If you have a couple of minutes, please could you test out my site for the UK, called the UK Inside Knowledge Guide, designed for people who live in the UK to check out people's opinions of other towns.

http://www.ukikg.co.nr

 

Maybe if you live in the UK, or have visited, try adding a town/comments on UKIKG and see if the coding works.

 

Cheers,

Sam


Vulnerability description

This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.

 

Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of JavaScript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.

Affected items

/insideknowledge/addtown.php

The impact of this vulnerability

Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

 

How to fix this vulnerability

Your script should filter metacharacters from user input.

 

addatown could modify the HTML of the page to attack a user, pretty serious threat.

 

Vulnerability description

This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.

 

Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of JavaScript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.

Affected items

/insideknowledge/addacomment.php

/insideknowledge/view.php

 

I also get a MySQL error with the full path when accessing view.php and addacomment.php.

Full Path Disclosure:

http://www.sam06.tfcph.com/insideknowledge/view.php

Warning: mysql_result() [function.mysql-result]: Unable to jump to row 0 on MySQL result index 2 in /home/sam06/public_html/insideknowledge/view.php on line 8

 

Full Path Disclosure:

http://sam06.tfcph.com/insideknowledge/addacomment.php

Warning: mysql_result() [function.mysql-result]: Unable to jump to row 0 on MySQL result index 2 in /home/sam06/public_html/insideknowledge/addacomment.php on line 20

Apache 2.x version older than 2.0.55

This alert was generated using only banner information. It may be a false positive.

 

Multiple vulnerabilities have been found in this version of Apache. You should upgrade to the latest version of Apache.

 

Affected Apache versions (up to 2.0.55).

 

 

The impact of this vulnerability

Multiple. Check references for details about every vulnerability.

 

Attack details

Current version is Apache/2.0.52

 

How to fix this vulnerability

Upgrade Apache 2.x to the latest version.

 

PHP multiple vulnerabilities

This alert was generated using only banner information. It may be a false positive.

 

Multiple vulnerabilities have been reported in PHP, which can be exploited to gain escalated privileges, bypass certain security restrictions, gain knowledge of sensitive information, or compromise a vulnerable system.

Affected PHP versions (up to 4.3.9/5.0.2).

 

This vulnerability affects PHP.

The impact of this vulnerability

Possible local and remote execution of arbitrary code. Check references for more information.

 

Attack details

Current version is PHP/4.3.9

 

 

How to fix this vulnerability

Upgrade PHP to the latest version.

 

 

Phorum v.5.1.18 (admin.php) Cross-Site Scripting

 

Data passed to the admin.php URL isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

 

Successful exploitation requires that the user is running a browser that does not URL-encode the request (e.g. Internet Explorer).

 

Confirmed in version v.5.1.18. Other versions may also be affected.

This vulnerability affects /admin.php.

The impact of this vulnerability

This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

 

How to fix this vulnerability

Edit the source code to ensure that input is properly sanitised.

 

 

Directories with write permissions enabled

Web Scanner was able to create a test file in this directory. The name of the file created is Web_Scanner_Test_File.txt. You should remove this file after setting proper permissions.

This vulnerability affects /.

The impact of this vulnerability

Unauthenticated users can create files on this directory.

How to fix this vulnerability

Verify directory permissions and check if write access is required.

 

TRACE Method Enabled

HTTP TRACE method is enabled on this web server. In the presence of other cross-domain vulnerabilities in web browsers, sensitive header information could be read from any domains that support the HTTP TRACE method.

This vulnerability affects Web Server.

The impact of this vulnerability

Attackers may abuse HTTP TRACE functionality to gain access to information in HTTP headers such as cookies and authentication data.

How to fix this vulnerability

Disable TRACE Method on the web server.

TRACK Method Enabled

HTTP TRACK method is enabled on this web server. In the presence of other cross-domain vulnerabilities in web browsers, sensitive header information could be read from any domains that support the HTTP TRACK method. Additionally, IIS 5 does not log requests made with TRACK method.

This vulnerability affects Web Server.

The impact of this vulnerability

Attackers may abuse HTTP TRACK functionality to gain access to information in HTTP headers such as cookies and authentication data.

How to fix this vulnerability

Disable TRACK Method on the web server.

 

GHDB: DCForum password file

The description for this alert is contributed by the GHDB community, it may contain inappropriate language.

Category : Files containing passwords

 

DCForum's password file. This file gives a list of (crackable) passwords, usernames and email addresses for DCForum and for DCShop (a shopping cart program(!!!)). Some lists are bigger than others, all are fun, and all belong to googledorks. =)

This vulnerability affects /auth_user_file.txt.

The impact of this vulnerability

Not available. Check description.

Attack details

We found

allinurl:auth_user_file.txt

GHDB: PHP configuration file (php.ini)

Vulnerability description

The description for this alert is contributed by the GHDB community, it may contain inappropriate language.

 

Category : Files containing juicy info

 

The php.ini file contains all the configuration for how PHP is parsed on a server. It can contain default database usernames, passwords, hostnames, IP addresses, ports, initialization of global variables and other information. Since it is found by default in /etc, you might be able to find a lot more unrelated information in the same directory.

This vulnerability affects /php.ini.

The impact of this vulnerability

Not available. Check description.

Attack details

We found

inurl:php.ini filetype:ini

 

GHDB: Possible sensitive Access forum database

The description for this alert is contributed by the GHDB community, it may contain inappropriate language.

Category : Files containing juicy info

 

Microsoft Access databases containing 'forum' information ..

This vulnerability affects /wwForum.mdb.

The impact of this vulnerability

Not available. Check description.

 

Attack details

We found

inurl:forum filetype:mdb

 

 

GHDB: Web Wiz Forum database

The description for this alert is contributed by the GHDB community, it may contain inappropriate language.

 

Category : Files containing passwords

 

Web Wiz Forums is a free ASP Bulletin Board software package. It uses a Microsoft Access database for storage. The installation instructions clearly indicate to change the default path and filename (admin/database/wwForum.mdb). vendor: http://www.webwizguide.info/web_wiz_forums/ The forum database contains the members' passwords, either encrypted or in plain text, depending on the version. Please note: this search is proof that results can stay in Google's index for a long time, even when they are not on the site any longer. Currently only 2 out of 9 are actually still downloadable by an attacker.

This vulnerability affects /wwForum.mdb.

The impact of this vulnerability

Not available. Check description.

 

Attack details

We found

filetype:mdb wwforum

They need to have a 'town=9' after it, there are no links to view.php just.

 

That's the point. By injecting unexpected data into a parameter it's possible to generate an error that will reveal the full path of the script. A remote user can determine the full path to the web root directory and other potentially sensitive information.
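
The two fixes this thread points at, as an added example that is not part of the original posts or the site's code: validate the `town` parameter and handle an empty result instead of reading row 0 (the source of the path-revealing warning), and HTML-encode stored values on output (the XSS finding). It uses PDO rather than the site's `mysql_result()`; the `towns` table, its columns and the helper names are hypothetical.

```php
<?php
// Keep warnings (which carry the script's filesystem path) out of responses.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Encode a value for an HTML text node or quoted attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Return the town id as a positive integer, or null if missing or malformed.
function parse_town_id(array $query): ?int
{
    $raw = $query['town'] ?? null;
    if (!is_string($raw)) {           // absent, or an array such as town[]=1
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Build the page body; an empty result yields a generic message, not a warning.
function render_town(PDO $db, array $query): string
{
    $id = parse_town_id($query);
    if ($id === null) {
        http_response_code(400);
        return '<p>Invalid town.</p>';
    }
    $stmt = $db->prepare('SELECT name FROM towns WHERE id = :id'); // hypothetical schema
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);
        return '<p>Town not found.</p>';
    }
    return '<h1>' . h($row['name']) . '</h1>';
}

// Constructed demo: in-memory SQLite standing in for the site's MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE towns (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO towns (name) VALUES ('<b>Leeds</b>')");
$found   = render_town($db, ['town' => '1']); // stored markup comes back encoded
$missing = render_town($db, []);              // no parameter: generic message, no path
echo $found, "\n", $missing, "\n";
```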
