skiingguru1611 Posted August 27, 2008 Share Posted August 27, 2008 I have been working on this site for a local lacrosse tournament and I am pretty much done. I need to check for any security holes before I go any further. I'm sure there will be alot, and might need help figuring out how to fix them. http://www.tullycornfieldclassic.com Thanks Link to comment Share on other sites More sharing options...
Coreye Posted August 27, 2008 Share Posted August 27, 2008 Cross Site Scripting (XSS): You can add ">code when adding or editing values using admin.php. Full Path Disclosure: http://www.tullycornfieldclassic.com/insert.php Warning: include(../Login/include/session.php) [function.include]: failed to open stream: No such file or directory in /home/tullyl00/domains/tullycornfieldclassic.com/public_html/insert.php on line 1 Warning: include() [function.include]: Failed opening '../Login/include/session.php' for inclusion (include_path='.:/usr/local/lib/php') in /home/tullyl00/domains/tullycornfieldclassic.com/public_html/insert.php on line 1 Full Path Disclosure: http://www.tullycornfieldclassic.com/admin.php Warning: mysql_num_fields(): supplied argument is not a valid MySQL result resource in /home/tullyl00/domains/tullycornfieldclassic.com/public_html/admin.php on line 92 Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/tullyl00/domains/tullycornfieldclassic.com/public_html/admin.php on line 93 not selected contains fields. Warning: mysql_num_fields(): supplied argument is not a valid MySQL result resource in /home/tullyl00/domains/tullycornfieldclassic.com/public_html/admin.php on line 241 Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/tullyl00/domains/tullycornfieldclassic.com/public_html/admin.php on line 242 Link to comment Share on other sites More sharing options...
darkfreaks Posted August 27, 2008 Share Posted August 27, 2008 Cross site Scripting(XSS) : Found in: insert.php Solution: strip_tags(),trim() Link to comment Share on other sites More sharing options...
skiingguru1611 Posted August 28, 2008 Author Share Posted August 28, 2008 Cross Site Scripting (XSS): You can add ">code when adding or editing values using admin.php. That page is not going to be viewable by the public..only me and one other person will have access, I just haven't gotten the chance to secure it. Link to comment Share on other sites More sharing options...
skiingguru1611 Posted August 28, 2008 Author Share Posted August 28, 2008 How do I secure insert.php, for both the XSS and Full Path disclosure?? I don't think I have to worry about admin.php, because no one will be able to access it. Link to comment Share on other sites More sharing options...
darkfreaks Posted August 28, 2008 Share Posted August 28, 2008 to secure insert.php use trim(),strip_tags() this will 100 percent work Link to comment Share on other sites More sharing options...
skiingguru1611 Posted August 29, 2008 Author Share Posted August 29, 2008 Where do I add the tags exactly, I have no experience with them. Here is the code for insert.php <?php include("../Login/include/session.php");?> <?php $username="censored"; $password="censored"; $database="censored"; $coach="$user"; $first=$_POST['first']; $last=$_POST['last']; $title=$_POST['title']; $college=$_POST['college']; $division=$_POST['division']; $phone=$_POST['phone']; $cell=$_POST['cell']; $email=$_POST['email']; mysql_connect(localhost,$username,$password); @mysql_select_db($database) or die( "Unable to select database"); $query = "INSERT INTO coach (id, first, last, title, college, division, phone, cell, email) VALUES ('','$first','$last','$title','$college','$division','$phone','$cell','$email')"; mysql_query($query); mysql_close(); ?> Link to comment Share on other sites More sharing options...
darkfreaks Posted August 29, 2008 Share Posted August 29, 2008 <?php include("../Login/include/session.php");?> <?php $username="censored"; $password="censored"; $database="censored"; $coach="$user"; $first=trim(strip_tags($_POST['first'])); $last=trim(strip_tags($_POST['last'])); $title=trim(strip_tags($_POST['title'])) $college=trim(strip_tags($_POST['college'])); $division=trim(strip_tags($_POST['division'])); $phone=trim(strip_tags($_POST['phone'])); $cell=$_POST['cell']; $email=$_POST['email']; mysql_connect(localhost,$username,$password); @mysql_select_db($database) or die( "Unable to select database"); $query = "INSERT INTO coach (id, first, last, title, college, division, phone, cell, email) VALUES ('','$first','$last','$title','$college','$division','$phone','$cell','$email')"; mysql_query($query); mysql_close(); ?> Link to comment Share on other sites More sharing options...
