MySQL_Narb Posted June 30, 2012
SITE: http://www.osremake.org
VERIFICATION: http://www.osremake.org/phpfreaks.txt
I rewrote my whole website, and I wanted to be sure my site is secure from injection and XSS. This would be greatly appreciated. I switched to PDO and I want to double-check everything is working well.
Thread: https://forums.phpfreaks.com/topic/265028-test-for-vulnerabilities-please/
darkfreaks Posted July 7, 2012
Seems there is a leak in projects.php. You can use execute with an array to bind everything. Secure example:
$oDB = new PDO('... your connection details... ');
$hStmt = $oDB->prepare("select name, age from users where userid=:userid");
$hStmt->execute(array(':userid' => $nUserID)); // key => value; a plain list would not bind :userid
MySQL_Narb (Author) Posted July 7, 2012
> Seems there is a leak in projects.php. You can use execute with an array to bind everything. Secure example:
> $oDB = new PDO('... your connection details... ');
> $hStmt = $oDB->prepare("select name, age from users where userid=:userid");
> $hStmt->execute(array(':userid' => $nUserID));
May I ask what you're talking about? I already use PDO and I don't know of a projects.php file.
darkfreaks Posted July 8, 2012
Sorry, I was running the tests on two different sites; must have been a mix-up, my apology. Anyhow, you have cross-site scripting (XSS) on viewthread.php on variable unnamed form:forum. I would recommend using strip_tags or filter_var.
MySQL_Narb (Author) Posted July 8, 2012
> Sorry, I was running the tests on two different sites; must have been a mix-up, my apology. Anyhow, you have cross-site scripting (XSS) on viewthread.php on variable unnamed form:forum. I would recommend using strip_tags or filter_var.
Can you post proof of this? o.O I've got all HTML disabled using htmlentities(). Only administrators are allowed to use HTML.
darkfreaks Posted July 8, 2012
It's not the reply page that was tested, it was the pagination. That is what is vulnerable: the box with the page number in it. It passed for the most part; however, it is still vulnerable to <script> </script> tags. I suggest you use something like this to strip the script tags:
$html = preg_replace('#<script(.*?)>(.*?)</script>#is', '', $html);
Pikachu2000 Posted July 8, 2012
Or just validate the value with ctype_digit and send the user to page one if it fails.
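Pulling together the two suggestions in this thread (darkfreaks' PDO binding above and Pikachu2000's ctype_digit check for the pagination page number), the following is an added example of how the forum and page parameters of viewthread.php could be validated, bound and echoed. It is not code from the thread or from osremake.org; the $pdo connection, the threads table and PER_PAGE are assumptions.

```php
<?php
// Added example, not code from the thread or from osremake.org. Assumes a
// PDO connection in $pdo and a `threads` table with int columns forum, id.
const PER_PAGE = 20;

// Accept only a string of decimal digits (Pikachu2000's ctype_digit check),
// fall back to $default otherwise, and clamp into [1, $max]. Returning an
// int means nothing attacker-controlled reaches the query or the HTML.
function positiveInt($raw, int $max, int $default = 1): int
{
    if (!is_string($raw) || !ctype_digit($raw)) {
        return $default;        // '" />3', '<script>', '' and '-1' all land here
    }
    $n = (int) $raw;            // ctype_digit rules out signs and decimals
    if ($n < 1) {
        return $default;        // "0" and "000" are digit strings, not valid pages
    }
    return min($n, $max);
}

function threadCount(PDO $pdo, int $forumId): int
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM threads WHERE forum = :forum');
    $stmt->execute(array(':forum' => $forumId)); // key => value form of execute()
    return (int) $stmt->fetchColumn();
}

function threadsForPage(PDO $pdo, int $forumId, int $page): array
{
    // Bound parameters instead of concatenation. LIMIT/OFFSET are bound as
    // integers explicitly: with emulated prepares PDO would otherwise quote
    // them as strings, which MySQL rejects in a LIMIT clause.
    $stmt = $pdo->prepare('SELECT id, title FROM threads WHERE forum = :forum
                           ORDER BY id DESC LIMIT :limit OFFSET :offset');
    $stmt->bindValue(':forum',  $forumId, PDO::PARAM_INT);
    $stmt->bindValue(':limit',  PER_PAGE, PDO::PARAM_INT);
    $stmt->bindValue(':offset', ($page - 1) * PER_PAGE, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Request handling for viewthread.php?forum=...&page=... (constructed usage).
$forumId = positiveInt($_GET['forum'] ?? '', PHP_INT_MAX);
$maxPage = max(1, (int) ceil(threadCount($pdo, $forumId) / PER_PAGE));
$page    = positiveInt($_GET['page'] ?? '', $maxPage);
$threads = threadsForPage($pdo, $forumId, $page);
// Output encoding on top of validation: the page box is echoed through
// htmlspecialchars so the template stays safe even if the check is loosened.
printf('<input name="page" value="%s">', htmlspecialchars((string) $page, ENT_QUOTES, 'UTF-8'));
```

Validation turns the page number into an integer before it is used anywhere, so neither strip_tags nor a regex over script tags is needed for this field; the htmlspecialchars call is defence in depth for the template.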
MySQL_Narb (Author) Posted July 9, 2012
Edit: I'm assuming you guys meant something like:
viewthread.php?forum=" />3&id=711
If so, I've fixed that.
~~~~~~~~~~~~~~~~~~~~~~~~~~~
I'm not sure what you guys are referring to, but I found this vulnerability:
Is that what you're referring to? If so, ctype_digit() wouldn't be useful at all in this situation.
Pikachu2000 Posted July 9, 2012
No, but it would for the field we were actually referring to: the pagination page number field.
MySQL_Narb (Author) Posted July 9, 2012
> No, but it would for the field we were actually referring to: the pagination page number field.
Ah, thank you for pointing that out.
darkfreaks Posted July 11, 2012

Vulnerability description
This script is possibly vulnerable to SQL Injection attacks. SQL injection is a vulnerability that allows an attacker to alter backend SQL statements by manipulating the user input. An SQL injection occurs when web applications accept user input that is directly placed into a SQL statement and doesn't properly filter out dangerous characters. This is one of the most common application layer attacks currently being used on the Internet. Despite the fact that it is relatively easy to protect against, there is a large number of web applications vulnerable.
This vulnerability affects /news/index.php.
Discovered by: Scripting (Sql_Injection.script).

The impact of this vulnerability
An attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the integrity of your database and/or expose sensitive information. Depending on the back-end database in use, SQL injection vulnerabilities lead to varying levels of data/system access for the attacker. It may be possible to not only manipulate existing queries, but to UNION in arbitrary data, use subselects, or append additional queries. In some cases, it may be possible to read in or write out to files, or to execute shell commands on the underlying operating system. Certain SQL Servers such as Microsoft SQL Server contain stored and extended procedures (database server functions). If an attacker can obtain access to these procedures it may be possible to compromise the entire machine.

Attack details
URL encoded GET input page was set to ##xa7
Error message found: You have an error in your SQL syntax

Solution: fix syntax error in mysql and use mysql_real_escape_string or PDO

Vulnerability description
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks. Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.
Affected items: /news/index.php

The impact of this vulnerability
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

How to fix this vulnerability
Your script should filter metacharacters from user input (i.e. strip_tags, filter_var).

Login page password-guessing attack

Vulnerability description
A common threat web developers face is a password-guessing attack known as a brute force attack. A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works. This login page doesn't have any protection against password-guessing attacks (brute force attacks). It's recommended to implement some type of account lockout after a defined number of incorrect password attempts. Consult Web references for more information about fixing this problem.
Affected items: /login.php

The impact of this vulnerability
An attacker may attempt to discover a weak password by systematically trying every possible combination of letters, numbers, and symbols until it discovers the one correct combination that works.

How to fix this vulnerability
It's recommended to implement some type of account lockout after a defined number of incorrect password attempts.
MySQL_Narb (Author) Posted July 14, 2012
Thank you. I've fixed two of the vulnerabilities you listed, although about the "SQL vulnerability": I already use PDO. Are you sure you found a SQL injection exploit?
darkfreaks Posted July 14, 2012
Whatever it was, it's fixed now. You seem good to go.
MySQL_Narb (Author) Posted July 14, 2012
> Whatever it was, it's fixed now. You seem good to go.
Thank you!