corbin Posted May 28, 2009
Link to comment https://forums.phpfreaks.com/topic/159980-security-test/

Validation link: http://bid4tackle.com/phpfreaks.txt

Hello, at the request of someone for whom I'm doing some work, I'm posting this. Anyway, I would appreciate it very much if someone could look at http://bid4tackle.com/ and see if any security exploits are there. Feel free to note any oddities, errors, UI quirks and so on, but the person who asked me to post this was mainly concerned with security.
darkfreaks Posted May 28, 2009

Main page: XSS: 26 failures

DOM was modified by attack string. Field appears to be very vulnerable to XSS String.
Tested value: <xml id="X"><a><b><script>document.vulnerable=true;</script>;</b></a></xml>

DOM was modified by attack string. Field appears to be very vulnerable to XSS String.
Tested value: <a href="about:<script>document.vulnerable=true;</script>">

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <!-- -- --><script>document.vulnerable=true;</script><!-- -- -->

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <![CDATA[<!--]]<script>document.vulnerable=true;//--></script>

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <<script>document.vulnerable=true;</script>

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <style><!--</style><script>document.vulnerable=true;//--></script>

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:document.vulnerable=true></OBJECT>

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <!--[if gte IE 4]><SCRIPT>document.vulnerable=true;</SCRIPT><![endif]-->

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <BODY ONLOAD=document.vulnerable=true;>

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: </TITLE><SCRIPT>document.vulnerable=true;</SCRIPT>

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <SCRIPT <B>document.vulnerable=true;</SCRIPT>

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <<SCRIPT>document.vulnerable=true;//<</SCRIPT>

The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <SCRIPT>document.vulnerable=true;</SCRIPT>
corbin (Author) Posted May 28, 2009

Hrmmm... Thanks! Not sure why, but I had it in my head that the previous developer had made sure XSS wasn't possible. Just looked at the code, and I've no idea why I thought that. Not an htmlentities() in sight()... lol. Oh, by the way, I hate when people post sites but don't do a username/password, so if anyone wants to log in: user: phpfreaks, pass: freaks111
darkfreaks Posted May 28, 2009

Thanks man, I also hate it when people don't paste logins and expect someone to beta test only the login :-\
darkfreaks Posted May 28, 2009

Just a suggestion, but you might want to look at using htmlspecialchars(), trim(), strip_tags() to stop XSS.
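The output-encoding fix darkfreaks suggests, as an added example (this is not code from bid4tackle.com or from anyone in the thread), checked against payloads taken from the XSS Me list posted above. It assumes the search page echoes the term back both into an input's value attribute and into the page body; the function names and the `leaks_markup()` check are hypothetical stand-ins for what XSS Me reports as "unencoded attack string was found in the html".

```php
<?php
// Added example (not code from bid4tackle.com or this thread): encoding at output
// time versus the alternatives named in the post. The search markup below is an
// assumption about the page; function names are hypothetical.

// The bug class the scan found: user input is written into HTML verbatim.
function render_vulnerable(string $term): string
{
    return '<input type="text" name="q" value="' . $term . '">'
         . '<p>Results for: ' . $term . '</p>';
}

// strip_tags() is not an encoder: it drops well-formed tags but leaves stray
// quotes and '>' behind, so a value can still close the attribute it sits in.
// trim() does nothing for XSS at all.
function render_strip_tags(string $term): string
{
    $t = strip_tags($term);
    return '<input type="text" name="q" value="' . $t . '">'
         . '<p>Results for: ' . $t . '</p>';
}

// The fix: encode at the point of output, for the context the value lands in.
// htmlspecialchars() with ENT_QUOTES turns < > & " ' into entities, which is
// sufficient for text nodes and for values inside a *quoted* attribute.
// Always pass the charset; a mismatch can let multibyte sequences slip through.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function render_safe(string $term): string
{
    return '<input type="text" name="q" value="' . e($term) . '">'
         . '<p>Results for: ' . e($term) . '</p>';
}

// A crude version of XSS Me's "unencoded attack string was found" check:
// the template itself emits exactly three '<' and six '"'; any extra raw
// '<' or '"' in the output came from the input unencoded.
function leaks_markup(string $html): bool
{
    return substr_count($html, '<') > 3 || substr_count($html, '"') > 6;
}

// Payloads taken from the XSS Me output posted in this thread, plus one
// attribute-breakout string (constructed for this example).
$payloads = [
    '<SCRIPT>document.vulnerable=true;</SCRIPT>',
    '<<SCRIPT>document.vulnerable=true;//<</SCRIPT>',
    '</TITLE><SCRIPT>document.vulnerable=true;</SCRIPT>',
    '<BODY ONLOAD=document.vulnerable=true;>',
    '<SCRIPT <B>document.vulnerable=true;</SCRIPT>',
    '"><SCRIPT>document.vulnerable=true;</SCRIPT>',
];

$renderers = [
    'vulnerable' => 'render_vulnerable',
    'strip_tags' => 'render_strip_tags',
    'encoded'    => 'render_safe',
];

foreach ($payloads as $p) {
    echo "payload: $p\n";
    foreach ($renderers as $name => $fn) {
        $html = $fn($p);
        printf("  %-10s %-5s %s\n", $name, leaks_markup($html) ? 'LEAK' : 'ok', $html);
    }
}
```

Run it with `php xss_encode.php` and compare the three rows per payload. Two caveats for anyone applying this: htmlspecialchars() is the right tool for HTML text and quoted attributes only; a value dropped into a JavaScript string, an unquoted attribute, or a URL needs encoding for that context instead. And encode on the way out, in the template, not on the way in: data stored "pre-encoded" ends up double-encoded in one place and raw in another.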
corbin (Author) Posted May 29, 2009

Yeah.... I know how to stop it. The problem was that I basically forgot to look for it. I was super focused on SQL injection hehe.
darkfreaks Posted May 29, 2009

Yeah, you stopped that, I see.
darkfreaks Posted June 6, 2009

Attack Details:
* HTTP Method: SECCOMP
The attacked page is dangerously similar to the original page. It is 100% similar.
Got access to a resource that should be protected. Server response code: 200 OK.

Attack Details:
* Input Parameter: PHPSESSID
The attacked page is dangerously similar to the original page. It is 99.477% similar.
Got access to a resource that should be protected. Server response code: 200 OK.

Attack Details:
* HTTP Method: HEAD
Got access to a resource that should be protected. Server response code: 200 OK.
The attacked page is not very similar to the original page. It is 0.222% similar.
Daniel0 Posted June 9, 2009

Rules Regarding "Exploit Scanners"

Use of exploit scanners can be an effective way to discover exploits on a website, so we have no intention of banning posting scanner results. But these scanners can also return bogus results. Secondly: Give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime.

As of now, posting scanner results is only allowed under the following conditions:
1) You must share the name and how to get the scanner
2) You absolutely MUST explain every item in the result (why is this a risk, not just because the scanner says so)
darkfreaks Posted June 9, 2009

Yeah, I figured this would come back to haunt me.
1.) It is the Access Me Firefox add-on by Security Compass.
2.) Explanation of HTTP Methods
pouncer330 Posted June 9, 2009

Hmmm.. I've never run my site through a security scanner before, it gave some interesting results: I received 1 failure, 3 warnings, and 1 pass...

---
Attack Details:
* HTTP Method: SECCOMP
The attacked page is dangerously similar to the original page. It is 100% similar.
Got access to a resource that should be protected. Server response code: 200 OK.
----
Attack Details:
* HTTP Method: HEAD
Got access to a resource that should be protected. Server response code: 200 OK.
The attacked page is not very similar to the original page. It is 0.561% similar.
---
:: Cookie + Http Method
Attack Details:
* Input Parameter: PHPSESSID
* HTTP Method: SECCOMP
Got access to a resource that should be protected. Server response code: 200 OK.
The attacked page is not very similar to the original page. It is 57.391% similar.
----
:: Cookie + Http Method
Attack Details:
* Input Parameter: PHPSESSID
* HTTP Method: HEAD
Got access to a resource that should be protected. Server response code: 200 OK.
The attacked page is not very similar to the original page. It is 0.561% similar.
----
:: Cookie
Attack Details:
* Input Parameter: PHPSESSID
Did not access protected resource. Server response code: 403 Forbidden.
The attacked page is not very similar to the original page. It is 13.615% similar.
--------------------

No idea how to fix these... can someone give me some pointers?
darkfreaks Posted June 10, 2009

You should really read my above post, man, it explains it.
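What the Access Me results above are exercising, as an added example that is not code from either site or from anyone in the thread: the add-on replays a request made while logged in, once with the PHPSESSID cookie removed or altered ("Input Parameter: PHPSESSID") and once with a different HTTP method (HEAD, and its own invented verb SECCOMP), and flags a 200 reply that still resembles the original. The scanner cannot know which pages are meant to be public, so those lines only matter for pages that sit behind a login. The guard below decides on the session alone and refuses verbs the application never uses, which is what makes the replays fail; the page, function and session-key names are hypothetical.

```php
<?php
// Added example, not the site's code. A guard for a page that requires login,
// simulated from the command line by passing in the method and session that a
// real request would carry in $_SERVER['REQUEST_METHOD'] and $_SESSION.
// All names here are hypothetical.

const ALLOWED_METHODS = ['GET', 'POST', 'HEAD'];

/**
 * Decide how a protected page answers. Returns [status, body].
 * With no valid PHPSESSID cookie, session_start() gives PHP a fresh, empty
 * session, so 'user_id' is simply absent: that is what "cookie removed" means
 * to the application, and the guard must treat it as "not logged in".
 */
function guard_protected_page(string $method, array $session): array
{
    // 1. Unknown verbs: the scan shows the server still ran the script and
    //    answered 200 to SECCOMP, so the application has to say no itself.
    if (!in_array($method, ALLOWED_METHODS, true)) {
        return [405, ''];
    }
    // 2. The login check must not depend on the method or on $_POST being
    //    set. Deciding it only on POST is what lets a HEAD replay through.
    if (empty($session['user_id'])) {
        return [302, 'Location: /signin.php'];
    }
    // 3. HEAD is a legitimate method: same status as GET, no body. That is
    //    why the report shows ~0% similarity for HEAD; a 200 here for a
    //    logged-in user is correct, not a finding.
    if ($method === 'HEAD') {
        return [200, ''];
    }
    return [200, 'account page for user ' . $session['user_id']];
}

// Constructed replays, mirroring the cases in the Access Me reports above.
$replays = [
    ['GET',     ['user_id' => 42]],  // the original, logged-in request
    ['SECCOMP', ['user_id' => 42]],  // HTTP Method: SECCOMP
    ['GET',     []],                 // Input Parameter: PHPSESSID (cookie removed)
    ['HEAD',    []],                 // Cookie + Http Method: HEAD, no session
    ['HEAD',    ['user_id' => 42]],  // HEAD while logged in
];

foreach ($replays as [$method, $session]) {
    [$status, $body] = guard_protected_page($method, $session);
    printf("%-8s session=%-16s -> %d %s\n", $method, json_encode($session), $status, $body);
}
```

Only the first and last replays should come back 200; the SECCOMP replay gets 405 and the two without a session get a redirect to the sign-in page. The same method restriction can also be applied in front of PHP with Apache's `<LimitExcept GET POST HEAD>` block in mod_access configuration, but the session check has to live in the application, and it has to run on every protected page, not only on the one that processes the login form.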
corbin (Author) Posted June 19, 2009

I'm back! lol. Anyway, I think I've fixed all of the XSS spots. I would appreciate it if someone would go through and try to XSS exploit or SQL inject fields.
darkfreaks Posted June 19, 2009

SQL works great. Your XSS filtering needs improving; it's not getting it all (at least on your search). This is what XSS Me picks up:

Failures: 4
Warnings: 156
Passes: 150
Fields Prone to XSS: Search
MadTechie Posted June 20, 2009

You may want to turn off error reporting.

Advanced search, price from and to: set txtpricedfrom or txtpricedto to \" or '

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/vhosts/bid4tackle.com/httpdocs/search.php on line 118
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/vhosts/bid4tackle.com/httpdocs/search.php on line 122

Also, I'm not sure if this is a test server or what, but if you're using it for payments then your server needs upgrading. For example, your server is using SSL 2.0. Upgrade to 3, as 2.0 is weak; here's a PDF paper for more info. Also, it wouldn't hurt to update PHP to the latest as well.

signin.php: the password field allows autocomplete; that's not generally recommended. Add: AUTOCOMPLETE="off"
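Two things a practitioner would want alongside MadTechie's point, shown as an added example that is not the site's code: the warning lines above leak the document root and file layout to every visitor, so on a public server errors should be logged rather than displayed; and a price field that breaks the query on a quote should have rejected that input before any query ran, whatever the cause of the failure. It is an assumption that txtpricedfrom/txtpricedto are numeric prices; the log path, `parse_price()`, `count_rows()` and `handle_request()` are hypothetical. The SSL 2.0 point is an Apache mod_ssl configuration matter (the SSLProtocol directive), not PHP, and is not shown here.

```php
<?php
// Added example, not the site's code. (1) Production error settings so that
// nothing like "Warning: mysql_num_rows(): ... /var/www/vhosts/..." reaches
// the browser; (2) a handler that logs the detail and returns a generic
// message; (3) validation of the price fields before any query is built.
// The log path and the helper names are assumptions made for this example.

// (1) Display nothing; log everything. These belong in php.ini or a
//     vhost config rather than here: a parse error in the file that calls
//     ini_set() would still be displayed, because it happens earlier.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', sys_get_temp_dir() . '/app-errors.log');
error_reporting(E_ALL); // keep reporting on; the log is where you read it

// (2) Turn every warning into an exception, so a failed query cannot fall
//     through to mysql_num_rows()/mysql_fetch_array() on a boolean false.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
});

// Run a page action; detail goes to the log, the visitor gets a generic line.
function handle_request(callable $action): string
{
    try {
        return $action();
    } catch (InvalidArgumentException $e) {
        return 'Please enter a valid price (' . $e->getMessage() . ').';
    } catch (Throwable $e) {
        error_log(sprintf('%s in %s:%d', $e->getMessage(), $e->getFile(), $e->getLine()));
        return 'Sorry, something went wrong. The problem has been logged.';
    }
}

// (3) A quote or backslash is not a price. Reject it here instead of letting
//     the database choke on it. Blank means "no bound on that side".
function parse_price(?string $raw): ?float
{
    if ($raw === null || trim($raw) === '') {
        return null;
    }
    if (!preg_match('/^\d{1,9}(\.\d{1,2})?$/', trim($raw))) {
        throw new InvalidArgumentException('prices look like 12.50');
    }
    return (float) $raw;
}

function search_by_price(?string $from, ?string $to): string
{
    return handle_request(function () use ($from, $to): string {
        $lo = parse_price($from);
        $hi = parse_price($to);
        if ($lo !== null && $hi !== null && $lo > $hi) {
            return 'No results: "from" is greater than "to".';
        }
        // Real code would bind $lo/$hi as parameters of a prepared statement.
        return sprintf('would query with from=%s to=%s',
            var_export($lo, true), var_export($hi, true));
    });
}

// Stand-in for what mysql_num_rows() does when handed the `false` that a
// failed mysql_query() returns: it warns. With the handler above that warning
// becomes a logged exception instead of text in the page.
function count_rows($result): int
{
    if ($result === false) {
        trigger_error('supplied argument is not a valid MySQL result resource', E_USER_WARNING);
        return 0;
    }
    return count($result);
}

// Constructed inputs, including the two MadTechie used.
foreach ([['10', '20'], ['20', '10'], ['\\"', '5'], ["'", null], ['abc', '']] as [$f, $t]) {
    printf("from=%-6s to=%-6s -> %s\n", var_export($f, true), var_export($t, true), search_by_price($f, $t));
}

// What the page currently shows as two Warning: lines becomes one log entry
// and one generic message.
echo handle_request(function (): string { return (string) count_rows(false); }), "\n";
```

Run it with `php search_errors.php` and then look at the log file named in the `error_log` setting: the path and line number of the failure are there, and only the generic sentence was printed. As corbin notes in the next post, the setting he toggled was display_errors in an include; the point of keeping error_reporting at E_ALL with display off is that the warnings still get recorded where the developer can read them without the visitor seeing them.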
corbin (Author) Posted June 20, 2009

Thank you both!

"you may want to turn off error reporting"

Ooo! Glad you pointed that out... I had it turned on in one of the main includes because I was trying to find something last night, and then I forgot to turn it off. (Yeah, I should always have it on when developing, but some of the original coding throws warnings out the wazoo.)

"Also I'm not sure if this is a test server or what but if you using it for payments then your server needs upgrading for example Your server is using SSL 2.0.. upgrade to 3 as 2.0 is weak, here a PDF paper for more info Also it wouldn't hurt to update PHP to the latest as well"

I will suggest that to the owner of the site and see what he thinks. To be honest, I had never even looked at any of the SSL stuff since I've just been doing everything without SSL so far. (Technically PayPal will be handling all of the payments, but SSL being updated would still be good.) Yeah, PHP 5.1.2 is pretty old too, as is Apache 2.0.55 (and I didn't notice before, but in the HTTP headers, Apache says which distro it's running on haha.)

"SQL works great. your XSS filtering needs improving. its not getting it all(at least on your search) this is what XSS ME picks up Failures:4 Warnings:156 Passes:150 Fields Prone to XSS:Search"

Oh, I forgot to mention, I plan to do some work on the search page, so I haven't done it yet until the final HTML and whatnot is done (well, as I do it). On second thought though, perhaps I should go ahead and fix it just so I don't chance missing something later. Blerh...... I swear I don't suck at coding haha... It's easier to secure something while coding it than to go back and try to make something secure. lol. (As for the server software being outdated thing, in all honesty I've been focusing on the PHP files so much, I never thought to check any of the versions once I saw PHP 5.)

Edit: Hrmmm.... I think I'mma go get XSS Me now haha.
MadTechie Posted June 20, 2009

Some more:

http://bid4tackle.com/stats/ <-- nice stats
http://bid4tackle.com/admin/test.php <-- may want to remove this

More error reporting still, but if you're like me, you'll want to fix them and not just hide them.

http://bid4tackle.com/view_full_size.php
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/vhosts/bid4tackle.com/httpdocs/view_full_size.php on line 38
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/vhosts/bid4tackle.com/httpdocs/view_full_size.php on line 39

http://bid4tackle.com/sellers_othersitem.php?seller_id=23
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/vhosts/bid4tackle.com/httpdocs/templates/search_list_view.tpl on line 12
corbin (Author) Posted June 20, 2009

"Some more http://bid4tackle.com/stats/ <-- nice stats http://bid4tackle.com/admin/test.php <-- may want to remove this"

Hrmmm, didn't know there even was a stats page haha. As for the admin page, I had never even looked in that folder before lol.... Guess I should have. Hrmmm, I shall fix those errors and look for any others too...