owner Posted July 29, 2008

Hello, I have been working on my little CMS site for a while, and need to get this thing stable. Would anyone mind beta testing this, and also testing this for security?

http://www.unfriedchicken.com/backend

Admin Panel: http://www.unfriedchicken.com/backend/admin
Username: Admin
Password: admin123

Thanks a million and please post your ideas,
-Owner

P.S. The skin isn't totally done. It is just very dark as it is easy to work on at night lol
darkfreaks Posted July 29, 2008

Files listed in robots.txt but not linked

Vulnerability description: This file is listed in robots.txt but it's not linked anywhere in the site.

This vulnerability affects:
/cgi-bin
/cache
/ips_kernel
/modules
/sources
/uploads
/upgrade

The impact of this vulnerability: Possible sensitive information disclosure.

How to fix this vulnerability: In robots.txt you should include only files or directories linked on the site.
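The scanner finding above boils down to one comparison: which Disallow entries in robots.txt are never reached by any link on the site. The script below is an added example (not the scanner's logic and not code from the thread) that reproduces that check offline. The robots.txt text and the list of "linked" URLs are constructed for illustration, modelled on the directory names in the report; a real run would feed it the crawler's output instead.

```python
"""Added example (not from the thread): flag robots.txt Disallow entries that
nothing on the site links to, which is the finding the scanner reported.

Assumptions: ROBOTS_TXT and LINKED_URLS below are constructed for illustration;
the real site's robots.txt and crawl results are not on the page.
"""
from urllib.parse import urlparse

# Constructed robots.txt, modelled on the directories named in the scan report.
ROBOTS_TXT = """\
# sample robots.txt (constructed)
User-agent: *
Disallow: /cgi-bin/
Disallow: /cache/
Disallow: /ips_kernel/
Disallow: /modules/
Disallow: /sources/
Disallow: /uploads/
Disallow: /upgrade/
Disallow: /admin/   # trailing comment
Allow: /uploads/public/

User-agent: Googlebot
Disallow: /search
"""

# Constructed result of crawling the site's own links (hypothetical host).
LINKED_URLS = [
    "http://www.example.test/",
    "http://www.example.test/index.php",
    "http://www.example.test/modules/news/view.php?id=1",
    "http://www.example.test/uploads/public/logo.png",
    "http://www.example.test/admin/",
]


def parse_disallow(robots_txt):
    """Return the Disallow paths from every User-agent group, de-duplicated.

    Handles trailing '#' comments, blank lines and case-insensitive field
    names. An empty 'Disallow:' means 'nothing is disallowed' and is skipped.
    """
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        if field.strip().lower() == "disallow" and value.strip():
            path = value.strip()
            if path not in paths:
                paths.append(path)
    return paths


def unlinked_disallows(robots_txt, linked_urls):
    """Disallow entries under which no linked URL falls.

    A linked URL 'falls under' an entry when its path starts with the entry's
    literal prefix ('*' wildcards and a trailing '$' are stripped first).
    """
    linked_paths = {urlparse(u).path or "/" for u in linked_urls}
    result = []
    for entry in parse_disallow(robots_txt):
        prefix = entry.split("*", 1)[0].rstrip("$")
        if not any(lp.startswith(prefix) for lp in linked_paths):
            result.append(entry)
    return result


if __name__ == "__main__":
    for entry in unlinked_disallows(ROBOTS_TXT, LINKED_URLS):
        print("listed in robots.txt but never linked:", entry)
```

The interesting output is the unlinked set: those are the paths an attacker learns only because robots.txt names them. The follow-up a tester would do is request each one and look for a directory index or a readable config; the fix is to deny access to them at the web server rather than to hide them in an advisory file that anyone can read.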
darkfreaks Posted July 29, 2008

GHDB: robots.txt with Disallow tag

Vulnerability description: The description for this alert is contributed by the GHDB community; it may contain inappropriate language.
Category: Files containing juicy info
The robots.txt file serves as a set of instructions for web crawlers. The "disallow" tag tells a web crawler where NOT to look, for whatever reason. Hackers will always go to those places first!

This vulnerability affects /robots.txt.
The impact of this vulnerability: Not available. Check description.
Attack details: We found "robots.txt" "Disallow:" filetype:txt
How to fix this vulnerability: Not available. Check description.

GHDB: robots.txt file

Vulnerability description: The description for this alert is contributed by the GHDB community; it may contain inappropriate language.
Category: Files containing juicy info
Webmasters wanting to exclude search engine robots from certain parts of their site often choose the use of a robots.txt file on the root of the server. This file basically tells the bot which directories are supposed to be off-limits. An attacker can easily obtain that information by very simply opening that plain text file in his browser. Webmasters should *never* rely on this for real security issues. Google helps the attacker by allowing a search for the "disallow" keyword.

This vulnerability affects /robots.txt.
The impact of this vulnerability: Not available. Check description.
Attack details: We found (inurl:"robot.txt" | inurl:"robots.txt") intext:disallow filetype:txt
How to fix this vulnerability: Not available. Check description.
owner (Author) Posted July 29, 2008

Crazy, I don't even have a robots.txt file in my directory for the backend directory (which is the directory for my project). What tool do you use to generate these logs?
darkfreaks Posted July 29, 2008

Also, you may want to make sure directories are not writable; otherwise visitors could upload anything onto the server using write methods like HTTP_TRACE and HTTP_TRACK, which need to be disabled on the server.

Also, you do have a robots.txt: http://www.unfriedchicken.com/robots.txt
owner (Author) Posted July 29, 2008

Yea, however that isn't what I wanted. I just want the backend directory scanned, as that is where my project currently is. Also, I chmodded all folders to 755. Anything else?
darkfreaks Posted July 29, 2008

The script is good; however, people can still exploit the robots.txt file. I would really fix this.
owner (Author) Posted July 29, 2008

Fixed, and you're saying that my CMS system is somewhat secure?!??! lol Also, what do you use to test sites like this?
darkfreaks Posted July 29, 2008

Acunetix. You can read up on it; it's a paid scanner though, $6900.
darkfreaks Posted July 29, 2008

Also, for further reference, a mod_rewrite through .htaccess would be more secure than .txt.
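The two suggestions above (lock down what methods and directories the server will serve, and enforce it in .htaccess rather than in robots.txt) can be put into one file. The fragment below is an added example, not configuration from the thread or from the CMS. It assumes Apache 2.4 with mod_rewrite and mod_authz_core loaded and an AllowOverride that permits Options, FileInfo, Limit and AuthConfig in .htaccess; the directory names are the ones the scan listed and would need adjusting to the real layout. One caveat a practitioner would want: TRACE and TRACK are diagnostic methods that echo the request back (the classic abuse is cross-site tracing to read headers); they do not write files. Unwanted uploads come through PUT, WebDAV methods, or the application's own upload code, which is why the fragment rejects every method except GET, POST and HEAD as well as turning TRACE/TRACK off.

```apache
# Added example (not from the thread): .htaccess for the CMS document root.
# Assumes Apache 2.4, mod_rewrite + mod_authz_core, and an AllowOverride that
# permits these directives. Directory names are the ones the scanner listed.

# Never show a directory index when no index file is present.
Options -Indexes

# Reject TRACE and TRACK. "TraceEnable off" does this in the server/vhost
# config but is not valid inside .htaccess, so mod_rewrite is used here.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$ [NC]
RewriteRule .* - [F,L]

# Only GET, POST and HEAD reach the application; PUT, DELETE, PROPFIND etc.
# get a 403 regardless of file permissions.
<LimitExcept GET POST HEAD>
    Require all denied
</LimitExcept>

# Framework and cache directories are for include() only, never for direct
# requests. Denying them here beats listing them in robots.txt, which only
# advertises their names.
RewriteRule ^(cache|sources|ips_kernel|upgrade)(/|$) - [F,L]

# Uploads may be served as static files, but nothing in there may run as PHP.
RewriteRule ^uploads/.+\.ph(p[0-9]*|tml|ar)$ - [F,L,NC]
```

After deploying, verify with a few requests rather than trusting the file: a `TRACE /` and a `PUT /uploads/x.txt` should both come back 403, `GET /cache/` should be 403 instead of a listing, and a normal page should still load. If any of the directives produce a 500, the host's AllowOverride is narrower than assumed and the same rules belong in the virtual host configuration instead.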
owner (Author) Posted July 29, 2008

Where do I have this written down in a txt file? My mod_rewrite is put in my .htaccess file.
darkfreaks Posted July 29, 2008

Well, whatever you did, it is not picking up robots.txt anymore on the front end. Completely secured.
owner (Author) Posted July 29, 2008

Crazy, can you make the scanner just scan http://www.unfriedchicken.com/backend? That is what I really want to know the most. Also, for a first-time shot, I did pretty good lol. This is one of the first web apps I have ever made in PHP.
darkfreaks Posted July 29, 2008

Afraid not. However, that is the only thing it found.
owner (Author) Posted July 30, 2008

Would you mind running it again? I threw everything into the root now, so it should specifically scan my site now.
darkfreaks Posted July 30, 2008

Nothing.
owner (Author) Posted July 30, 2008

Geeze, I expected to have like 20 security holes lol. Have any suggestions on what to add to the site?
olie122333 Posted July 30, 2008

> Acunetix. You can read up on it; it's a paid scanner though, $6900.

Did you pay that? I got the free version.