sstangle73 Posted August 13, 2008 Share Posted August 13, 2008 guys i would like to hear everything you have for this system all possible errors i made i would like to fix thanks alot =] test.stangle.info test account: user: testaccount pass: testing or make your own up to you =] thanks again Link to comment Share on other sites More sharing options...
waynew Posted August 13, 2008 Share Posted August 13, 2008 I can't seem to register? It's telling me that the email has to be unique. I've tried a few emails now. Link to comment Share on other sites More sharing options...
sstangle73 Posted August 13, 2008 Author Share Posted August 13, 2008 im not sure why that is the case i just went and was able to register on firefox with out a problem but what i did just find out it is always fails on IE . . . greattt! haha ill b looking into that. Link to comment Share on other sites More sharing options...
Dead6re Posted August 13, 2008 Share Posted August 13, 2008 Unclear error message too, since it seems to be wrong. [attachment deleted by admin] Link to comment Share on other sites More sharing options...
sstangle73 Posted August 13, 2008 Author Share Posted August 13, 2008 . . . but what i did just find out it is always fails on IE . . . greattt! haha ill b looking into that. yeah that is what i was talking about and am looking into currently. thanks. i am a little stumped at this point. started a help topic http://www.phpfreaks.com/forums/index.php/topic,211708.0.html Link to comment Share on other sites More sharing options...
jkewlo Posted August 19, 2008 Share Posted August 19, 2008 eh a bit big eh? Link to comment Share on other sites More sharing options...
sstangle73 Posted August 19, 2008 Author Share Posted August 19, 2008 all working now test the shit out of it thanks everyone Link to comment Share on other sites More sharing options...
darkfreaks Posted August 19, 2008 Share Posted August 19, 2008 Unfiltered Header Injection in Apache 1.3.34/2.0.57/2.2.1 This version of Apache is vulnerable to HTML injection (including malicious Javascript code) through "Expect" header. Until not it was not classed as security vulnerability as an attacker has no way to influence the Expect header a victim will send to a target site. However, according to Amit Klein's paper: "Forging HTTP request headers with Flash" there is a working cross site scripting (XSS) attack against Apache 1.3.34, 2.0.57 and 2.2.1 (as long as the client browser is IE or Firefox, and it supports Flash 6/7+). Affected Apache versions (up to 1.3.34/2.0.57/2.2.1). This vulnerability affects Web Server. The impact of this vulnerability Malicious users may inject JavaScript, not allowed, ActiveX, HTML or Flash to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user. How to fix this vulnerability Upgrade to the latest Apache versions. This flaw has been corrected in Apache versions (1.3.35/2.0.58/2.2.2) Input Type Password Autocomplete Enabled Password type input has autocomplete enabled. An attacker with local access could obtain the cleartext password from the browser cache. The impact of this vulnerability Possible sensitive information disclosure How to fix this vulnerability The password autocomplete should be disabled in sensitive applications. To disable autocomplete, you may use a code similar to: < INPUT TYPE="password" AUTOCOMPLETE="off" > User credentials are sent in clear text The impact of this vulnerability A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection. How to fix this vulnerability Because user credentials usually are considered sensitive information, it is recommended to be sent to the server over an encrypted connection. Apache Mod_Rewrite Off-By-One This alert was generated using only banner information. It may be a false positive.Apache mod_rewrite is prone to an off-by-one buffer-overflow condition. The vulnerability arising in the mod_rewrite module's ldap scheme handling allows for potential memory corruption when an attacker exploits certain rewrite rules. Affected Apache versions: Apache 1.3.28 - 1.3.36 with mod_rewrite Apache 2.2.0 - 2.2.2 with mod_rewrite Apache 2.0.46 - 2.0.58 with mod_rewrite The impact of this vulnerability An attacker may exploit this issue to trigger a denial-of-service condition. Reportedly, arbitrary code execution may also be possible. How to fix this vulnerability Upgrade Apache to the latest version. Link to comment Share on other sites More sharing options...
Jeigh Posted August 21, 2008 Share Posted August 21, 2008 I managed to sign up the username 'testaccount' again (twice). You'll notice now if you try logging in with the username 'testaccount' and password 'sj2383mds' or 'testtest' it will still log in. I'm not expert on the matter but this was achieved through MySQL truncation, I signed up with the username: testaccount x (going over the maximum allowed limit in the database) So when it checks if the username already exists it dosnt (since it has the x on the end) but in the database it will still be 'testaccount' without the x since it went over the limit. The error did come up saying I was using too many characters but it still let me submit and processed it anyway. Make sure you don't let people enter anymore than 50 in the input area and also check the input in PHP before inserting rather that just with Ajax. Link to comment Share on other sites More sharing options...
Recommended Posts