phpflavor Posted May 15, 2009

Well this is a video script that I kinda threw together. It's still kinda in its alpha stage. But if I could get some info on it that would be awesome. Also any errors, flaws, etc. that I don't see. I made this off my Linux box in the text file "gedit". I do not have a Windows box so I hope it looks OK in IE. I am pretty sure that there are some things that don't show right in IE. Please tell me so I can fix.

http://phpflavor.com/forum/viewtopic.php?f=9&t=422&p=478#p478 that is where the script is for the download

Demo: http://stagevid.net/index.php

Adam Posted May 18, 2009

Getting an error on the upload page:

Notice: Undefined variable: top_banner in /var/www/web10/web/ubr_file_upload.php on line 203

View count of videos never increases, they're always on 0.

On I think every page there's at least 1 empty box - generally just doesn't feel done at all.

On the "Videos" page, perhaps add a 'Search' label to the search form, just to make it a little clearer what it's for.

Also on the videos / categories page, I think the user would prefer to read a description of the video more than when it was uploaded?

Also you might be better off improving your register e-mail, went straight to my spam folder - using Google mail.

Adam

phpflavor Posted May 18, 2009 (Author)

> Undefined variable: top_banner in /var/www/web10/web/ubr_file_upload.php on line 203

Aww, thought I deleted that for some reason with the uber uploader. It won't let me load my data in it lol. And the views, I have been trying to fix that but can't get the SQL to work lol.

```php
$id=$_GET['id'];

$sql3="SELECT * FROM videos WHERE id='$id'";
$result3=mysql_query($sql3);

$rows=mysql_fetch_array($result3);
$Step1view=$rows['number_of_views'];

// if have no counter value set counter = 1
if ($Step1view == '0') {
    $Stepview=1;
    $sql4="UPDATE videos (`number_of_views`) VALUES('$Step1view') WHERE id='$id'";
    $result4=mysql_query($sql4);
}

// count more value
$addview=$Step1view+1;
$sql5="update videos set view='$addview' WHERE id='$id'";
$result5=mysql_query($sql5);
```

lol I do agree with the date thing but I don't know how to limit the number of letters from the SQL so it shows a little bit of the description. lol. But I just want to make a base structure script so that people can add to it without having to worry about powered by xxxx. Thank you very much for the input, I will work to try to fix those probs or errors. Thank you

phpflavor Posted May 18, 2009 (Author)

> generally just doesn't feel done at all.

yep it is still kinda in alpha stage.

Coreye Posted May 21, 2009

Cross Site Scripting (XSS): http://stagevid.net/members.php
You can submit ">code when registering and it will execute on the members page.

Full Path Disclosure: http://stagevid.net/view_member.php
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/web10/web/view_member.php on line 24

Full Path Disclosure: http://stagevid.net/view_video.php?id=88
Warning: Can't open movie file /var/www/web10/web/uploads/sd/pIcvDc-RMjg in /var/www/web10/web/view_video.php on line 45
Fatal error: Call to a member function getDuration() on a non-object in /var/www/web10/web/view_video.php on line 46

Description:

http://www.owasp.org/index.php/Full_Path_Disclosure
Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file() (within a SQL Injection) query to view the page source, require the attacker to have the full path to the file they wish to view.

http://www.acunetix.com/vulnerabilities/Full-path-disclosure.htm
A remote user can determine the full path to the web root directory and other potentially sensitive information.
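
Editor's added example (not part of any post in this thread, and not the script's own code): one way to stop the full path disclosure reported above is to send PHP's diagnostics to the server log and handle the expected failure (a missing video file) before any call that would emit a warning. The helper name `findVideoFile`, the upload directory and the file-name policy are assumptions made for this sketch.

```php
<?php
// Keep diagnostics in the server log, not in the page.
ini_set('display_errors', '0');   // nothing from PHP itself reaches the browser
ini_set('log_errors', '1');       // details go to the configured error log
error_reporting(E_ALL);           // still record everything

// Turn warnings and notices into exceptions so one handler decides what is shown.
set_error_handler(function ($severity, $message, $file, $line) {
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// Last-resort handler: full detail to the log, generic text to the visitor.
set_exception_handler(function ($e) {
    error_log(sprintf('%s in %s:%d', $e->getMessage(), $e->getFile(), $e->getLine()));
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo 'Sorry, something went wrong.';
});

/**
 * Hypothetical helper: return the path of an uploaded video, or null.
 * $uploadDir and the naming rule are assumptions for this sketch.
 */
function findVideoFile(string $uploadDir, string $name): ?string
{
    // Allow only letters, digits, "-" and "_" (the shape of the name in the report).
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $name)) {
        return null;
    }
    $path = $uploadDir . '/' . $name;
    return is_readable($path) ? $path : null;
}

$path = findVideoFile(sys_get_temp_dir(), 'pIcvDc-RMjg'); // constructed lookup
if ($path === null) {
    // Expected failure: log it, answer 404, reveal no path.
    error_log('video file missing or unreadable');
    http_response_code(404);
    echo 'This video is not available.';
    exit;
}
echo 'Video found.';
```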

darkfreaks Posted May 21, 2009

I have included an example on how to use MySQLi prepared statements, this will help a lot

```php
<?php
$db = new mysqli('localhost','user','pass','db');

$id=$_GET['id'];

// placeholders must not be quoted, otherwise '?' is a literal string
$sql3=$db->prepare("SELECT * FROM videos WHERE id=?");
$sql3->bind_param('i',$id);
$sql3->execute();
// execute() returns a bool; get_result() (mysqlnd driver) returns the rows
$result=$sql3->get_result();

$rows=$result->fetch_assoc();
$Step1view=$rows['number_of_views'];

// if have no counter value set counter = 1
if ($Step1view == '0') {
    $Stepview=1;
    $sql4=$db->prepare("UPDATE videos SET number_of_views=? WHERE id=?");
    $sql4->bind_param('ii',$Stepview,$id);
    $sql4->execute();
}

// count more value
$addview=$Step1view+1;
// write back to the same column that was read (number_of_views)
$sql5=$db->prepare("UPDATE videos SET number_of_views=? WHERE id=?");
$sql5->bind_param('ii',$addview,$id);
$sql5->execute();
?>
```
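
Editor's added example (not part of any post in this thread): the counter code in the posts above reads the value, adds one in PHP and writes it back, so two viewers arriving together can lose an increment. The sketch below does the increment in a single parameterized UPDATE and validates the id first. It uses PDO with an in-memory SQLite table so it runs without a server, which is a substitution for the thread's MySQL setup; the function name `recordView` and the sample rows are constructed, while the `videos` table and `number_of_views` column come from the thread.

```php
<?php
// Constructed in-memory table so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE videos (id INTEGER PRIMARY KEY, number_of_views INTEGER NOT NULL DEFAULT 0)');
$db->exec('INSERT INTO videos (id, number_of_views) VALUES (88, 0)');

/**
 * Count one view of a video and return the new total,
 * or null when the id is malformed or no such video exists.
 */
function recordView(PDO $db, $rawId)
{
    // Accept only a positive integer; anything else never reaches the query.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // One statement: the database does the read-modify-write, so two
    // simultaneous viewers cannot overwrite each other's increment.
    $update = $db->prepare('UPDATE videos SET number_of_views = number_of_views + 1 WHERE id = ?');
    $update->execute([$id]);
    if ($update->rowCount() === 0) {
        return null; // unknown video id
    }

    $select = $db->prepare('SELECT number_of_views FROM videos WHERE id = ?');
    $select->execute([$id]);
    return (int) $select->fetchColumn();
}

// Constructed sample inputs, standing in for $_GET['id'].
foreach (['88', '88', "88' OR '1'='1", '999'] as $input) {
    var_export(recordView($db, $input));
    echo "\n";
}
```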

phpflavor Posted May 22, 2009 (Author)

> Full Path Disclosure: http://stagevid.net/view_member.php
> Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/web10/web/view_member.php on line 24
>
> Full Path Disclosure: http://stagevid.net/view_video.php?id=88
> Warning: Can't open movie file /var/www/web10/web/uploads/sd/pIcvDc-RMjg in /var/www/web10/web/view_video.php on line 45
> Fatal error: Call to a member function getDuration() on a non-object in /var/www/web10/web/view_video.php on line 46

K, I got that fixed, still working on the signup. Hey, thank you very much. I also updated the admin zone to the delete.php file. Thank you very much

phpflavor Posted May 22, 2009 (Author)

> I have included an example on how to use MySQLi prepared statements, this will help a lot
>
> ```php
> <?php
> $db = new mysqli('localhost','user','pass','db');
>
> $id=$_GET['id'];
>
> // placeholders must not be quoted, otherwise '?' is a literal string
> $sql3=$db->prepare("SELECT * FROM videos WHERE id=?");
> $sql3->bind_param('i',$id);
> $sql3->execute();
> // execute() returns a bool; get_result() (mysqlnd driver) returns the rows
> $result=$sql3->get_result();
>
> $rows=$result->fetch_assoc();
> $Step1view=$rows['number_of_views'];
>
> // if have no counter value set counter = 1
> if ($Step1view == '0') {
>     $Stepview=1;
>     $sql4=$db->prepare("UPDATE videos SET number_of_views=? WHERE id=?");
>     $sql4->bind_param('ii',$Stepview,$id);
>     $sql4->execute();
> }
>
> // count more value
> $addview=$Step1view+1;
> // write back to the same column that was read (number_of_views)
> $sql5=$db->prepare("UPDATE videos SET number_of_views=? WHERE id=?");
> $sql5->bind_param('ii',$addview,$id);
> $sql5->execute();
> ?>
> ```

Hey, thank you very much, I will try messing with that tonight

phpflavor Posted May 27, 2009 (Author)

K well, I have updated the sign up for the username and the number of views on view_video.

darkfreaks Posted May 28, 2009

Much better, I found nothing on those pages now. You got a test login so we can see the inside ???

darkfreaks Posted May 28, 2009

Warning: simplexml_load_file(http://gdata.youtube.com/feeds/api/videos?vq=&max-results=10&start-index=1) [function.simplexml-load-file]: failed to open stream: HTTP request failed! HTTP/1.0 400 Bad Request in /var/www/web10/web/search.php on line 152

Warning: simplexml_load_file() [function.simplexml-load-file]: I/O warning : failed to load external entity "http://gdata.youtube.com/feeds/api/videos?vq=&max-results=10&start-index=1" in /var/www/web10/web/search.php on line 152

Fatal error: Call to a member function children() on a non-object in /var/www/web10/web/search.php on line 155

phpflavor Posted May 28, 2009 (Author)

I accidentally deleted the post so here's the new link to the post http://phpflavor.com/forum/viewtopic.php?f=9&t=518

> Much better, I found nothing on those pages now. You got a test login so we can see the inside ???

hey ty man

> Warning: simplexml_load_file(http://gdata.youtube.com/feeds/api/videos?vq=&max-results=10&start-index=1) [function.simplexml-load-file]: failed to open stream: HTTP request failed! HTTP/1.0 400 Bad Request in /var/www/web10/web/search.php on line 152
>
> Warning: simplexml_load_file() [function.simplexml-load-file]: I/O warning : failed to load external entity "http://gdata.youtube.com/feeds/api/videos?vq=&max-results=10&start-index=1" in /var/www/web10/web/search.php on line 152
>
> Fatal error: Call to a member function children() on a non-object in /var/www/web10/web/search.php on line 155

Do you think that this could be with YouTube APIs? I tried to get the same error but I could not. Sometimes I think this is because I use Linux. I don't use Windows so sometimes I can't get the same errors.

user: test
pass: test

Hey, thank you very much for the help man, thank you everybody.

phpflavor Posted May 28, 2009 (Author)

Aww k, I see where the error is. Hey ty, I'll have to fig that out. Ty man.

darkfreaks Posted May 28, 2009

Also:

Notice: Undefined variable: top_banner in /var/www/web10/web/ubr_file_upload.php on line 203

darkfreaks Posted June 6, 2009

Attack Details:
* HTTP Method: SECCOMP
The attacked page is dangerously similar to the original page. It is 99.029% similar. Got access to a resource that should be protected. Server response code: 200 OK

Attack Details:
* Input Parameter: PHPSESSID
The attacked page is dangerously similar to the original page. It is 98.22% similar. Got access to a resource that should be protected. Server response code: 200 OK.

Attack Details:
* HTTP Method: HEAD
Got access to a resource that should be protected. Server response code: 200 OK. The attacked page is not very similar to the original page. It is 0.222% similar.

phpflavor Posted June 8, 2009 (Author)

> Attack Details:
> * HTTP Method: SECCOMP
> The attacked page is dangerously similar to the original page. It is 99.029% similar. Got access to a resource that should be protected. Server response code: 200 OK
>
> Attack Details:
> * Input Parameter: PHPSESSID
> The attacked page is dangerously similar to the original page. It is 98.22% similar. Got access to a resource that should be protected. Server response code: 200 OK.
>
> Attack Details:
> * HTTP Method: HEAD
> Got access to a resource that should be protected. Server response code: 200 OK. The attacked page is not very similar to the original page. It is 0.222% similar.

K wow. How would I go about fixing this ? ??? Thank you very much

phpflavor Posted June 8, 2009 (Author)

Are you saying that I need to find a better way to control my session ID?

darkfreaks Posted June 8, 2009

Preventing HTTP HEAD in htaccess

phpflavor Posted June 9, 2009 (Author)

ty you very much man

darkfreaks Posted June 9, 2009

1.) It is the Access me Firefox Add on by Security Compass.
2.) Explanation of HTTP Methods

jiffyspop Posted July 22, 2010

K well, I do believe I fixed most of it. The new alpha script is out on http://stagevid.com
http://phpflavor.com is where u can download it

darkfreaks Posted October 8, 2010

Failures: 0 [fixed]
Warnings: 385

unamed form::keyword
unamed form::type
unamed form::lang
unamed form::switch
unamed form::Search

Fix: use functions such as strip_tags(), htmlentities() to help strip out XSS parameters. also using a library like http://htmlpurifier.org/ to Validate Html and weed out XSS.

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/stagevid/public_html/admin/configs/master.php on line 172 on activate.php

Access me Results:
Failures: 6 [header method]
Fix: Mod Security [install on server or access with web host]
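
Editor's added example (not part of any post in this thread, and not the script's own code): the XSS reported on the members page comes from printing a registered username into HTML. The sketch compares `strip_tags()` alone with escaping at output time, using `htmlspecialchars()` (the sibling of the `htmlentities()` mentioned above), and adds a signup-side check. The helper names `e` and `isValidUsername`, the username policy and the sample rows are constructed for illustration.

```php
<?php
// Escape a value for HTML text or for a quoted attribute.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Registration-side check (assumed policy): 3-20 letters, digits, "_" or "-".
function isValidUsername(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_-]{3,20}$/', $name) === 1;
}

// Constructed rows standing in for the members table.
$members = ['adam', '"><b>injected</b>', '" onmouseover="x'];

foreach ($members as $name) {
    // strip_tags() removes tags but leaves the double quote, so on its own
    // the value still closes the title="" attribute it is printed into.
    $stripped = strip_tags($name);
    printf("stripped only:   <a title=\"%s\">%s</a>\n", $stripped, $stripped);

    // Escaping turns the quote and angle brackets into entities, so the
    // value stays inside the attribute and is shown as plain text.
    printf("escaped:         <a title=\"%s\">%s</a>\n", e($name), e($name));

    // Rejecting the name at signup keeps it out of the database entirely;
    // output escaping is still needed for data that is already stored.
    printf("valid at signup: %s\n\n", isValidUsername($name) ? 'yes' : 'no');
}
```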