marksie1988 Posted September 4, 2008 Share Posted September 4, 2008 Please could you check this new project for bugs and security issues username and password are demo http://blconline.co.uk/mileagedemo/ if you notice something please let me know as i dont know how to check security vulnerabilities but if someone told me how to on the main ones like xss that would be ace i know that the pages arent validating in w3c i will be fixing this soon Thanks Steve Link to comment Share on other sites More sharing options...
darkfreaks Posted September 4, 2008 Share Posted September 4, 2008 Input Type Password Autocomplete Enabled Password type input named pass from unnamed form with action has autocomplete enabled. An attacker with local access could obtain the cleartext password from the browser cache. The impact of this vulnerability Possible sensitive information disclosure How to fix this vulnerability The password autocomplete should be disabled in sensitive applications. To disable autocomplete, you may use a code similar to < INPUT TYPE="password" AUTOCOMPLETE="off" > User credentials are sent in clear text The impact of this vulnerability A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection. How to fix this vulnerability Because user credentials usually are considered sensitive information, it is recommended to be sent to the server over an encrypted connection. Link to comment Share on other sites More sharing options...
darkfreaks Posted September 5, 2008 Share Posted September 5, 2008 Cross Site Scripting Files affected: addmiles.php,viewmiles.php,member.php Solution: filter your variables with strip_tags(),trim(),mysql_real_escape_string() and htmlspecialchars() Fatal error: Call to undefined function pdf_new() in /home/marksie/blconline/mileagedemo/pdf.php on line 17 Link to comment Share on other sites More sharing options...
marksie1988 Posted September 5, 2008 Author Share Posted September 5, 2008 Cross Site Scripting Files affected: addmiles.php,viewmiles.php,member.php Solution: filter your variables with strip_tags(),trim(),mysql_real_escape_string() and htmlspecialchars() Fatal error: Call to undefined function pdf_new() in /home/marksie/blconline/mileagedemo/pdf.php on line 17 is there another way that i can create a pdf without using pdflib ? it will only work on some servers yet i want one that will work on all? Link to comment Share on other sites More sharing options...
darkfreaks Posted September 5, 2008 Share Posted September 5, 2008 not really what is your code ??? it could have errors Note: PDF functions in PHP 4 while they work were never compiled. Please Upgrade your PHP version to PHP 5. Link to comment Share on other sites More sharing options...
darkfreaks Posted September 5, 2008 Share Posted September 5, 2008 also if you are already upgraded to PHP 5 or 6 please make sure it is PDF_new() and not pdf_new however if you are using free pdf(FPDF) you would use new_FPDF() instead of PDFLIB's version of PDF_new() Link to comment Share on other sites More sharing options...
marksie1988 Posted September 5, 2008 Author Share Posted September 5, 2008 this is the code that i am using for my pdf and this is the error Fatal error: Call to undefined function pdf_new() in /home/******/blconline/mileagedemo/pdf.php on line 17 <?php require_once("inc/DbConnector.php"); // Include the database class $db = new DbConnector(); // Create an instance of the database class $db->connect(); // Connect to the database $from = strtotime($_POST['input1']); $to = strtotime($_POST['input2']); $user = $_POST['uid']; $query_rsReportData = "SELECT * FROM mileage WHERE userid='$user' AND `datedone` BETWEEN $from AND $to ORDER BY datedone DESC"; $rsReportData = mysql_query($query_rsReportData) or die(mysql_error()); $row_rsReportData = mysql_fetch_assoc($rsReportData); $totalRows_rsReportData = mysql_num_rows($rsReportData); ?> <?php // create handle for new PDF document $pdf = pdf_new(); // open a file pdf_open_file($pdf, ""); // Set Info pdf_set_info($pdf, "Author", "Hyena Mileage Tracker"); pdf_set_info($pdf, "Title", "Report"); pdf_set_info($pdf, "Creator", "Hyena Mileage Tracker"); pdf_set_info($pdf, "Subject", "Report"); // start a new page (A4) pdf_begin_page($pdf, 595, 842); // path of your TTF font directory // e.g. /home/username/public_html/hmt/fonts $fontdir = "/home/******/blconline/mileagedemo/fonts"; // Open .TTFs (true type fonts) pdf_set_parameter($pdf, "FontOutline", "ArialItalic=$fontdir/ariali.ttf"); pdf_set_parameter($pdf, "FontOutline", "ArialBold=$fontdir/arialbd.ttf"); pdf_set_parameter($pdf, "FontOutline", "Arial=$fontdir/arial.ttf"); // ------ Start output of the PDF Content ------// // set the font - Arial Bold 15 $font = pdf_findfont($pdf, "ArialBold", "host",0); pdf_setfont($pdf, $font, 15); // output document title pdf_show_xy($pdf, "Mileage Report", 50, 788); // draw a line pdf_moveto($pdf, 20, 780); pdf_lineto($pdf, 575, 780); pdf_stroke($pdf); // set the font - Arial Italic 12 $font = pdf_findfont($pdf, "ArialItalic", "host",0); pdf_setfont($pdf, $font, 12); $y = 750; // output data header pdf_show_xy($pdf, "Date Done ", 50, $y); pdf_show_xy($pdf, "Miles", 150, $y); pdf_show_xy($pdf, "Destination", 200, $y); pdf_show_xy($pdf, "Reason", 300, $y); $y -= 5; // set the font - Arial 10 $font = pdf_findfont($pdf, "Arial", "host",0); pdf_setfont($pdf, $font, 10); // output the data from Database do { $date = $row_rsReportData['datedone']; $date = gmdate("d-m-Y", $date); $y -= 15; pdf_show_xy($pdf, $date, 50, $y); pdf_show_xy($pdf, $row_rsReportData['miles'], 150, $y); pdf_show_xy($pdf, $row_rsReportData['destination'], 200, $y); pdf_show_xy($pdf, $row_rsReportData['reason'], 300, $y); } while ($row_rsReportData = mysql_fetch_assoc($rsReportData)); // draw a line pdf_moveto($pdf, 20, 50); pdf_lineto($pdf, 575, 50); pdf_stroke($pdf); // output document title pdf_show_xy($pdf, "", 50, 788); // ------ End output of the PDF Content ------// // end page pdf_end_page($pdf); // close and save file pdf_close($pdf); $buf = pdf_get_buffer($pdf); $len = strlen($buf); header("Content-type: application/pdf"); header("Content-Length: $len"); header("Content-Disposition: inline; filename=report.pdf"); echo $buf; pdf_delete($pdf); ?> <?php mysql_free_result($rsReportData); ?> Link to comment Share on other sites More sharing options...
darkfreaks Posted September 5, 2008 Share Posted September 5, 2008 $pdf = pdf_new(); should be: <?php $pdf = PDF_new();?> Link to comment Share on other sites More sharing options...
Maq Posted September 5, 2008 Share Posted September 5, 2008 Not sure if this is a bug or you may have not got to this yet but here's what I did: I logged in on the demo name and clicked on "Add Miles" and put these values in these fields. Miles Done: asdf Reason For Travel: cause i wanted to Destination: mars Date Miles Done: asdf Clicked on "Add Miles" and it brought me to a page that said, "Miles Added Successfully Go Back" but nothing was added. I'm guessing if you don't have an incorrect type in the, 'Miles Done:' field or an incorrect date in the, 'Date Miles Done:' textfield than it just doesn't add this to the DB. Probably check these fields with some javascript. Link to comment Share on other sites More sharing options...
marksie1988 Posted September 5, 2008 Author Share Posted September 5, 2008 $pdf = pdf_new(); should be: <?php $pdf = PDF_new();?> i changed the line but still get the same error Link to comment Share on other sites More sharing options...
marksie1988 Posted September 5, 2008 Author Share Posted September 5, 2008 Not sure if this is a bug or you may have not got to this yet but here's what I did: I logged in on the demo name and clicked on "Add Miles" and put these values in these fields. Miles Done: asdf Reason For Travel: cause i wanted to Destination: mars Date Miles Done: asdf Clicked on "Add Miles" and it brought me to a page that said, "Miles Added Successfully Go Back" but nothing was added. I'm guessing if you don't have an incorrect type in the, 'Miles Done:' field or an incorrect date in the, 'Date Miles Done:' textfield than it just doesn't add this to the DB. Probably check these fields with some javascript. hi, i have just updated this now but yes you are correct i forgot about the fact that people could type text into miles done: but i will fix this soon. as for it not addint the miles that was due to me missing a bit of code out but i fixed that now EDIT: when i add the miles with text in the miles done it does add the miles but puts it as a 0 Link to comment Share on other sites More sharing options...
darkfreaks Posted September 5, 2008 Share Posted September 5, 2008 did you add htmlspecialchars(), trim(), strip_tags() to addmiles.php?, viewmiles.php and members.php? also if you have please manually delete all the entires my scanner added detecting this you have 40 pages of nothing but injection attacks Link to comment Share on other sites More sharing options...
darkfreaks Posted September 5, 2008 Share Posted September 5, 2008 also you have PHPSESSID fixation in your script please read up on securing it here: http://shiflett.org/articles/session-fixation Link to comment Share on other sites More sharing options...
