dropfaith Posted October 9, 2008

http://lawrenceguide.org/user/index.php

So all my user-submitted values are mysql_real_escape_string'd, and inside the Member section as well. Anyone care to test out the security of it all? I know I still need to organize the user menus a bit, but I want to make sure it's secure before I really get into that step.

UserName: phpfreaks
Password: phpfreaks
Coreye Posted October 9, 2008

Full Path Disclosure: http://lawrenceguide.org/radio/index.php
    Warning: include(template/siteheaders.html) [function.include]: failed to open stream: No such file or directory in /home/www/lawrenceguide.org/www/radio/index.php on line 51
    Warning: include() [function.include]: Failed opening 'template/siteheaders.html' for inclusion (include_path='.:/usr/share/php') in /home/www/lawrenceguide.org/www/radio/index.php on line 51

Full Path Disclosure: http://lawrenceguide.org/restuarant/byreview.php
    Warning: include(template/siteheaders.html) [function.include]: failed to open stream: No such file or directory in /home/www/lawrenceguide.org/www/restuarant/byreview.php on line 92
    Warning: include() [function.include]: Failed opening 'template/siteheaders.html' for inclusion (include_path='.:/usr/share/php') in /home/www/lawrenceguide.org/www/restuarant/byreview.php on line 92

Full Path Disclosure: http://lawrenceguide.org/literature/byauthor.php?Author[]
    Notice: Array to string conversion in /home/www/lawrenceguide.org/www/literature/byauthor.php on line 53

Full Path Disclosure: http://lawrenceguide.org/rideshare/profile.php
    Notice: Undefined index: Id in /home/www/lawrenceguide.org/www/rideshare/profile.php on line 53

Full Path Disclosure: http://lawrenceguide.org/rideshare/profile.php?Id[]
    Notice: Array to string conversion in /home/www/lawrenceguide.org/www/rideshare/profile.php on line 53

Full Path Disclosure: http://lawrenceguide.org/services/services.php
    Notice: Undefined index: Stype in /home/www/lawrenceguide.org/www/services/services.php on line 51

Full Path Disclosure: http://lawrenceguide.org/services/services.php?Stype[]
    Notice: Array to string conversion in /home/www/lawrenceguide.org/www/services/services.php on line 51

Full Path Disclosure: http://lawrenceguide.org/events/events.php
    Notice: Undefined index: Type in /home/www/lawrenceguide.org/www/events/events.php on line 70

Full Path Disclosure: http://lawrenceguide.org/events/events.php?Type[]
    Notice: Array to string conversion in /home/www/lawrenceguide.org/www/events/events.php on line 70
    Notice: Undefined variable: row in /home/www/lawrenceguide.org/www/events/events.php on line 6
    Notice: Trying to get property of non-object in /home/www/lawrenceguide.org/www/events/events.php on line 6

Full Path Disclosure: http://lawrenceguide.org/business/businesstype.php
    Notice: Undefined index: Type in /home/www/lawrenceguide.org/www/business/businesstype.php on line 57

Full Path Disclosure: http://lawrenceguide.org/business/businesstype.php?Type[]
    Notice: Array to string conversion in /home/www/lawrenceguide.org/www/business/businesstype.php on line 57

Full Path Disclosure: http://lawrenceguide.org/links/links.php
    Notice: Undefined index: Type in /home/www/lawrenceguide.org/www/links/links.php on line 51

Full Path Disclosure: http://lawrenceguide.org/links/links.php?Type[]
    Notice: Array to string conversion in /home/www/lawrenceguide.org/www/links/links.php on line 51

Full Path Disclosure: http://lawrenceguide.org/film/profile.php
    Notice: Undefined index: MovieName in /home/www/lawrenceguide.org/www/film/profile.php on line 53

Full Path Disclosure: http://lawrenceguide.org/events/profile.php?Id[]
    Notice: Array to string conversion in /home/www/lawrenceguide.org/www/events/profile.php on line 14
    Notice: Array to string conversion in /home/www/lawrenceguide.org/www/events/profile.php on line 87

Full Path Disclosure: http://lawrenceguide.org/restuarant/foodtype.php?Type[]
    Notice: Array to string conversion in /home/www/lawrenceguide.org/www/restuarant/foodtype.php on line 18
    Notice: Array to string conversion in /home/www/lawrenceguide.org/www/restuarant/foodtype.php on line 108
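A worked example of the mechanism behind the findings above, added here and not part of Coreye's post or the site's own code. Appending `[]` to a query parameter makes `$_GET['Type']` an array instead of a string, so the first string operation on it raises "Array to string conversion"; reading a key that is absent raises "Undefined index"; and with display_errors on, every notice prints the script's filesystem path. The page and parameter names (`businesstype.php`, `Type`) come from the list above; the `business` table, its `Type` column and the `$connection` variable are assumptions.

```php
<?php
// Added example; not the site's code. Assumes an open mysql_* connection in
// $connection and a table `business` with a `Type` column (assumed names).

// On a public site, notices and warnings go to the log, not to the browser.
// The log line still contains the full path, but only the admin reads it.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

/**
 * Read one scalar query-string parameter.
 *   ?Type=Cafe  -> "Cafe"
 *   ?Type       -> null   (empty string)
 *   (absent)    -> null   (array_key_exists, so no "Undefined index" notice)
 *   ?Type[]     -> null   ($_GET['Type'] is array(""); using it as a string
 *                          is what produced "Array to string conversion")
 */
function get_string_param(array $source, $name, $maxlen = 64)
{
    if (!array_key_exists($name, $source)) {
        return null;
    }
    $value = $source[$name];
    if (!is_string($value)) {
        return null;
    }
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxlen) {
        return null;
    }
    return $value;
}

/**
 * Build the lookup query. The connection is passed explicitly because
 * mysql_real_escape_string() escapes according to that connection's
 * character set; without an open connection it warns and returns false.
 */
function build_type_query($connection, $type)
{
    $safe = mysql_real_escape_string($type, $connection);
    return "SELECT * FROM business WHERE Type = '" . $safe . "'";
}

$type = get_string_param($_GET, 'Type');
if ($type === null) {
    // A generic response: no file name, line number or SQL text.
    header('HTTP/1.0 400 Bad Request');
    echo 'Missing or invalid Type.';
    exit;
}
$result = mysql_query(build_type_query($connection, $type), $connection);
if ($result === false) {
    // Detail goes to the log; the visitor sees a neutral message.
    error_log('businesstype.php query failed: ' . mysql_error($connection));
    echo 'Temporary error, please try again.';
    exit;
}
```

The two halves are independent: turning off display_errors stops the path leaking whatever code runs, and rejecting non-string parameters stops the notices being raised at all, which also keeps `?Type[]` from reaching `mysql_real_escape_string()` (which itself warns when handed an array).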
dropfaith Posted October 9, 2008

Odd, I thought I cleared the Full Path Disclosure; guess I missed a lot of them.

Notice: Array to string conversion in /home/www/lawrenceguide.org/www/restuarant/foodtype.php on line 18

I have no idea how to fix those. Any advice?
dropfaith Posted October 11, 2008

Okay, all those are fixed finally. Anything else? I really need someone to check the user system; it's what I'm most worried about.

Username: phpfreaks
Password: phpfreaks
Coreye Posted October 11, 2008

Cross Site Scripting (XSS): You can submit ">code when adding rides.
Cross Site Scripting (XSS): You can submit ">code when adding movie reviews.
Cross Site Scripting (XSS): You can submit ">code when adding artists.
Cross Site Scripting (XSS): You can submit ">code when adding stories.
Cross Site Scripting (XSS): You can submit ">code when adding events.
Cross Site Scripting (XSS): You can submit ">code when adding services.
Cross Site Scripting (XSS): You can submit ">code when adding links.

SQL Error: When adding an artist.
    Error in query: INSERT INTO Art (Contact, Name, About, Medium, loginid, Website) VALUES('\\\">

Full Path Disclosure: http://www.lawrenceguide.org/film/theatre.php
    Warning: include(template/siteheaders.html) [function.include]: failed to open stream: No such file or directory in /home/www/lawrenceguide.org/www/film/theatre.php on line 95
    Warning: include() [function.include]: Failed opening 'template/siteheaders.html' for inclusion (include_path='.:/usr/share/php') in /home/www/lawrenceguide.org/www/film/theatre.php on line 95

Full Path Disclosure: http://www.lawrenceguide.org/restuarant/profile.php?Name[]
    Notice: Array to string conversion in /home/www/lawrenceguide.org/www/restuarant/profile.php on line 18
    Notice: Array to string conversion in /home/www/lawrenceguide.org/www/restuarant/profile.php on line 88
    Notice: Array to string conversion in /home/www/lawrenceguide.org/www/restuarant/profile.php on line 177
    Notice: Array to string conversion in /home/www/lawrenceguide.org/www/restuarant/profile.php on line 292
dropfaith Posted October 11, 2008

God, I suck. All those are fixed except the error adding an artist, as I don't seem to get it ever and things submit fine. I added

$Contact = htmlentities($cContact,ENT_QUOTES,"utf-8");

on everything that enters the db.
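An added example, not code from Coreye, dropfaith or the site, of the two separate controls behind the XSS and SQL findings above: placeholders for the INSERT, and HTML encoding at the moment a value is printed rather than before it is stored (so the database keeps the original text and the same value can go into an e-mail, a JSON response or an edit form without double-encoding). The stacked backslashes in the quoted error (`'\\\">`) are what a value looks like after being escaped twice, for instance magic_quotes_gpc followed by an explicit escape call, so the example also strips magic quotes when they are on. Table and column names follow the INSERT in the error message; the DSN, credentials, session key and `Id` column are placeholders, and PDO prepared statements are used in place of the thread's mysql_* calls.

```php
<?php
// Added example, not code from the thread or the site. DSN, credentials,
// the session key and the `Id` column are placeholders.
session_start();

/** Raw submitted text: undo magic_quotes_gpc if it is on, reject non-strings. */
function raw_post($name)
{
    if (!isset($_POST[$name]) || !is_string($_POST[$name])) {
        return '';
    }
    $v = $_POST[$name];
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $v = stripslashes($v);   // otherwise every quote arrives as \" already
    }
    return $v;
}

/** HTML-encode for element text or a double-quoted attribute. */
function e($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

/**
 * Store the artist exactly as typed. With placeholders, the quote and
 * backslash characters in the probe string are data, never SQL syntax, so
 * there is no "Error in query" and nothing to inject.
 */
function add_artist(PDO $db, array $in, $loginid)
{
    $stmt = $db->prepare(
        'INSERT INTO Art (Contact, Name, About, Medium, loginid, Website)
         VALUES (:contact, :name, :about, :medium, :loginid, :website)'
    );
    $stmt->execute(array(
        ':contact' => $in['Contact'],
        ':name'    => $in['Name'],
        ':about'   => $in['About'],
        ':medium'  => $in['Medium'],
        ':loginid' => (int) $loginid,
        ':website' => $in['Website'],
    ));
    return (int) $db->lastInsertId();
}

/**
 * Render one artist. Every value is encoded here, at the point it enters
 * HTML, and the href is additionally restricted to http(s), because
 * encoding does not neutralise a "javascript:" URL in an attribute.
 */
function render_artist(array $row)
{
    $site = $row['Website'];
    if (!preg_match('#^https?://#i', $site)) {
        $site = '';
    }
    $html  = '<div class="artist">';
    $html .= '<h2>' . e($row['Name']) . '</h2>';
    $html .= '<p>' . e($row['About']) . '</p>';
    $html .= '<p>Medium: ' . e($row['Medium']) . '</p>';
    if ($site !== '') {
        $html .= '<p><a href="' . e($site) . '">' . e($site) . '</a></p>';
    }
    return $html . '</div>';
}

$in = array();
foreach (array('Contact', 'Name', 'About', 'Medium', 'Website') as $f) {
    $in[$f] = raw_post($f);
}

$db = new PDO('mysql:host=localhost;dbname=lawrenceguide;charset=utf8',   // placeholder DSN
              'dbuser', 'dbpass',                                        // placeholders
              array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
$loginid = isset($_SESSION['loginid']) ? (int) $_SESSION['loginid'] : 0;  // assumed session key
$id  = add_artist($db, $in, $loginid);
$row = $db->query('SELECT * FROM Art WHERE Id = ' . $id)->fetch(PDO::FETCH_ASSOC);
echo render_artist($row);
// Submitting  "><script>alert(1)</script>  as the name stores that exact text and
// renders as &quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;: visible, not executed.
```

Encoding on the way in, as with `htmlentities()` before the INSERT, does block the `">` probe on pages that print the value as HTML, but it is the wrong layer: the stored text is no longer what the user typed, any page that prints it without the same assumption shows `&quot;` literally, and the SQL quoting problem is untouched. Escaping or placeholders protect the query; encoding at output protects the HTML; the two do not substitute for each other.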
darkfreaks Posted October 13, 2008

SQL injection passed / XSS injection passed
dropfaith Posted October 13, 2008

I'm also blocking any HTML entries via JavaScript (I know, not secure, client-side, but I'll make a server-side one once I figure out how). You think I'm secure for user inputs (seeing as the entire site needs them to run)?
darkfreaks Posted October 13, 2008

With XSS Me and SQL Inject Me I can only test user input forms on the site. If you wish me to use my professional scanner, I can?
dropfaith Posted October 13, 2008

Please do if you have the time. I have everything on the server backed up on my hard drive, including the current SQL file for the entire database, so all I need to do is re-upload it all if anything goes wrong. So do as much as you feel like as far as testing the security.
darkfreaks Posted October 13, 2008

XSS: template/contact.php
dropfaith Posted October 13, 2008

Is that all you found? I didn't even think to check that. I just checked my email and had like 65 emails from it though, haha. I wasn't sure you needed to XSS-secure those; it never goes to the db or connects? I'll do it though, won't be a long fix. Thanks
darkfreaks Posted October 13, 2008

SQL Injection:
    news.php
    rides.php
    contact.php
    index.php
    lostpassword.php
    register.php
    profile.php
    businesstype.php
    bygenre.php
    permalink.php
    reviews.php
dropfaith Posted October 13, 2008

Wait, what? I'm not seeing any input fields on any of those and can't get the [] to get full path disclosure. What exactly is going on for those pages? How should I fix them (other than contact; that's unsecure, I know this)?
darkfreaks Posted October 13, 2008

mysql_real_escape_string(), trim() should escape most of that
dropfaith Posted October 13, 2008

trim()? I'm new to PHP for the most part; should I add trim to everything I have mysql_escape_string on? I'm gonna change all the mysql_escape_string to the real escape string tomorrow; seems like the more used code. I'm pretty sure mysql_real_escape_string is on all my GET functions, which is where I'm assuming you're injecting from on those pages.
darkfreaks Posted October 13, 2008

Just so you know, mysql_escape_string is outdated. trim() makes sure there are no empty spaces or it is not NULL.
dropfaith Posted October 13, 2008

Yeah, I know it's outdated; found out the other day when fixing some security holes I missed. Got a lot to fix, gonna have to open up like 100 pages in an HTML edit program and replace all. I'm still confused as to how you're doing SQL injection on pages that aren't connected to a database at all. They don't even all have a db connect file, like contact and index never see my db. My news page is below as well; I have no idea how to secure that. It's db driven; there's no form to submit data though, I just log into phpMyAdmin for it.

```php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title><?php include("template/sitename.html"); ?> News Section</title>
<meta name="description" content="News Section at <?php include("template/sitename.html"); ?> Your connection to the <?php include("template/location.html"); ?> music, Art, Literature, scene." />
<meta name="keywords" content="<?php include("template/location.html"); ?> Artists, <?php include("template/location.html"); ?> Shows, Rideshare Board, <?php include("template/location.html"); ?> Stories, <?php include("template/location.html"); ?> Business, <?php include("template/location.html"); ?> restuarants, <?php include("template/location.html"); ?> Radio, <?php include("template/location.html"); ?> Bands, <?php include("template/location.html"); ?> art, <?php include("template/location.html"); ?> artists, <?php include("template/location.html"); ?> Music, " />
<?php include("template/meta.html"); ?>
</head>
<body>
<div class="contain">
<!-- start Header -->
<div class="header"><?php include("template/header.html"); ?></div>
<!-- End Header Start TopNav -->
<div id="listmenu">
<?php include("template/topnav.html"); ?>
</div>
<div class="clear"></div>
<!-- End Top Nav Start left Side Nav -->
<!-- End left Side Nav Start Ad Content Right Side-->
<div class="ad">
<?php include("template/ads.html"); ?>
</div>
<!--End Ad Right Side Start Center Main Conent -->
<div class="content">
<?php
// includes
include("template/conf.php");

// open database connection
$connection = mysql_connect($host, $user, $pass) or die ("Unable to connect!");

// select database
mysql_select_db($db) or die ("Unable to select database!");

// find out how many rows are in the table
$sql = "SELECT COUNT(*) FROM news";
$result = mysql_query($sql, $connection) or trigger_error("SQL", E_USER_ERROR);
$r = mysql_fetch_row($result);
$numrows = $r[0];

// number of rows to show per page
$rowsperpage = 1;
// find out total pages
$totalpages = ceil($numrows / $rowsperpage);

// get the current page or set a default
if (isset($_GET['currentpage']) && is_numeric($_GET['currentpage'])) {
    // cast var as int
    $currentpage = (int) $_GET['currentpage'];
} else {
    // default page num
    $currentpage = 1;
} // end if

// if current page is greater than total pages...
if ($currentpage > $totalpages) {
    // set current page to last page
    $currentpage = $totalpages;
} // end if
// if current page is less than first page...
if ($currentpage < 1) {
    // set current page to first page
    $currentpage = 1;
} // end if

// the offset of the list, based on current page
$offset = ($currentpage - 1) * $rowsperpage;

// get the info from the db
$sql = "SELECT * FROM news order by Id asc LIMIT $offset, $rowsperpage";
$result = mysql_query($sql, $connection) or trigger_error("SQL", E_USER_ERROR);

// while there are rows to be fetched...
while ($list = mysql_fetch_assoc($result)) {
    // echo data
    echo "<div class=\"story\">";
    echo "<div class=\"title\"><a style=\"text-decoration:none;\" href=\"permalink.php?Id=" . $list['Id'] . "\">" . $list['Title'] . "</a></div>";
    echo "<div class=\"date\">" . $list['Date'] . "</div>";
    echo "<div class=\"fullnews\">" . $list['News'] . "</div>";
} // end while

echo "<div class=\"date\" style=\"text-align:center\">";

/****** build the pagination links ******/
// range of num links to show
$range = 3;

// if not on page 1, don't show back links
if ($currentpage > 1) {
    // show << link to go back to page 1
    echo " <a href='{$_SERVER['PHP_SELF']}?currentpage=1'>Oldest News</a> ";
    // get previous page num
    $prevpage = $currentpage - 1;
    // show < link to go back to 1 page
    echo " <a href='{$_SERVER['PHP_SELF']}?currentpage=$prevpage'>Previous Page</a> ";
} // end if

// if not on last page, show forward and last page links
if ($currentpage != $totalpages) {
    // get next page
    $nextpage = $currentpage + 1;
    // echo forward link for next page
    echo " <a href='{$_SERVER['PHP_SELF']}?currentpage=$nextpage'>Next Page</a> ";
    // echo forward link for lastpage
    echo " <a href='{$_SERVER['PHP_SELF']}?currentpage=$totalpages'>Most Recent</a> ";
} // end if
/****** end build pagination links ******/

echo "</div>";
echo "</div>";
?>
</div>
<!-- End Center Main Conent -->
<div class="clear"></div>
<!-- footer -->
<div class="footer">
<?php include("template/footer.html"); ?>
</div>
<!--end footer -->
</div>
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
var pageTracker = _gat._getTracker("UA-5689346-3");
pageTracker._trackPageview();
</script>
</body>
</html>
```
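The pagination part of the news page above, rewritten as an added example (this is not dropfaith's code). The `LIMIT` values in the page as posted are already integers, so the query itself is not where user input lands; the two things the rewrite changes are that the page number is validated with `ctype_digit()` instead of `is_numeric()` (which also accepts `" 1"`, `"1e3"` and hex-like strings) and that the link target is a fixed script name rather than `$_SERVER['PHP_SELF']`, which, where path info is enabled, echoes whatever follows `news.php/` in the request URL straight into the single-quoted `href`. The `$connection` variable and `news` table are taken from the post; the script name `news.php` is an assumption.

```php
<?php
// Added example, not dropfaith's news.php. $connection and the `news` table
// come from the post above; the fixed script name 'news.php' is an assumption.

/** Page number from the query string: non-digit strings, arrays and '' all give 1. */
function current_page($raw, $totalpages)
{
    if (!is_string($raw) || !ctype_digit($raw)) {
        return 1;
    }
    $page = (int) $raw;
    if ($page < 1) {
        return 1;
    }
    if ($totalpages >= 1 && $page > $totalpages) {
        return $totalpages;
    }
    return $page;
}

/** LIMIT is built only from integers, so nothing the client sent reaches the SQL text. */
function news_query($offset, $rowsperpage)
{
    return sprintf('SELECT Id, Title, Date, News FROM news ORDER BY Id ASC LIMIT %d, %d',
                   (int) $offset, (int) $rowsperpage);
}

/**
 * One pagination link. $self is a constant script name rather than
 * $_SERVER['PHP_SELF']: with path info enabled, a request for
 *     news.php/'><script>...</script>
 * makes PHP_SELF contain the payload, and the original single-quoted href
 * printed it verbatim. Both href and label are encoded anyway.
 */
function page_link($self, $page, $label)
{
    $href = htmlspecialchars($self, ENT_QUOTES, 'UTF-8') . '?currentpage=' . (int) $page;
    return ' <a href="' . $href . '">' . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a> ';
}

function page_links($currentpage, $totalpages, $self = 'news.php')
{
    $html = '';
    if ($currentpage > 1) {
        $html .= page_link($self, 1, 'Oldest News');
        $html .= page_link($self, $currentpage - 1, 'Previous Page');
    }
    if ($currentpage < $totalpages) {
        $html .= page_link($self, $currentpage + 1, 'Next Page');
        $html .= page_link($self, $totalpages, 'Most Recent');
    }
    return $html;
}

// --- page body: replaces everything from "find out how many rows" to the closing echo ---
$rowsperpage = 1;
$count = mysql_query('SELECT COUNT(*) FROM news', $connection) or trigger_error('SQL', E_USER_ERROR);
$r = mysql_fetch_row($count);
$totalpages  = (int) ceil($r[0] / $rowsperpage);
$currentpage = current_page(isset($_GET['currentpage']) ? $_GET['currentpage'] : '', $totalpages);
$offset      = ($currentpage - 1) * $rowsperpage;

$result = mysql_query(news_query($offset, $rowsperpage), $connection)
    or trigger_error('SQL', E_USER_ERROR);
while ($list = mysql_fetch_assoc($result)) {
    echo '<div class="story">';
    echo '<div class="title"><a href="permalink.php?Id=' . (int) $list['Id'] . '">'
       . htmlspecialchars($list['Title'], ENT_QUOTES, 'UTF-8') . '</a></div>';
    echo '<div class="date">' . htmlspecialchars($list['Date'], ENT_QUOTES, 'UTF-8') . '</div>';
    // News is entered by the admin through phpMyAdmin and contains markup; treated as trusted here.
    echo '<div class="fullnews">' . $list['News'] . '</div>';
    echo '</div>';
}
echo '<div class="date" style="text-align:center">' . page_links($currentpage, $totalpages) . '</div>';
```

The same pattern applies to the other pages in darkfreaks' list that take a record id (`permalink.php?Id=`, `profile.php?Id=`): cast the id to int before it goes anywhere near the query, and encode anything echoed back into the page.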
darkfreaks Posted October 13, 2008

It does connect to a DB, the news page; just make sure you output all the variables with those functions to avoid SQL attacks.
dropfaith Posted October 13, 2008

Right, news does, but the main index page and contact never touch a database? I'll be escaping everything with trim() when I do the real escape string, but the contact page is the confusing one, mainly because it just emails me. In fact I have about 200 emails right now. I just added some security to it, not much, but I added htmlentities and escape string.
darkfreaks Posted October 13, 2008

Yeah, you're being botted by spambots. If you have a hidden field or input field with the email address, try something in JavaScript like

```html
<script language="javascript">
<!--
var username = "username";
var hostname = "yourdomain.com";
var linktext = username + "@" + hostname;
document.write("<input type=hidden name=email value=" + username + "@" + hostname + ">");
document.write(username + "@" + hostname);
//-->
</script>
```
dropfaith Posted October 13, 2008

My email address isn't in a hidden field; it's in the PHP on template/contact.php. God, I suck with security.

```html
<form method="post" action="template/contact.php">
<?php
$ipi = getenv("REMOTE_ADDR");
$httprefi = getenv("HTTP_REFERER");
$httpagenti = getenv("HTTP_USER_AGENT");
?>
<input type="hidden" name="ip" value="<?php echo $ipi ?>" />
<input type="hidden" name="httpref" value="<?php echo $httprefi ?>" />
<input type="hidden" name="httpagent" value="<?php echo $httpagenti ?>" />
<p><label>Name: </label> <input type="text" name="name" size="40" /><br /></p>
<p><label>Subject: </label>
<select name="subject" style="width:150px;">
<option value="Advertise">Advertise</option>
<option value="Support">Support</option>
<option value="Web_Design">Web Master</option>
<option value="Problem">Problem</option>
</select>
<br /></p>
<p><label>Email:</label> <input type="text" name="email" size="40" /><br /></p>
<p><label>Comments:</label><textarea rows="5" name="message" cols="30"></textarea><br /></p>
<p><input type="submit" name="submit" value="Send!"/></p>
</form>
```

template/contact.php

```php
<?php
$cip = mysql_escape_string($_POST['ip']);
$chttpref = mysql_escape_string($_POST['httpref']);
$chttpagent = mysql_escape_string($_POST['httpagent']);
$cname = mysql_escape_string($_POST['name']);
$cemail = mysql_escape_string($_POST['email']);
$cmessage = mysql_escape_string($_POST['message']);
$csubject = mysql_escape_string($_POST['subject']);

$ip = htmlentities($cip,ENT_QUOTES,"utf-8");
$httpref = htmlentities($chttpref,ENT_QUOTES,"utf-8");
$httpagent = htmlentities($chttpagent,ENT_QUOTES,"utf-8");
$name = htmlentities($cname,ENT_QUOTES,"utf-8");
$email = htmlentities($cemail,ENT_QUOTES,"utf-8");
$message = htmlentities($cmessage,ENT_QUOTES,"utf-8");
$subject = htmlentities($csubject,ENT_QUOTES,"utf-8");

if (eregi('http:', $message)) {
    die ("Do NOT try that! ! ");
}

if(!$email == "" && (!strstr($email,"@") || !strstr($email,"."))) {
    echo "<h2>Use Back - Enter valid e-mail</h2>\n";
    $badinput = "<h2>Feedback was NOT submitted</h2>\n";
    echo $badinput;
    die ("Go back! ! ");
}

if(empty($name) || empty($email) || empty($message)) {
    echo "<h2>Use Back - fill in all fields</h2>\n";
    die ("Use back! ! ");
}

$todayis = date("l, F j, Y, g:i a");
$subject = $subject;
$message = stripcslashes($message);

$message1 = " $todayis [EST] \n Subject: $subject \n Message: $message \n From: $name ($email)\n Additional Info : IP = $ip \n Browser Info: $httpagent \n Referral : $httpref \n ";
$from = "From: $email\r\n";

mail("dropfaith@gmail.com", $subject, $message1, $from);
?>
```
darkfreaks Posted October 13, 2008

OK, where your email is now between quotes, put

```html
<script language="javascript">
<!--
var username = "dropfaith";
var hostname = "gmail.com";
var linktext = username + "@" + hostname;
document.write(username + "@" + hostname);
//-->
</script>
```
dropfaith Posted October 13, 2008

It's triggering the bad input for email address, even though I'm typing valid emails in. Not sure what caused that.

```php
<?php
$cip = mysql_escape_string('ip');
$chttpref = mysql_escape_string('httpref');
$chttpagent = mysql_escape_string('httpagent');
$cname = mysql_escape_string('name');
$cemail = mysql_escape_string('email');
$cmessage = mysql_escape_string('message');
$csubject = mysql_escape_string('subject');

$ip = htmlentities($cip,ENT_QUOTES,"utf-8");
$httpref = htmlentities($chttpref,ENT_QUOTES,"utf-8");
$httpagent = htmlentities($chttpagent,ENT_QUOTES,"utf-8");
$name = htmlentities($cname,ENT_QUOTES,"utf-8");
$email = htmlentities($cemail,ENT_QUOTES,"utf-8");
$message = htmlentities($cmessage,ENT_QUOTES,"utf-8");
$subject = htmlentities($csubject,ENT_QUOTES,"utf-8");

if (eregi('http:', $message)) {
    die ("Do NOT try that! ! ");
}

if(!$email == "" && (!strstr($email,"@") || !strstr($email,"."))) {
    echo "<h2>Use Back - Enter valid e-mail</h2>\n";
    $badinput = "<h2>Feedback was NOT submitted</h2>\n";
    echo $badinput;
    die ("Go back! ! ");
}

if(empty($name) || empty($email) || empty($message)) {
    echo "<h2>Use Back - fill in all fields</h2>\n";
    die ("Use back! ! ");
}

$todayis = date("l, F j, Y, g:i a");
$subject = $subject;
$message = stripcslashes($message);

$message1 = " $todayis [EST] \n Subject: $subject \n Message: $message \n From: $name ($email)\n Additional Info : IP = $ip \n Browser Info: $httpagent \n Referral : $httpref \n ";
$from = "From: $email\r\n";

mail("<script language=javascript>
<!--
var username = \"dropfaith\";
var hostname = \"gmail.com\";
var linktext = username + \"@\" + hostname;
document.write(username + \"@\" + hostname)
//-->
</script>
", $subject, $message1, $from);
?>
```
darkfreaks Posted October 13, 2008

Try putting the JavaScript in a variable called $myemail = "javascript here"; then in the mail code put mail($myemail, $subject, $message1, $from);
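The contact handler discussed in the last several posts, written out as an added example; this is not the thread's template/contact.php and not darkfreaks' suggestion. It reads the submitted values from `$_POST`, validates the address with `filter_var()`, and keeps everything the visitor typed out of the mail headers. That last point is the one the original handler does not cover: `$from = "From: $email\r\n"` puts a user-supplied string into a header, and a value containing a CR/LF pair followed by `Bcc:` turns the form into a relay, which is one reason a form like this attracts bots. `mysql_escape_string()` and `htmlentities()` are not used here because nothing in this script goes to a database or to a browser as HTML; the recipient, the From domain and the honeypot field name `website` (a field hidden by CSS and expected to stay empty) are placeholders.

```php
<?php
// Added example; not the thread's template/contact.php. The recipient, the
// From domain and the honeypot field name are placeholders.

define('CONTACT_TO',   'webmaster@example.org');   // placeholder
define('CONTACT_FROM', 'contact@example.org');     // placeholder, own domain

/** POSTed field as a trimmed string; '' if missing or not scalar (e.g. name[]). */
function post_field(array $post, $name, $maxlen)
{
    if (!isset($post[$name]) || !is_string($post[$name])) {
        return '';
    }
    $v = trim($post[$name]);
    return strlen($v) > $maxlen ? substr($v, 0, $maxlen) : $v;
}

/**
 * CR, LF or NUL in a value that reaches a header lets the sender append
 * headers of their own (Bcc:, extra To:), which is how a contact form is
 * turned into a spam relay.
 */
function has_header_injection($value)
{
    return preg_match("/[\r\n\0]/", $value) === 1;
}

/** Validated address or null. FILTER_VALIDATE_EMAIL rejects CR/LF itself; checked anyway. */
function clean_email($value)
{
    if (has_header_injection($value)) {
        return null;
    }
    $ok = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $ok === false ? null : $ok;
}

/**
 * Returns array('error' => message) or array(to, subject, body, headers).
 * The sender's address goes in Reply-To; From is our own address, because
 * mail claiming to be From an arbitrary domain is often rejected as forged.
 */
function prepare_contact_mail(array $post, array $server)
{
    $subjects = array('Advertise', 'Support', 'Web_Design', 'Problem');   // the form's option values

    // Honeypot: humans leave the hidden field empty, most bots fill every field in.
    if (post_field($post, 'website', 10) !== '') {
        return array('error' => 'Rejected.');
    }
    $name    = post_field($post, 'name', 80);
    $subject = post_field($post, 'subject', 20);
    $message = post_field($post, 'message', 4000);
    $email   = clean_email(post_field($post, 'email', 254));

    if ($name === '' || $message === '' || $email === null) {
        return array('error' => 'Please fill in all fields with a valid e-mail address.');
    }
    if (!in_array($subject, $subjects, true) || has_header_injection($name)) {
        return array('error' => 'Invalid input.');
    }

    // Taken from the request on the server, not from hidden form fields the
    // client can edit; placed in the body only, never in a header.
    $ip  = isset($server['REMOTE_ADDR'])     ? $server['REMOTE_ADDR']     : 'unknown';
    $ua  = isset($server['HTTP_USER_AGENT']) ? $server['HTTP_USER_AGENT'] : '';
    $ref = isset($server['HTTP_REFERER'])    ? $server['HTTP_REFERER']    : '';

    $body = date('l, F j, Y, g:i a') . "\n"
          . "Subject: $subject\nFrom: $name ($email)\n"
          . "IP: $ip\nBrowser: $ua\nReferral: $ref\n\n$message\n";
    $headers = 'From: ' . CONTACT_FROM . "\r\n" . 'Reply-To: ' . $email . "\r\n";

    return array('to' => CONTACT_TO, 'subject' => 'Site contact: ' . $subject,
                 'body' => $body, 'headers' => $headers);
}

$m = prepare_contact_mail($_POST, $_SERVER);
if (isset($m['error'])) {
    echo '<h2>' . htmlspecialchars($m['error'], ENT_QUOTES, 'UTF-8') . '</h2>';
    exit;
}
mail($m['to'], $m['subject'], $m['body'], $m['headers']);
echo '<h2>Thanks, your message was sent.</h2>';
```

The recipient address lives only in this server-side file, so it is never in the HTML a bot could scrape, and `mail()` needs a plain address string as its first argument: anything else in that position, including a block of JavaScript, is passed to the MTA as-is and the message is not delivered.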