UrbanTwitch
Posted September 28, 2008

In the past few months, I've been coding. I have been making a profile system along with a gallery. If you would, please take the time to visit my site and beta test for ANY kind of bugs you see. Whether it be style, coded, or even generic bugs. Post 'em.

http://sodadome.com

Coreye
Posted September 28, 2008

Cross Site Scripting (XSS): You can submit ">code when logging in and it executes on the next page.

Cross Site Scripting (XSS): You can submit ">code when adding comments to the news articles.

Cross Site Scripting (XSS): You can submit ">code when sending PM's.

Includes directory: http://sodadome.com/includes/

Full Path Disclosure: http://sodadome.com/includes/footer.php

Warning: mysql_query() [function.mysql-query]: Access denied for user 'jsfdan'@'localhost' (using password: NO) in /home/jsfdan/public_html/includes/footer.php on line 7
Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/jsfdan/public_html/includes/footer.php on line 7
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/jsfdan/public_html/includes/footer.php on line 7
Warning: mysql_query() [function.mysql-query]: Access denied for user 'jsfdan'@'localhost' (using password: NO) in /home/jsfdan/public_html/includes/footer.php on line 8
Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/jsfdan/public_html/includes/footer.php on line 8
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/jsfdan/public_html/includes/footer.php on line 8
Warning: mysql_query() [function.mysql-query]: Access denied for user 'jsfdan'@'localhost' (using password: NO) in /home/jsfdan/public_html/includes/footer.php on line 9
Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/jsfdan/public_html/includes/footer.php on line 9
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/jsfdan/public_html/includes/footer.php on line 9
Warning: mysql_query() [function.mysql-query]: Access denied for user 'jsfdan'@'localhost' (using password: NO) in /home/jsfdan/public_html/includes/footer.php on line 10
Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/jsfdan/public_html/includes/footer.php on line 10
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/jsfdan/public_html/includes/footer.php on line 10
Warning: mysql_query() [function.mysql-query]: Access denied for user 'jsfdan'@'localhost' (using password: NO) in /home/jsfdan/public_html/includes/footer.php on line 11
Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/jsfdan/public_html/includes/footer.php on line 11
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/jsfdan/public_html/includes/footer.php on line 12
Warning: mysql_query() [function.mysql-query]: Access denied for user 'jsfdan'@'localhost' (using password: NO) in /home/jsfdan/public_html/includes/footer.php on line 14
Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/jsfdan/public_html/includes/footer.php on line 14
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/jsfdan/public_html/includes/footer.php on line 14

Full Path Disclosure: http://sodadome.com/reg.php

Fatal error: Cannot redeclare protect() (previously declared in /home/jsfdan/public_html/config.php:50) in /home/jsfdan/public_html/config.php on line 60

Full Path Disclosure: http://sodadome.com/CaptchaSecurityImages.php?width[]

Fatal error: Unsupported operand types in /home/jsfdan/public_html/CaptchaSecurityImages.php on line 52

Full Path Disclosure: http://sodadome.com/friendrequest.php?user[]

Warning: htmlspecialchars() expects parameter 1 to be string, array given in /home/jsfdan/public_html/friendrequest.php on line 23

UrbanTwitch
Posted September 28, 2008

No worries about the full path closure. How do I remove the ability to post scripts in the areas you mentioned and how did get a blank username getting past the filter?
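
An added example, not part of the thread and not code from the site under test: one way to address the reported issues is to reject non-string and blank parameters before use, HTML-encode every value at output time, and keep PHP error messages out of responses. The helper names `param_string()` and `e()` and the sample inputs are hypothetical.

```php
<?php
// Added example: hypothetical helpers, not code from sodadome.com.

// Path disclosure: log errors instead of printing them to visitors.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Read a request parameter as a string.
 * Returns null when it is missing, blank, too long, or arrives as an
 * array (e.g. ?user[]=x), the input shape behind the htmlspecialchars()
 * and "Unsupported operand types" messages reported in the thread.
 */
function param_string(array $source, string $key, int $maxLen = 255): ?string
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return null;
    }
    $value = trim($source[$key]);
    if ($value === '' || strlen($value) > $maxLen) {
        return null; // also rejects whitespace-only usernames
    }
    return $value;
}

/** Encode a value for HTML text and for quoted attribute values. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input standing in for $_GET / $_POST.
$samples = [
    ['user' => '"><b>x</b>'], // markup that tries to close an attribute
    ['user' => ['x']],        // friendrequest.php?user[] style request
    ['user' => '   '],        // blank username
];

foreach ($samples as $request) {
    $user = param_string($request, 'user');
    if ($user === null) {
        echo "rejected: invalid or missing username\n";
        continue;
    }
    // The unsafe form would concatenate $user directly into the markup.
    echo '<input name="user" value="' . e($user) . '">' . "\n";
}
```

The same `e()` call belongs wherever stored values such as news comments, PMs and usernames are echoed back, since encoding at output covers data that was saved before any input filter existed.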