looking for testers for auction script

[Renlok]

Im working on an auction script im looking for some people to test it.

download from http://sourceforge.net/project/showfiles.php?group_id=181393

and youll have to install on your localhost to test it, id be really grateful if anyone could have a look at it.

 

Well thanks in advance for any feedback.

 

http://www.webidsupport.com/

 

[waynewex]

Why not throw the script up online on 000webhost.com for testing purposes? Thats what I did for mine.

[darkfreaks]

make sure the < is encoded other than that good job

[Renlok]

make sure the < is encoded other than that good job

what do you mean by that?

[darkfreaks]

make sure the < is encoded other than that good job

what do you mean by that?

 

http://php.group.stumbleupon.com/forum/37465/ 

[Renlok]

ok and i uploaded it so its easier to test if anyone else is going to have a look

http://webid.freehostia.com/

 

admin panel:

http://webid.freehostia.com/admin/

username and password: admin

[Coreye]

Cross Site Scripting(XSS):

You can submit ">code when adding users in the admin panel and it executes on adminusers.php.

 

Cross Site Scripting(XSS):

You can submit ">code when registering.

 

Cross Site Scripting(XSS):

You can submit ">code when using the forgot password page.

 

Cross Site Scripting(XSS):

You can submit ">code when adding the 'Error E-mail Address'.

 

Cross Site Scripting(XSS):

http://webid.freehostia.com/csseditor_.php?thestyle=%22%3E%3Cmarquee%3E%3Ch1%3Etest&sel=.container&from=\&color=border

 

You can break files by inputting < into the input fields.

http://webid.freehostia.com/admin/defaultcountry.php

Parse error: parse error, unexpected '<' in /home/www/webid.freehostia.com/includes/countries.inc.php on line 3

 

http://webid.freehostia.com/admin/membertypes.php

Parse error: parse error, unexpected '<' in /home/www/webid.freehostia.com/includes/membertypes.inc.php on line 22

 

You can view csseditor_.php with out being logged in as an admin.

http://webid.freehostia.com/csseditor_.php?thestyle=themes/default/style.css&sel=.container&from=colors.php&color=border

 

Includes Directory:

http://webid.freehostia.com/includes/

 

When registering it says incorrect date format, even though it's correct.

 

Full Path Disclosure:

http://webid.freehostia.com/viewfaqs.php?cat

Warning: mysql_result() [function.mysql-result]: Unable to jump to row 0 on MySQL result index 17 in /home/www/webid.freehostia.com/viewfaqs.php on line 44

[darkfreaks]

he does have alot of parse erros whoa!

[darkfreaks]

Vulnerability description

By this form input is possible to upload a file to the server.

This vulnerability affects /themes/default/sell.php.

The impact of this vulnerability

User may upload malicious files to server.

 

 

Vulnerability description

An attacker with local access could obtain the cleartext password from the browser cache.

The impact of this vulnerability

Possible sensitive information disclosure

How to fix this vulnerability

The password autocomplete should be disabled in sensitive applications.

To disable autocomplete, you may use a code similar to:

<INPUT TYPE="password" AUTOCOMPLETE="off">

 

Vulnerability description

This page contains an error/warning message that may disclose the sensitive information.The message can also contain the location of the file that produced the unhandled exception.

 

 

This vulnerability affects /forgotpasswd.php.

The impact of this vulnerability

The error messages may disclose sensitive information. This information can be used to launch further attacks.

 

 

how to fix

Properly sanitize your data with strip_tags(),trim()

[darkfreaks]

 

Vulnerability description

This page contains an error/warning message that may disclose the sensitive information.The message can also contain the location of the file that produced the unhandled exception.

 

 

This vulnerability affects /viewfaqs.php

The impact of this vulnerability

The error messages may disclose sensitive information. This information can be used to launch further attacks.

