sam06 Posted August 10, 2008

If you have a couple of minutes, please could you test out my site for the UK, called the UK Inside Knowledge Guide, designed for people who live in the UK to check out people's opinions of other towns.

http://www.ukikg.co.nr

Maybe if you live in the UK, or have visited, try adding a town/comments on UKIKG and see if the coding works.

Cheers,
Sam

dlate Posted August 10, 2008

Vulnerability description
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks. Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.

Affected items
/insideknowledge/addtown.php

The impact of this vulnerability
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

How to fix this vulnerability
Your script should filter metacharacters from user input.

addatown could modify the html of the page to attack a user, pretty serious threat.

Vulnerability description
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks. Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.

Affected items
/insideknowledge/addacomment.php
/insideknowledge/view.php

I also get a mysql error with fullpath when accessing view.php and addacomment.php.

Coreye Posted August 11, 2008

Full Path Disclosure:
http://www.sam06.tfcph.com/insideknowledge/view.php

Warning: mysql_result() [function.mysql-result]: Unable to jump to row 0 on MySQL result index 2 in /home/sam06/public_html/insideknowledge/view.php on line 8

Full Path Disclosure:
http://sam06.tfcph.com/insideknowledge/addacomment.php

Warning: mysql_result() [function.mysql-result]: Unable to jump to row 0 on MySQL result index 2 in /home/sam06/public_html/insideknowledge/addacomment.php on line 20

sam06 Posted August 11, 2008

They need to have a 'town=9' after it, there are no links to view.php just.

darkfreaks Posted August 11, 2008

Apache 2.x version older than 2.0.55

This alert was generated using only banner information. It may be a false positive. Multiple vulnerabilities have been found in this version of Apache. You should upgrade to the latest version of Apache. Affected Apache versions (up to 2.0.55).

The impact of this vulnerability
Multiple. Check references for details about every vulnerability.

Attack details
Current version is Apache/2.0.52

How to fix this vulnerability
Upgrade Apache 2.x to the latest version.

PHP multiple vulnerabilities

This alert was generated using only banner information. It may be a false positive. Multiple vulnerabilities have been reported in PHP, which can be exploited to gain escalated privileges, bypass certain security restrictions, gain knowledge of sensitive information, or compromise a vulnerable system. Affected PHP versions (up to 4.3.9/5.0.2). This vulnerability affects PHP.

The impact of this vulnerability
Possible local and remote execution of arbitrary code. Check references for more information.

Attack details
Current version is PHP/4.3.9

How to fix this vulnerability
Upgrade PHP to the latest version.

Phorum v.5.1.18 (admin.php) Cross-Site Scripting

Data passed to the admin.php URL isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Successful exploitation requires that the user is running a browser that does not URL-encode the request (e.g. Internet Explorer). Confirmed in version v.5.1.18. Other versions may also be affected. This vulnerability affects /admin.php.

The impact of this vulnerability
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

How to fix this vulnerability
Edit the source code to ensure that input is properly sanitised

Directories with write permissions enabled

Web Scanner was able to create a test file in this directory. The name of the file created is Web_Scanner_Test_File.txt. You should remove this file after setting proper permissions. This vulnerability affects /.

The impact of this vulnerability
Unauthenticated users can create files on this directory.

How to fix this vulnerability
Verify directory permissions and check if write access is required.

TRACE Method Enabled

HTTP TRACE method is enabled on this web server. In the presence of other cross-domain vulnerabilities in web browsers, sensitive header information could be read from any domains that support the HTTP TRACE method. This vulnerability affects Web Server.

The impact of this vulnerability
Attackers may abuse HTTP TRACE functionality to gain access to information in HTTP headers such as cookies and authentication data.

How to fix this vulnerability
Disable TRACE Method on the web server.

darkfreaks Posted August 11, 2008

TRACK Method Enabled

HTTP TRACK method is enabled on this web server. In the presence of other cross-domain vulnerabilities in web browsers, sensitive header information could be read from any domains that support the HTTP TRACK method. Additionally, IIS 5 does not log requests made with TRACK method. This vulnerability affects Web Server.

The impact of this vulnerability
Attackers may abuse HTTP TRACK functionality to gain access to information in HTTP headers such as cookies and authentication data.

How to fix this vulnerability
Disable TRACK Method on the web server

GHDB: DCForum password file

The description for this alert is contributed by the GHDB community, it may contain inappropriate language.
Category : Files containing passwords
DCForum's password file. This file gives a list of (crackable) passwords, usernames and email addresses for DCForum and for DCShop (a shopping cart program(!!!). Some lists are bigger than others, all are fun, and all belong to googledorks. =) This vulnerability affects /auth_user_file.txt.

The impact of this vulnerability
Not available. Check description.

Attack details
We found allinurl:auth_user_file.txt

GHDB: PHP configuration file (php.ini)

Vulnerability description
The description for this alert is contributed by the GHDB community, it may contain inappropriate language.
Category : Files containing juicy info
The php.ini file contains all the configuration for how PHP is parsed on a server. It can contain default database usernames, passwords, hostnames, IP addresses, ports, initialization of global variables and other information. Since it is found by default in /etc, you might be able to find a lot more unrelated information in the same directory. This vulnerability affects /php.ini.

The impact of this vulnerability
Not available. Check description.

Attack details
We found inurl:php.ini filetype:ini

GHDB: Possible sensitive Access forum database

The description for this alert is contributed by the GHDB community, it may contain inappropriate language.
Category : Files containing juicy info
Microsoft Access databases containing 'forum' information .. This vulnerability affects /wwForum.mdb.

The impact of this vulnerability
Not available. Check description.

Attack details
We found inurl:forum filetype:mdb

GHDB: Web Wiz Forum database

The description for this alert is contributed by the GHDB community, it may contain inappropriate language.
Category : Files containing passwords
Web Wiz Forums is a free ASP Bulletin Board software package. It uses a Microsoft Access database for storage. The installation instructions clearly indicate to change the default path and filename (admin/database/wwForum.mdb).
vendor: http://www.webwizguide.info/web_wiz_forums/
The forum database contains the members passwords, either encrypted or in plain text, depending on the version. Please note: this search is proof that results can stay in Google's index for a long time, even when they are not on the site any longer. Currently only 2 out of 9 are actually still downloadable by an attacker. This vulnerability affects /wwForum.mdb.

The impact of this vulnerability
Not available. Check description.

Attack details
We found filetype:mdb wwforum

Coreye Posted August 12, 2008

> They need to have a 'town=9' after it, there are no links to view.php just.

That's the point. By injecting unexpected data into a parameter it's possible to generate an error that will reveal the full path of the script. A remote user can determine the full path to the web root directory and other potentially sensitive information.
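
The application-side fix for the full path disclosure discussed in this thread, as an added example that is not part of the thread and not the site's own code: a hypothetical stand-in for view.php that treats a missing or unknown `town` as a normal case and keeps PHP diagnostics out of the response. The `towns` table, its columns, the `renderTown` function and the sample rows are assumptions, and an in-memory SQLite database (via PDO) is used so the script runs offline.

```php
<?php
declare(strict_types=1);
// Added example: hypothetical stand-in for view.php, not the site's code.
// Keep PHP diagnostics (which carry absolute paths) out of the response.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Constructed sample data; table and column names are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE towns (id INTEGER PRIMARY KEY, name TEXT, comment TEXT)');
$db->exec("INSERT INTO towns VALUES (9, 'Exampleton', '<b>Nice</b> market & pier')");

/** Returns [HTTP status, HTML body] for a request's query parameters. */
function renderTown(PDO $db, array $query): array
{
    // Missing, array-valued or non-numeric 'town': stop before touching the database.
    $id = filter_var($query['town'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [400, '<p>Missing or invalid town.</p>'];
    }
    try {
        $stmt = $db->prepare('SELECT name, comment FROM towns WHERE id = :id');
        $stmt->execute([':id' => $id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        error_log('town lookup failed: ' . $e->getMessage()); // detail stays server-side
        return [500, '<p>Something went wrong.</p>'];
    }
    // An empty result is an expected case, not something to read row 0 from.
    if ($row === false) {
        return [404, '<p>No such town.</p>'];
    }
    // Escape stored text on output so metacharacters render as text.
    $name = htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8');
    $comment = htmlspecialchars($row['comment'], ENT_QUOTES, 'UTF-8');
    return [200, "<h1>{$name}</h1><p>{$comment}</p>"];
}

// Constructed requests: no parameter, junk, unknown id, valid id.
foreach ([[], ['town' => 'abc'], ['town' => '12345'], ['town' => '9']] as $query) {
    [$status, $html] = renderTown($db, $query);
    echo $status, ' ', $html, PHP_EOL;
}
```

The same output escaping covers the comment and town fields flagged for XSS earlier in the thread, since stored text is encoded at the point it is written into HTML.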