skiingguru1611 Posted August 29, 2008 Author Share Posted August 29, 2008 what about the "cell" and "email" variables? Link to comment Share on other sites More sharing options...
darkfreaks Posted August 29, 2008 Share Posted August 29, 2008 yeah sorry didnt see those Link to comment Share on other sites More sharing options...
skiingguru1611 Posted August 29, 2008 Author Share Posted August 29, 2008 Alright, I'll add it. I have 2 more files on the site almost exactly like that just for different forms, but neither you nor corey mentioned them...should i add the trim() and strip_tags() functions to those too? Link to comment Share on other sites More sharing options...
darkfreaks Posted August 29, 2008 Share Posted August 29, 2008 ill test it again and let you know Link to comment Share on other sites More sharing options...
skiingguru1611 Posted August 29, 2008 Author Share Posted August 29, 2008 Alright thanks. They are in different directories though. Like one is ../Login/insertinfo.php and the other is ../Login/insertroster.php Just in case that makes a difference. Link to comment Share on other sites More sharing options...
darkfreaks Posted August 29, 2008 Share Posted August 29, 2008 which one did you fix? it still is finding XSS on insert.php? Link to comment Share on other sites More sharing options...
skiingguru1611 Posted August 29, 2008 Author Share Posted August 29, 2008 I just re-uploaded the files...I fixed all 3...sorry, can you try once more? Link to comment Share on other sites More sharing options...
darkfreaks Posted August 29, 2008 Share Posted August 29, 2008 try adding mysql_real_escape_string() see if that fixed it :-\ Link to comment Share on other sites More sharing options...
skiingguru1611 Posted August 29, 2008 Author Share Posted August 29, 2008 Add that to where? Link to comment Share on other sites More sharing options...
darkfreaks Posted August 29, 2008 Share Posted August 29, 2008 trim(strip_tags(mysql_real_escape_string($_POST['variable']))); Link to comment Share on other sites More sharing options...
skiingguru1611 Posted August 29, 2008 Author Share Posted August 29, 2008 Alright, I added that to insert.php EDIT: I've now added it to all 3 pages, and made some corrections on all that I messed up while editing it the first time. Link to comment Share on other sites More sharing options...
darkfreaks Posted August 29, 2008 Share Posted August 29, 2008 still happening maybe if i tell you what is going on injection wise you can fix it. but all the variables on insert.php are being manipulated. here is a few examples Attack details The POST variable last has been set to . Attack details The POST variable last has been set to 268435455. Attack details The POST variable last has been set to NULL. Attack details The POST variable last has been set to -1.0. Link to comment Share on other sites More sharing options...
skiingguru1611 Posted August 29, 2008 Author Share Posted August 29, 2008 I don't have anything that restricts use of certain characters or that makes sure something is typed in. Could that be causing it? If so, how would I add that stuff, I'm still kind of new to this and haven't quite learned that yet. Link to comment Share on other sites More sharing options...
darkfreaks Posted August 29, 2008 Share Posted August 29, 2008 well one way is to make sure they are set like if(!empty($_POST['variable'])){// code here } this will make sure it is not set to NULL or empty the variables i mean. also try using this function it works great http://kallahar.com/smallprojects/php_xss_filter_function.php Link to comment Share on other sites More sharing options...
skiingguru1611 Posted August 29, 2008 Author Share Posted August 29, 2008 Sorry, but where exactly do I put that function? Also, would this work? $variable=if(!empty(trim(strip_tags(mysql_real_escape_string($_POST['variable'])))); What would happen if the variable was NULL, I think it would mess up the rest of the code. Link to comment Share on other sites More sharing options...
darkfreaks Posted August 29, 2008 Share Posted August 29, 2008 what i usually do is put it inside a file called function.php then when i want to call the function i include that page then put RemoveXSS($_POST['variable']); to call it Link to comment Share on other sites More sharing options...
skiingguru1611 Posted August 29, 2008 Author Share Posted August 29, 2008 okay, i'll do that. Also, i edited my previous post, please read it. Link to comment Share on other sites More sharing options...
Recommended Posts