darkfreaks Posted September 6, 2008 Share Posted September 6, 2008 i see you cleaned up your XSS quite nicely however lets take it a step further with an XSS function this will search for javascript functions inside the script tag that is currently remove and search and replace all javascript functions inside the script tag. <?php function RemoveXSS($val) { // remove all non-printable characters. CR(0a) and LF(0b) and TAB(9) are allowed // this prevents some character re-spacing such as <java\0script> // note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs $val = preg_replace('/([\x00-\x08,\x0b-\x0c,\x0e-\x19])/', '', $val); // straight replacements, the user should never need these since they're normal characters // this prevents like <IMG SRC=@avascript:alert('XSS')> $search = 'abcdefghijklmnopqrstuvwxyz'; $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'; $search .= '1234567890!@#$%^&*()'; $search .= '~`";:?+/={}[]-_|\'\\'; for ($i = 0; $i < strlen($search); $i++) { // ;? matches the ;, which is optional // 0{0,7} matches any padded zeros, which are optional and go up to 8 chars // @ @ search for the hex values $val = preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val); // with a ; // @ @ 0{0,7} matches '0' zero to seven times $val = preg_replace('/(�{0,8}'.ord($search[$i]).';?)/', $search[$i], $val); // with a ; } // now the only remaining whitespace attacks are \t, \n, and \r $ra1 = Array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base'); $ra2 = Array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload'); $ra = array_merge($ra1, $ra2); $found = true; // keep replacing as long as the previous round replaced something while ($found == true) { $val_before = $val; for ($i = 0; $i < sizeof($ra); $i++) { $pattern = '/'; for ($j = 0; $j < strlen($ra[$i]); $j++) { if ($j > 0) { $pattern .= '('; $pattern .= '(&#[xX]0{0,8}([9ab])'; $pattern .= '|'; $pattern .= '|(�{0,8}([9|10|13])'; $pattern .= ')*'; } $pattern .= $ra[$i][$j]; } $pattern .= '/i'; $replacement = substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2); // add in <> to nerf the tag $val = preg_replace($pattern, $replacement, $val); // filter out the hex tags if ($val_before == $val) { // no replacements were made, so exit the loop $found = false; } } } return $val; ?> Link to comment Share on other sites More sharing options...
marksie1988 Posted September 10, 2008 Author Share Posted September 10, 2008 ok i have now added the RemoveXSS function to the website and also the other things and i think it is all fixed please could you check again cheers Link to comment Share on other sites More sharing options...
darkfreaks Posted September 10, 2008 Share Posted September 10, 2008 it doeskin seem to be stripping document.title ??? are you including the functions page you included the function in ??? are you calling it like <?php include('functions.php'); $variable= RemoveXSS($variable);?> Link to comment Share on other sites More sharing options...
darkfreaks Posted September 10, 2008 Share Posted September 10, 2008 never mind you will need a separate function to do this. <?php function strip_clean($strip_clean) { $search="alert();"; $search.="document.title();"; $search.="prompt();"; $search.="confirm();"; $replace=""; return preg_replace($search,$replace,$strip_clean); }?> then to call it do something like <?php include('functions.php'); $variable= strip_clean($variable);?> Link to comment Share on other sites More sharing options...
marksie1988 Posted September 11, 2008 Author Share Posted September 11, 2008 ok i will add this function into the other one so that i don't have loads all over, will also cut down on code so faster loading Link to comment Share on other sites More sharing options...
darkfreaks Posted September 11, 2008 Share Posted September 11, 2008 let me know when its done Link to comment Share on other sites More sharing options...
Demonic Posted September 11, 2008 Share Posted September 11, 2008 BUG: When you delete 1 mileage from the overview you remove them all. Link to comment Share on other sites More sharing options...
marksie1988 Posted September 11, 2008 Author Share Posted September 11, 2008 yea i know about the deletion bug its i actually forgot to fix this, it is due to it not deleting the entry which then destroys the session meaning it doesnt know what your logged in as this will be fixed soon Link to comment Share on other sites More sharing options...
marksie1988 Posted September 11, 2008 Author Share Posted September 11, 2008 ok i added it to the removexss function but got an error saying that the delimiter cant be alphanumeric or backslash so i found the solution to that but now im getting on the line where the preg is shown but when i look online it says to use / as the modifier :S Warning: preg_replace() [function.preg-replace]: Unknown modifier '/' Link to comment Share on other sites More sharing options...
darkfreaks Posted September 11, 2008 Share Posted September 11, 2008 they have to be be seperate functions, the remove xss is based on regex and my function using search and replace functions. Link to comment Share on other sites More sharing options...
marksie1988 Posted September 11, 2008 Author Share Posted September 11, 2008 i now have them seperate and still getting it :S Link to comment Share on other sites More sharing options...
darkfreaks Posted September 11, 2008 Share Posted September 11, 2008 please paste the code Link to comment Share on other sites More sharing options...
Recommended Posts