Lukeidiot Posted July 10, 2011

Hey guys, I was recently told by one of my customers that their logs were getting stolen, and I am not sure if this is a brute force of the login, or maybe a MySQL injection, or even session hijacking.

User: phpfreaksdemo
Pass: demopass
Login: http://runescapesr.com/beta/index.php?goto=login

Will reward anyone who finds any possible vulnerabilities, PayPal money.

Ownership verify: http://runescapesr.com/pro.txt
cssfreakie Posted July 11, 2011

As far as I can see you just use pretty standard forum software, which is thoroughly tested.
Lukeidiot Posted July 11, 2011 (Author)

> As far as I can see you just use pretty standard forum software, which is thoroughly tested.

Oh sorry, I should have made this clear. I have integrated the forum registration to simultaneously create a "Beta Access" account. The URL for testing is located here: http://runescapesr.com/beta/

Everything at /beta/ has been hand coded by myself, and I would like to know of its possible security flaws. Thanks!
cssfreakie Posted July 11, 2011

You should prevent directory traversal. As an example: http://runescapesr.com/beta/?goto=../index.php

Suppress errors and log them in a file outside the root.
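As an added illustration of the two points above (example code written for this page, not code from the thread or from the /beta/ site, whose source is never shown): the traversal URL cssfreakie posted suggests a front controller that turns the `goto` parameter into a file path to include. The vulnerable pattern, the page names in the allow-list, and the log path below are all assumptions; the fix shown is the usual one of mapping the parameter onto a fixed list of pages instead of using it as a path.

```php
<?php
// Added example for the "?goto=../index.php" report above. The /beta/ source
// is not shown in the thread, so route_unsafe() is an ASSUMED reconstruction
// of a typical "?goto=page" router; the allow-list and log path are also
// assumptions chosen for the example.

// --- Assumed vulnerable router: the query parameter becomes part of a path.
function route_unsafe(string $goto): string
{
    // "?goto=../index.php" resolves to pages/../index.php, i.e. a file outside
    // the pages/ directory. Any relative path the web server user can read
    // could be pulled in the same way (subject to open_basedir and similar).
    return __DIR__ . '/pages/' . $goto;
}

// --- Hardened router: the parameter is only ever a key into this table.
// The user-controlled string never touches the filesystem path; unknown
// keys fall back to the default page and are logged for the site owner.
const PAGES = [
    'home'     => 'home.php',     // assumed page names
    'login'    => 'login.php',
    'register' => 'register.php',
];

function route_safe(?string $goto): string
{
    $key = is_string($goto) ? strtolower(trim($goto)) : 'home';
    if (!array_key_exists($key, PAGES)) {
        // error_log() writes to the file set in ini 'error_log' below.
        error_log('rejected goto=' . $key);
        $key = 'home';
    }
    return __DIR__ . '/pages/' . PAGES[$key];
}

// --- "Suppress errors and log them in a file outside the root":
// never print PHP errors (and paths) to visitors; write them to a file the
// web server does not serve. The path is an assumption; use any directory
// outside the document root that the PHP process can write to.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/beta-app/php-errors.log');

if (PHP_SAPI === 'cli') {
    // Show the two routers side by side on constructed inputs.
    foreach (['login', 'LOGIN', '../index.php', '../../etc/passwd'] as $in) {
        printf("%-18s unsafe -> %s\n", $in, route_unsafe($in));
        printf("%-18s safe   -> %s\n", '', route_safe($in));
    }
} else {
    // Front controller in production: only the safe router is used.
    include route_safe($_GET['goto'] ?? 'home');
}
```

Running the script from the command line prints the resolved path for each input: route_unsafe() happily returns `pages/../index.php` and `pages/../../etc/passwd`, while route_safe() returns `pages/login.php` for both `login` and `LOGIN` and falls back to `pages/home.php` for the two traversal strings, after logging the rejected value.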