ShimmyShine Posted July 26, 2008

Okay I have been here once, and got a lot of comments that said they didn't like the template. I have redone the template, and added some new feature stuff.

What the site is for is, well, complicated and simple at the same time. My uncle and I have come up with the fact that people are always self-centered (meaning all about themselves) so we thought of a site to take advantage of this. What a person does is register an account, log in and upload pictures. Then they try to get as many people to hit their pictures as they possibly can, to be the winner of that month. We plan on awarding prizes to the winners of the months; they will start off small because we aren't the richest people in the world, but we plan on them getting bigger. So it is like that, repeated monthly.

We have had the idea to have "Penny Days" where we pick 1-2 days a month where for every hit a person gets, they get a penny. In order to get paid, you have to have the most hits out of everyone. We figure it will attract them, and keep them wanting more.

How do we plan on paying for it? Easy, sponsors. If the site is always getting hits, then companies should want their name there, getting seen every time a hit occurs.

Can I get people to beta test it and find any exploits etc? (Prizes won't be held out until September, for the reason that we don't have enough money for prizes yet :\ ). Also some critique wouldn't hurt, unless you're saying it to be a jerk, then it would be more appreciated if you hold back your comments. Lol

Thanks
Jeff/Shimmy

darkfreaks Posted July 26, 2008

link ???

ShimmyShine Posted July 26, 2008

Whoops lmfao.. Sorry

http://www.tagmypic.net

Shimmy/Jeff

darkfreaks Posted July 26, 2008

password input type with autocomplete enabled

Vulnerability description:
Password type input named pass from unnamed form with action ./process.php has autocomplete enabled. An attacker with local access could obtain the cleartext password from the browser cache. This vulnerability affects /.

The impact of this vulnerability:
Possible sensitive information disclosure

files affected: archives.php, contact.php, about.php, affiliates.php, index.php, mpinfo.php, news.php, records.php, register.php, search.php, uinfo.php

How to fix this vulnerability:
The password autocomplete should be disabled in sensitive applications. To disable autocomplete, you may use a code similar to:

```html
<INPUT TYPE="password" AUTOCOMPLETE="off">
```

Vulnerability description:
By this form input is possible to upload a file to the server. This vulnerability affects /mpinfo.php.

The impact of this vulnerability:
User may upload malicious files to server.

How to fix this vulnerability:
Check if the script inputs are properly validated.

darkfreaks Posted July 26, 2008

Vulnerability description:
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks. Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser. This vulnerability affects /captcha.php.

The impact of this vulnerability:
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

How to fix this vulnerability:
Your script should filter metacharacters from user input.

darkfreaks Posted July 26, 2008

Vulnerability description:
This script is vulnerable to PHPSESSID session fixation attacks. By injecting a custom PHPSESSID is possible to alter the PHP session cookie. Attackers will normally manipulate cookie values to fraudulently authenticate themselves on a web site. This vulnerability affects /.

The impact of this vulnerability:
By exploiting this vulnerability, an attacker may conduct a session fixation attack. In a session fixation attack, the attacker fixes the user's session ID before the user even logs into the target server, thereby eliminating the need to obtain the user's session ID afterwards.

How to fix this vulnerability:
Set session.use_only_cookies = 1 from php.ini. This option enables administrators to make their users invulnerable to attacks which involve passing session ids in URLs; defaults to 0.

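An added example, not part of the thread: the cookie-only setting from the scanner report applied at runtime, together with regenerating the session ID at login so that an ID fixed before authentication stops being valid. It assumes PHP 7.3 or later; `log_in()` and its `$storedHash` parameter are hypothetical names for the site's own login step.

```php
<?php
// Added example, not code from the thread or from tagmypic.
// log_in() and $storedHash are hypothetical; adapt them to the real login script.

// Accept session IDs from cookies only, never from the URL, and refuse
// IDs that the server did not issue itself.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');

// Keep the session cookie away from page scripts and cross-site requests.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

function log_in(string $user, string $pass, string $storedHash): bool
{
    // $storedHash is the password_hash() value stored for this user.
    if (!password_verify($pass, $storedHash)) {
        return false;
    }

    // Issue a fresh ID at the moment privileges change and delete the old
    // session data, so an ID planted before login no longer maps to anything.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;

    return true;
}
```
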
darkfreaks Posted July 26, 2008

Also you might wanna read on spam proofing your site email wise:

http://evolt.org/article/Spam_Proofing_Your_Website/20/41849/

ShimmyShine Posted July 26, 2008

Thank you darkfreaks! I have fixed the password issue, but I am not sure how to fix the following after? Any tips?

Thanks
Shimmy/Jeff

darkfreaks Posted July 26, 2008

to fix the XSS issue put strip_tags(), trim(), mysql_real_escape_string() to filter your variables on captcha.

if you read the article on spam proofing emails it will tell you how to protect against people spamming emails

darkfreaks Posted July 26, 2008

oh those functions won't completely stop xss, you need strip_tags as well

ShimmyShine Posted July 28, 2008

How would I go about stopping the upload of test.php.jpg files?

Shimmy/Jeff

darkfreaks Posted July 28, 2008

```php
<?php
$ext = array('image/png', 'image/jpg', 'image/jpeg', 'image/gif');

// in_array() needs the value to look for as well as the list
if (in_array($_FILES['uploadedfile']['type'], $ext)) {
    // upload
} else {
    // error
}
?>
```

ShimmyShine Posted July 28, 2008

Thanks!

Shimmy/Jeff

darkfreaks Posted July 28, 2008

basically you just check for extensions like .gif .jpg .jpeg etc. if it's in the array it will be uploaded, else it errors and doesn't upload. make sense ???

ShimmyShine Posted July 28, 2008

Well you see, I did exactly that and it still allows test.php.jpg to be uploaded. Why? I even did what you said.

Shimmy/Jeff

darkfreaks Posted July 28, 2008

instead of using else let's be more precise

```php
<?php
$ext        = array('image/png', 'image/jpg', 'image/jpeg', 'image/gif');
$notallowed = array('.exe', '.php', '.js', '.vb', '.asp');
$image_name = $_FILES['uploadedfile']['name'];

// written as a plain if so the snippet parses on its own
if (!in_array($_FILES['uploadedfile']['type'], $ext)) {
    // error
}

// error if the image name contains any of the not allowed extensions
foreach ($notallowed as $bad) {
    if (stripos($image_name, $bad) !== false) {
        // error
    }
}
?>
```

ShimmyShine Posted July 28, 2008

Still allowing it, here's my whole script:

```php
<?php
$target_path = "uimg/";
$basenamer = basename($_FILES['uploadedfile']['name']);
$target_path = $target_path . $basenamer;

// MIME type as reported in the upload request
$ext = $_FILES["uploadedfile"]["type"];
$validexts = array('image/png','image/jpg','image/jpeg','image/gif');

if(in_array($ext,$validexts)){
    if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
        $fname = $_FILES['uploadedfile']['name'];
        $q2 = "INSERT INTO ".TBL_PICS." (`oid`,`file`,`month`,`year`,`hits`,`approve`,`win`,`place`) VALUES ('$user', '$fname', '$month', '$year', '0', '1', '0', '0')";
        $result2 = $database->query($q2);
        if(!$result2) {
            echo $error;
        } else {
            echo $_txt79."\"".basename( $_FILES['uploadedfile']['name'])."\"".$_txt80;
        }
    } else {
        echo $error;
    }
}else if(!in_array($ext,$validexts)){
    echo $_txt84;
}
?>
```

Shimmy/Jeff

darkfreaks Posted July 28, 2008

did you try checking for not allowed image names that contain harmful file extensions in the image name?

ShimmyShine Posted July 28, 2008

No? I would go about doing that how? Sorry for the questions, never have come across this error before.

Thanks
Shimmy/Jeff

darkfreaks Posted July 28, 2008

you would have to array the not allowed imagename types, then check the image name, and if the image name contains any of those arrayed file types such as php js jsp asp vbscript vb to error

darkfreaks Posted July 28, 2008

in all reality it would be easier to do

```php
$basename = basename(strip_tags($_FILES['uploadedfile']['name']));
```

this would def do the trick

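An added example, not part of the thread, for the test.php.jpg question: `$_FILES[...]['type']` and the original filename both come from the browser, so this version detects the type from the file's bytes and stores the upload under a server-generated name with a server-chosen extension. It assumes PHP 7 or later with the fileinfo extension; `store_uploaded_image()` is a hypothetical name, while the `uploadedfile` field and `uimg` directory are taken from the script posted above.

```php
<?php
// Added example, not code from the thread. store_uploaded_image() is a hypothetical name.

function store_uploaded_image(array $file, string $destDir): string
{
    // MIME type detected from the content => extension we assign ourselves
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed.');
    }

    // Look at the bytes on disk, not at $file['type'] (sent by the browser).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !isset($allowed[$mime])) {
        throw new RuntimeException('Only PNG, JPEG and GIF images are accepted.');
    }

    // The file must also parse as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File is not a readable image.');
    }

    // Never reuse the client's filename: a name like test.php.jpg is
    // discarded and replaced by a random name with our own extension.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    if (!move_uploaded_file($file['tmp_name'], rtrim($destDir, '/') . '/' . $name)) {
        throw new RuntimeException('Could not store the file.');
    }

    return $name; // save this value in the database with a prepared statement
}

try {
    $stored = store_uploaded_image($_FILES['uploadedfile'] ?? [], __DIR__ . '/uimg');
    echo 'Saved as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
} catch (RuntimeException $e) {
    echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

The upload directory should also be configured so the web server serves its files statically and never passes them to the PHP handler.
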