
Heyho, I've been a bit quiet lately because I've been doing this bane of my life, but it's getting there. Basically it was a simple plan, but the devil's in the detail, y'know!

 

Anyway, I'd appreciate it if everyone could give it a good going over, try anything you want on the site (not the master account, that's hosted). Some concerns and partially finished areas are:

- quoted strings

- img uploads

- chat server hacking

- ways around the membership & subscription

 

There's loads which is unfinished, e.g. text and graphics, so don't expect emails to read well yet. Poll has no images, captcha fonts can be confusing (u,v), quotes are still everywhere, no stickies posted in forums and the dating section needs loads of additional work and re-styling, internal messaging might be sketchy and hackable? Any constructive criticism is welcomed.

 

So you won't be prompted for payment details at subscription, use the following code with the 6 month option; it'll give you 6 months for free:

FREE_FREAK_6

 

 

I've loads of streamlining to do, e.g. caching and sorting some SQL etc., but I'll be releasing the source for the main part soon. You can find the old versions somewhere here, known as 'cms.monkies', but it's old and bad...

 

Anyway, cheers for now!

Have fun!

 

Rob

https://forums.phpfreaks.com/topic/114400-free-subscription-for-your-feedback/

Password type input with autocomplete enabled

Impact of Exploit:

 

Possible Information Disclosure

How to fix:

 

The password autocomplete should be disabled in sensitive applications.

To disable autocomplete, you may use code similar to:

<INPUT TYPE="password" AUTOCOMPLETE="off">

Vulnerability description

HTTP TRACE method is enabled on this web server. In the presence of other cross-domain vulnerabilities in web browsers, sensitive header information could be read from any domains that support the HTTP TRACE method.

 

 

The impact of this vulnerability

Attackers may abuse HTTP TRACE functionality to gain access to information in HTTP headers such as cookies and authentication data.

How to fix this vulnerability

Disable TRACE Method on the web server.

 

 

Vulnerability description

HTTP TRACK method is enabled on this web server. In the presence of other cross-domain vulnerabilities in web browsers, sensitive header information could be read from any domains that support the HTTP TRACK method. Additionally, IIS 5 does not log requests made with the TRACK method.

This vulnerability affects Web Server.

The impact of this vulnerability

Attackers may abuse HTTP TRACK functionality to gain access to information in HTTP headers such as cookies and authentication data.

How to fix this vulnerability

Disable TRACK Method on the web server.

 

Also, your mod_ssl is out of date; please upgrade to a version higher than 2.8.18 ;)

 

 

Wasn't me, my scanner only scans for shit remotely without affecting the server :P

 

 

Vulnerability description

A possible backup file has been found on your webserver. These files are usually created by developers to backup their work.

 

The impact of this vulnerability

Backup files can contain script sources, configuration files or other sensitive information that may help a malicious user to prepare more advanced attacks.

 

How to fix this vulnerability

Remove the file(s) if they are not required on your website. As an additional step, it is recommended to implement a security policy within your organization to disallow creation of backup files in directories accessible from the web.

 

 

Vulnerability description

A possible sensitive file has been found. This file is not directly linked from the website. This check looks for known sensitive files like: password files, configuration files, log files, include files, statistics data, database dumps. Each of those files may help an attacker to learn more about his target.

The impact of this vulnerability

This file may expose sensitive information that may help a malicious user to prepare more advanced attacks.

 

How to fix this vulnerability

Restrict access to this file or remove it from the website.

Affected Files:

pass.txt/password.txt/users.ini/users.txt/passwd.txt/admin.pw/admin.conf/dirs.txt/admin.txt/admin.html/admin.cfg/

 

Vulnerability description

This script is vulnerable to PHPSESSID session fixation attacks.

 

By injecting a custom PHPSESSID it is possible to alter the PHP session cookie. Attackers will normally manipulate cookie values to fraudulently authenticate themselves on a web site.

This vulnerability affects /.

The impact of this vulnerability

By exploiting this vulnerability, an attacker may conduct a session fixation attack. In a session fixation attack, the attacker fixes the user's session ID before the user even logs into the target server, thereby eliminating the need to obtain the user's session ID afterwards.

How to fix this vulnerability

Set session.use_only_cookies = 1 in php.ini. This option enables administrators to make their users invulnerable to attacks which involve passing session IDs in URLs; it defaults to 0.

Directories with write permissions enabled

The impact of this vulnerability

Unauthenticated users can create files in this directory.

How to fix this vulnerability

Verify directory permissions and check if write access is required.

 

 

 

I was going to say none of these exist...

pass.txt/password.txt/users.ini/users.txt/passwd.txt/admin.pw/admin.conf/dirs.txt/admin.txt/admin.html/admin.cfg/

but it actually points out a vulnerability, admin.html: it doesn't exist but it serves up the f' page! WOW !!! Have done a quick fix but I'll have to design some more tests along that path...

 

 

 

I will re-check dirs...

 

 

 

I don't use PHPSESSID anywhere, I do it like this:

<?php
// Reuse the current session ID if one exists; otherwise start a fresh session.
try
{
	if ( !@ ( $sess['sess_id'] = session_id() ) )
		throw new Exception ("oh no!");
}
catch (Exception $e)
{
	// session_destroy() warns when no session is active, so guard it first.
	if ( session_status() === PHP_SESSION_ACTIVE )
		session_destroy();
	session_start();

	$sess['sess_id'] = session_id();
}

 

but W3C validation has thrown an error saying that I've used 'uid' in a GET statement, which will be sorted by 2m...

 

merci...

 

Hearts beating from that admin scare!  :o

another host issue...

 

but I might have a way to handle it, I do some extra checks later (I don't rely on session variables) so you could get logged in (but there is a small forgotten (but seen) hole...

$s = "SELECT * FROM ".$tn." where sess_hash = '".$sess['hash']."' && active = 1";

but thats up for review...

 

merci

Tips:

Session IDs in URL (and hijacking) - if you’re using session IDs in the URL (as opposed to a session cookie), make sure offsite links do not contain the session ID (or the remote site will be able to hijack) - PHP should take care of this. Also your visitors may give away the session ID in the referrer field - ideally pass off-site links through a redirect page, to eliminate the referrer (although, unfortunately, some browsers keep the last 3 pages viewed I believe - unsure of facts).

 

Ideally, don’t pass session ids in the URL - require users to accept a cookie if they need to “log in”.

Session Fixation (pre-hijacking) (see http://www.acros.si/papers/session_fixation.pdf).

 

If you assign a session to a visitor to your site, before they are logged in (for example for clickpath analysis), make sure that you assign them a new session id when they do login, so that if someone pre-generated the initial session id for them, they won’t get the new ID.

 

For PHP 4.2.0+, see session_regenerate_id() (in particular the user submitted comments). For PHP < 4.2.0, you'll have to destroy the session and re-create it when the user logs in, carrying any stored data between the two. The session_id() function may also be useful (haven’t explored it in this context myself).
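As an added example that is not Rob's code and not from the thread: a login path that applies the tips above (cookies only, a fresh session ID on login) and rewrites the concatenated sess_hash SELECT quoted earlier as a prepared statement. PHP 7.1+ with mysqli, a table $tn with uid, sess_hash and active columns, and a server-generated hash stored in the session are all assumptions.

```php
<?php
// Added example (assumes PHP 7.1+ and mysqli; table/column names are hypothetical).
// Ignore any PHPSESSID passed in a URL: the php.ini equivalent is
// session.use_only_cookies = 1, session.use_trans_sid = 0.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Cookie is HttpOnly; Secure when the request arrived over HTTPS.
session_set_cookie_params(0, '/', '', isset($_SERVER['HTTPS']), true);
session_start();

/**
 * Call only after the password check succeeds. Regenerating the ID means a
 * session ID an attacker fixed before login is never promoted to a logged-in
 * session; the old ID is deleted server-side.
 * $tn must come from code, never from the request, since it is interpolated.
 */
function promote_session(mysqli $db, string $tn, int $uid): string
{
    session_regenerate_id(true);
    $hash = bin2hex(random_bytes(32));    // 256-bit random hash, stored in DB
    $stmt = $db->prepare("UPDATE {$tn} SET sess_hash = ?, active = 1 WHERE uid = ?");
    $stmt->bind_param('si', $hash, $uid);
    $stmt->execute();
    $_SESSION['hash'] = $hash;
    return $hash;
}

/**
 * Replacement for the concatenated SELECT in the thread: the hash is bound as
 * a parameter, so whatever its value it cannot change the query's structure.
 * Returns the user row, or null when no active session matches.
 */
function lookup_active_user(mysqli $db, string $tn, string $hash): ?array
{
    $stmt = $db->prepare("SELECT * FROM {$tn} WHERE sess_hash = ? AND active = 1");
    $stmt->bind_param('s', $hash);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}
```

On the "uid=*" in URLs mentioned elsewhere in the thread, the same rule applies: bind it as a parameter and re-check it against the server-side session rather than trusting the query string.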

Vulnerability description

CVS (Concurrent Versions System) files have been found in this directory. The CVS directory is a special directory. CVS/Entries lists files and subdirectories registered into the server. CVS/Repository contains the path to the corresponding directory in the repository. CVS/Root contains the path to the repository.

 

The impact of this vulnerability

These files may expose sensitive information that may help a malicious user to prepare more advanced attacks.

How to fix this vulnerability

Remove the files from production systems.

 

 

No CVS here, was talking about needing to get around to setting up subversion yesterday...

 

No sess id in any URLs, but as before 'uid=*' is passed in some places, will be gone by 2m... (not actually sess, but is user, generally in non-sensitive areas and checked within (at least one will have got by me (lazy, lazy)))

Vulnerability description

One or more email addresses have been found on this page. The majority of spam comes from email addresses harvested off the internet. The spam-bots (also known as email harvesters and email extractors) are programs that scour the internet looking for email addresses on any website they come across. Spambot programs look for strings like myname@mydomain.com and then record any addresses found.

This vulnerability affects /site/help.

The impact of this vulnerability

Email addresses posted on Web sites may attract spam.

 

Attack details

We found

admin@lovemap.co.uk
