skiingguru1611 Posted August 27, 2008
I have been working on this site for a local lacrosse tournament and I am pretty much done. I need to check for any security holes before I go any further. I'm sure there will be a lot, and might need help figuring out how to fix them.
http://www.tullycornfieldclassic.com
Thanks
Coreye Posted August 27, 2008
Cross Site Scripting (XSS): You can add ">code when adding or editing values using admin.php.

Full Path Disclosure: http://www.tullycornfieldclassic.com/insert.php
Warning: include(../Login/include/session.php) [function.include]: failed to open stream: No such file or directory in /home/tullyl00/domains/tullycornfieldclassic.com/public_html/insert.php on line 1
Warning: include() [function.include]: Failed opening '../Login/include/session.php' for inclusion (include_path='.:/usr/local/lib/php') in /home/tullyl00/domains/tullycornfieldclassic.com/public_html/insert.php on line 1

Full Path Disclosure: http://www.tullycornfieldclassic.com/admin.php
Warning: mysql_num_fields(): supplied argument is not a valid MySQL result resource in /home/tullyl00/domains/tullycornfieldclassic.com/public_html/admin.php on line 92
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/tullyl00/domains/tullycornfieldclassic.com/public_html/admin.php on line 93
not selected contains fields.
Warning: mysql_num_fields(): supplied argument is not a valid MySQL result resource in /home/tullyl00/domains/tullycornfieldclassic.com/public_html/admin.php on line 241
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/tullyl00/domains/tullycornfieldclassic.com/public_html/admin.php on line 242
darkfreaks Posted August 27, 2008
Cross Site Scripting (XSS):
Found in: insert.php
Solution: strip_tags(), trim()
skiingguru1611 Posted August 28, 2008 (Author)
Quoting Coreye: Cross Site Scripting (XSS): You can add ">code when adding or editing values using admin.php.
That page is not going to be viewable by the public...only me and one other person will have access, I just haven't gotten the chance to secure it.
skiingguru1611 Posted August 28, 2008 (Author)
How do I secure insert.php, for both the XSS and Full Path Disclosure? I don't think I have to worry about admin.php, because no one will be able to access it.
darkfreaks Posted August 28, 2008
To secure insert.php use trim(), strip_tags(). This will 100 percent work.
skiingguru1611 Posted August 29, 2008 (Author)
Where do I add the tags exactly? I have no experience with them. Here is the code for insert.php:

<?php include("../Login/include/session.php");?>
<?php
$username="censored";
$password="censored";
$database="censored";
$coach="$user";
$first=$_POST['first'];
$last=$_POST['last'];
$title=$_POST['title'];
$college=$_POST['college'];
$division=$_POST['division'];
$phone=$_POST['phone'];
$cell=$_POST['cell'];
$email=$_POST['email'];
mysql_connect(localhost,$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "INSERT INTO coach (id, first, last, title, college, division, phone, cell, email) VALUES ('','$first','$last','$title','$college','$division','$phone','$cell','$email')";
mysql_query($query);
mysql_close();
?>
darkfreaks Posted August 29, 2008

<?php include("../Login/include/session.php");?>
<?php
$username="censored";
$password="censored";
$database="censored";
$coach="$user";
// Trim whitespace and remove HTML tags from each submitted value.
$first=trim(strip_tags($_POST['first']));
$last=trim(strip_tags($_POST['last']));
$title=trim(strip_tags($_POST['title']));
$college=trim(strip_tags($_POST['college']));
$division=trim(strip_tags($_POST['division']));
$phone=trim(strip_tags($_POST['phone']));
$cell=$_POST['cell'];
$email=$_POST['email'];
mysql_connect('localhost',$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "INSERT INTO coach (id, first, last, title, college, division, phone, cell, email) VALUES ('','$first','$last','$title','$college','$division','$phone','$cell','$email')";
mysql_query($query);
mysql_close();
?>
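For the question of how to secure insert.php against both the XSS and the Full Path Disclosure findings, here is a hardened version added as an example; it is not code from the thread, from the site's author, or from darkfreaks. It assumes the same `coach` table with `id` as an auto-increment column, the same `../Login/include/session.php` include, and PHP 5.4 or later with the mysqli extension; the `DB_*` credentials are placeholders. Two caveats the thread does not spell out: `strip_tags()` leaves `"` and `>` untouched, so it does not stop the `">` injection Coreye reported when a value is echoed inside an HTML attribute, and `mysql_real_escape_string()` needs an open database connection, whereas in the posted file the variables are assigned before `mysql_connect()` runs. The example therefore binds values through a prepared statement (so no escaping function is involved), escapes with `htmlspecialchars()` at output time, and turns off `display_errors` so PHP warnings no longer reveal the server path.

```php
<?php
// Added example (not the thread's code): hardened insert.php.
// Assumptions: table `coach` with an auto-increment `id`, the same session include,
// PHP 5.4+ with mysqli. The DB_* values are placeholders.

// Full Path Disclosure: keep PHP warnings out of the response (ideally set in php.ini).
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// A failed include must not leave the page running half-configured.
if ((@include '../Login/include/session.php') === false) {
    error_log('insert.php: could not include session.php');
    header('HTTP/1.1 500 Internal Server Error');
    exit('Unable to process your request.');
}

// Gather the form fields. trim()/strip_tags() only shape the value; they are not a
// defence by themselves. Required-field and length checks reject the NULL/empty
// submissions that a scanner sends.
$fields = ['first', 'last', 'title', 'college', 'division', 'phone', 'cell', 'email'];
$data = [];
foreach ($fields as $name) {
    $value = isset($_POST[$name]) ? trim(strip_tags((string) $_POST[$name])) : '';
    if ($value === '' || strlen($value) > 100) {
        header('HTTP/1.1 400 Bad Request');
        exit('Missing or too long: ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8'));
    }
    $data[$name] = $value;
}
if (filter_var($data['email'], FILTER_VALIDATE_EMAIL) === false) {
    header('HTTP/1.1 400 Bad Request');
    exit('Invalid e-mail address.');
}

// SQL injection: a prepared statement keeps data out of the query text entirely,
// so quotes or SQL keywords inside a value are stored as plain text.
$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
if ($db->connect_error) {
    error_log('insert.php: ' . $db->connect_error);
    exit('Unable to select database');
}
$stmt = $db->prepare(
    'INSERT INTO coach (first, last, title, college, division, phone, cell, email)
     VALUES (?, ?, ?, ?, ?, ?, ?, ?)'
);
if ($stmt === false) {
    error_log('insert.php: prepare failed: ' . $db->error);
    exit('Unable to save record.');
}
$stmt->bind_param('ssssssss', $data['first'], $data['last'], $data['title'],
    $data['college'], $data['division'], $data['phone'], $data['cell'], $data['email']);
if (!$stmt->execute()) {
    error_log('insert.php: execute failed: ' . $stmt->error);
    exit('Unable to save record.');
}
$stmt->close();
$db->close();

// XSS: escape at the moment the value goes into HTML. The same call belongs in
// admin.php wherever it echoes these stored rows, since that listing is where the
// injected markup would otherwise render.
echo 'Added coach ' . htmlspecialchars($data['first'] . ' ' . $data['last'], ENT_QUOTES, 'UTF-8');
```

The `id` column is left out of the INSERT so MySQL assigns it; the original inserted `''`, which only works because MySQL silently converts it for an auto-increment column. The `display_errors`/`log_errors` pair is what removes the path disclosure: the warnings still go to the error log, where the administrator can read them, but never to the browser.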
skiingguru1611 Posted August 29, 2008 (Author)
What about the "cell" and "email" variables?
darkfreaks Posted August 29, 2008
Yeah, sorry, didn't see those.
skiingguru1611 Posted August 29, 2008 (Author)
Alright, I'll add it. I have 2 more files on the site almost exactly like that, just for different forms, but neither you nor Coreye mentioned them...should I add the trim() and strip_tags() functions to those too?
darkfreaks Posted August 29, 2008
I'll test it again and let you know.
skiingguru1611 Posted August 29, 2008 (Author)
Alright, thanks. They are in different directories though. Like one is ../Login/insertinfo.php and the other is ../Login/insertroster.php. Just in case that makes a difference.
darkfreaks Posted August 29, 2008
Which one did you fix? It is still finding XSS on insert.php.
skiingguru1611 Posted August 29, 2008 (Author)
I just re-uploaded the files...I fixed all 3...sorry, can you try once more?
darkfreaks Posted August 29, 2008
Try adding mysql_real_escape_string() and see if that fixes it :-\
skiingguru1611 Posted August 29, 2008 (Author)
Add that to where?
darkfreaks Posted August 29, 2008

trim(strip_tags(mysql_real_escape_string($_POST['variable'])));
skiingguru1611 Posted August 29, 2008 (Author)
Alright, I added that to insert.php.
EDIT: I've now added it to all 3 pages, and made some corrections on all that I messed up while editing it the first time.
darkfreaks Posted August 29, 2008
Still happening. Maybe if I tell you what is going on injection-wise you can fix it. But all the variables on insert.php are being manipulated. Here are a few examples:

Attack details: The POST variable last has been set to .
Attack details: The POST variable last has been set to 268435455.
Attack details: The POST variable last has been set to NULL.
Attack details: The POST variable last has been set to -1.0.
skiingguru1611 Posted August 29, 2008 (Author)
I don't have anything that restricts use of certain characters or that makes sure something is typed in. Could that be causing it? If so, how would I add that stuff? I'm still kind of new to this and haven't quite learned that yet.
darkfreaks Posted August 29, 2008
Well, one way is to make sure they are set, like:

if(!empty($_POST['variable'])){
    // code here
}

This will make sure it is not set to NULL or empty (the variables I mean). Also try using this function, it works great: http://kallahar.com/smallprojects/php_xss_filter_function.php
skiingguru1611 Posted August 29, 2008 (Author)
Sorry, but where exactly do I put that function? Also, would this work?

$variable=if(!empty(trim(strip_tags(mysql_real_escape_string($_POST['variable'])))));

What would happen if the variable was NULL? I think it would mess up the rest of the code.
darkfreaks Posted August 29, 2008
What I usually do is put it inside a file called function.php, then when I want to call the function I include that page and put RemoveXSS($_POST['variable']); to call it.
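On where the check goes and what happens with an empty value: an `if` statement is not an expression in PHP, so it cannot be assigned to a variable; the test guards the code that follows instead. The file below is an added example in the shape darkfreaks describes (a function.php that the form handler includes), not code from the thread or from the linked kallahar page. The function names are mine, and the sample `$_POST` at the bottom is constructed so the file runs from the command line.

```php
<?php
// Added example (not the thread's code): a function.php that insert.php would include.
// Function names are my own; the sample $_POST at the bottom is constructed.

// Return the trimmed value of a required POST field, or null when it is absent or empty.
// This is the working form of the "if (!empty(...))" check: the test decides whether
// the value is accepted; the if itself is not something you can assign.
function required_post($name, $maxLen = 100)
{
    if (empty($_POST[$name])) {
        return null;
    }
    $value = trim(strip_tags((string) $_POST[$name]));
    if ($value === '' || strlen($value) > $maxLen) {
        return null;
    }
    return $value;
}

// Escape a value for HTML text or attribute context. This is the output-side step that
// strip_tags() does not cover: a quote or ">" passes through strip_tags() untouched.
function html($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Check every required field in one pass and report all missing ones together, so the
// rest of the handler never runs with a null in place of a value.
function collect_required(array $names)
{
    $values = [];
    $missing = [];
    foreach ($names as $name) {
        $value = required_post($name);
        if ($value === null) {
            $missing[] = $name;
        } else {
            $values[$name] = $value;
        }
    }
    return [$values, $missing];
}

// Caller side (what insert.php would do after require_once 'function.php'):
// list($coach, $missing) = collect_required([...]);
// if ($missing !== []) { header('HTTP/1.1 400 Bad Request'); exit('Please fill in: ' . html(implode(', ', $missing))); }
// $coach can then be bound into a prepared statement; call html() when echoing it.

// Constructed sample submission so the file runs stand-alone from the CLI:
// "last" carries a quote-and-bracket value of the kind the scan reported, "cell" is empty.
if (PHP_SAPI === 'cli') {
    $_POST = [
        'first' => 'Jane', 'last' => '">x', 'title' => 'Coach', 'college' => 'Example U',
        'division' => 'I', 'phone' => '555-0100', 'cell' => '', 'email' => 'jane@example.com',
    ];
    list($coach, $missing) = collect_required(array_keys($_POST));
    echo 'missing: ' . implode(', ', $missing) . PHP_EOL;
    echo 'escaped last: ' . html($coach['last']) . PHP_EOL;
}
```

Running it from the command line reports `cell` as the missing field and shows the `last` value with its quote and bracket converted to entities, which is the step that prevents the `">` breakout when the value is later displayed. One caveat with `empty()`: it treats the string `"0"` as empty, so a field where `0` is a legitimate answer should be tested with `isset()` and a comparison against `''` instead.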
skiingguru1611 Posted August 29, 2008 (Author)
Okay, I'll do that. Also, I edited my previous post, please read it.