) Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htmResponse HTTP/1.1 404 Not Found Date: Wed, 09 Jul 2008 03:31:23 GMT Server: Apache/1.3.41 (Unix) PHP/4.4.7 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.8b Connection: close Content-Type: text/html X-Pad: avoid browser bug View HTML response Launch the attack with HTTP Editor How to fix this vulnerability Remove the links to this file or make this available. Broken links Vulnerability description This page was found as link but is inaccessible. This vulnerability affects /other/function.main. The impact of this vulnerability Problems navigating the site. Attack details No details are available. View HTTP headers Request GET /other/function.main HTTP/1.0 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) Host: www.racing-generation.com Cookie: PHPSESSID=ce7020e8df0eb05654337b6a99c2c3b0 Connection: Close Pragma: no-cache Referer: http://www.racing-generation.com:80/other/rankbar.php Acunetix-Product: WVS/5.0 (Acunetix Web Vulnerability Scanner - EVALUATION) Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htmResponse HTTP/1.1 404 Not Found Date: Wed, 09 Jul 2008 03:31:23 GMT Server: Apache/1.3.41 (Unix) PHP/4.4.7 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.8b Connection: close Content-Type: text/html X-Pad: avoid browser bug View HTML response Launch the attack with HTTP Editor How to fix this vulnerability Remove the links to this file or make this available. Broken links Vulnerability description This page was found as link but is inaccessible. This vulnerability affects /other/function.mysql-query. The impact of this vulnerability Problems navigating the site. Attack details No details are available. View HTTP headers Request GET /other/function.mysql-query HTTP/1.0 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) Host: www.racing-generation.com Cookie: PHPSESSID=ce7020e8df0eb05654337b6a99c2c3b0 Connection: Close Pragma: no-cache Referer: http://www.racing-generation.com:80/other/rankbar.php Acunetix-Product: WVS/5.0 (Acunetix Web Vulnerability Scanner - EVALUATION) Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htmResponse HTTP/1.1 404 Not Found Date: Wed, 09 Jul 2008 03:31:23 GMT Server: Apache/1.3.41 (Unix) PHP/4.4.7 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.8b Connection: close Content-Type: text/html X-Pad: avoid browser bug View HTML response Launch the attack with HTTP Editor How to fix this vulnerability Remove the links to this file or make this available. Broken links Vulnerability description This page was found as link but is inaccessible. This vulnerability affects /other/other/newstyle.css. The impact of this vulnerability Problems navigating the site. Attack details No details are available. View HTTP headers Request GET /other/other/newstyle.css HTTP/1.0 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) Host: www.racing-generation.com Cookie: PHPSESSID=ce7020e8df0eb05654337b6a99c2c3b0 Connection: Close Pragma: no-cache Referer: http://www.racing-generation.com:80/other/require.php Acunetix-Product: WVS/5.0 (Acunetix Web Vulnerability Scanner - EVALUATION) Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htmResponse HTTP/1.1 404 Not Found Date: Wed, 09 Jul 2008 03:31:23 GMT Server: Apache/1.3.41 (Unix) PHP/4.4.7 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.8b Connection: close Content-Type: text/html X-Pad: avoid browser bug View HTML response Launch the attack with HTTP Editor How to fix this vulnerability Remove the links to this file or make this available. Link to comment https://forums.phpfreaks.com/topic/113819-text-based-game-if-hacked-non-destructive-please/#findComment-585031 Share on other sites More sharing options...
Recommended Posts