 

 

how to fix

Properly sanitize your data with strip_tags(),trim()

[Renlok]

OK one thing im curious of, after you guys found these vunerabilities http://webid.freehostia.com/ got hacked and turned into a phishing site by whoever hacked it. Could he of hacked it with the things you flagged up or would he of had of found some other vulnerability?

[Hinty]

Check your database for any javascript redirection

[Hinty]

Directory Traversal

 

On your CSS style editor found at:

http://webid.freehostia.com/csseditor_.php?thestyle=themes/default/style.css&sel=.container&from=colors.php&color=border

 

On changing the 'thestyle' to 'index.php' it edits the homepage.

This could have been how your site was hacked.

[darkfreaks]

Warning: main(loggedin.inc.php) [function.main]: failed to open stream: No such file or directory in /home/www/webid.freehostia.com/admin/home.php on line 15

 

Warning: main() [function.include]: Failed opening 'loggedin.inc.php' for inclusion (include_path='.:/usr/local/lib/php') in /home/www/webid.freehostia.com/admin/home.php on line 15

 

 

[Renlok]

Directory Traversal

 

On your CSS style editor found at:

http://webid.freehostia.com/csseditor_.php?thestyle=themes/default/style.css&sel=.container&from=colors.php&color=border

 

On changing the 'thestyle' to 'index.php' it edits the homepage.

This could have been how your site was hacked.

 

yeah well you can delete everything on the index page with that but you cant add anything to it other than css

[Hinty]

I could put anythin i wanted including PHP and javascript

[darkfreaks]

XSS Injection auction_watch.php:

<?php
echo "<input type=hidden name=add value=".$_REQUEST['add'].">";?>

 

Fix:

<?php
echo "<input type=hidden name=add value=".htmlspecialchars($_REQUEST['add']).">";?>

 

 

 

XSS Injection bid.php

 

<?php
print $ERR_001;?>

 

 

Fix:

<?php
print htmlspecialchars($ERR_001);?>

 

[darkfreaks]

XSS Injection closed_auctions.php

<?php
print "
<tr>
<td><br><br><span class=\"errorfont\">$ERR_100</span><br><br></td>
</tr>";
print "$ERR_001<br>$query<br>".mysql_error();

?>

Fix:

<?php
print "
<tr>
<td><br><br><span class=\"errorfont\">".htmlspecialchars($ERR_100)."</span><br><br></td>
</tr>";
print "".htmlspecialchars($ERR_001)."<br>".htmlspecialchars($query)."<br>";
if(!$query) {die(mysql_error());}

?>

[Renlok]

i dont really understand how there can be a risk of XSS with something like $ERR_001 as its just a language string which is displayed in the template

[darkfreaks]

you still can use the REQUEST variable to request the string and inject shit into it. its not foul hack proof either

 

i suggest you fix this

[Renlok]

oh right ok then. and reuploaded it to http://webid.freehostia.com/ with all the fixes so far. and thanks for your help so far.

[darkfreaks]

also when you put short tags like <?= ?> with no semicolons that is very bad.

 

use <?php ?> with semicolons after you define variables.

 

im finding alot of that in your code. 

 

also when you output PHP inside a form input  be sure to sanitize it using htmlspecialchars()

[darkfreaks]

also your sanitization is shit poor try using this function. should clean all POST variables

 

<?php 
function clean($var){
$var=trim(strip_tags(mysql_real_escape_string($var)));
$var=htmlspecialchars($var,ENT_QUOTES);}

array_walk_recursive($_POST,'clean');
array_walk_recursive($_REQUEST,'clean');
array_walk_recursive($_GET,'clean');
//php 4 version array_walk($_POST,'clean');//
//php 4 version array_walk($_REQUEST,'clean');//
//php 4 version array_walk($_GET,'clean');//
?>

[darkfreaks]

Updated the function and output so it cleans GET an REQUEST form input. also you will have to call the array_walk_recursive() part of it on every page. if you want it to be cleaned without calling the actual function on every variable.