policosmos Posted May 3, 2007
Hi, This has been my secret side project for a while. I'd like to launch it ASAP. Any suggestions, comments, etc. are welcome -- thanks in advance.
http://www.policosmos.com
If you don't want to register, use 'trial@policosmos.com' and 'password' ... just don't change the password, please!
One thing I know of ... and if you could tell me why, you rock ... is in IE7, the background seems to be 1px off from the divs. It has faux columns, which don't line up with the graphics. Grrr.
Um, I'm a PHP newbie, so anything you've got for me is a big help.
john010117 Posted May 3, 2007
I don't believe you are really protected from MySQL Injections. Read this article.
policosmos Posted May 3, 2007 (Author)
Quote:
  I don't believe you are really protected from MySQL Injections. Read this article.
Really? Why do you say that? Every input should go through that. Hm... ???
agentsteal Posted May 4, 2007
Array: http://www.policosmos.com/citizenshall.php?start[]
Array: http://www.policosmos.com/table.php?topic=0&start[]
Array: http://www.policosmos.com/table.php?topic[]
Cross Site Scripting: http://www.policosmos.com/addfriend.php?delete="><marquee><h1>vulnerable</marquee>
Cross Site Scripting: http://www.policosmos.com/browse.php?show=<marquee><h1>vulnerable</marquee>
Cross Site Scripting: http://www.policosmos.com/citizenshall.php?start=<marquee><h1>vulnerable</marquee>
Cross Site Scripting: http://www.policosmos.com/cgi-sys/scgiwrap/<marquee><h1>vulnerable</marquee>
Cross Site Scripting: http://www.policosmos.com/endorse.php?delete="><marquee><h1>vulnerable</marquee>
Cross Site Scripting: http://www.policosmos.com/phpinfo.php?<script>alert('vulnerable')</script>
Cross Site Scripting: http://www.policosmos.com/submit_reg.php?email=<marquee><h1>vulnerable</marquee>
Cross Site Scripting: There is Cross Site Scripting if the issues section contains code.
Cross Site Scripting: There is Cross Site Scripting when you register if the fields contain code.
Full Path Disclosure: http://www.policosmos.com/browse.php
Full Path Disclosure: http://www.policosmos.com/citizenshall.php
Full Path Disclosure: http://www.policosmos.com/cgi-sys/scgiwrap/
Full Path Disclosure: http://www.policosmos.com/phpinfo.php
Full Path Disclosure: http://www.policosmos.com/table.php?topic=0&start[]
Full Path Disclosure: http://www.policosmos.com/test.php
Full Path Disclosure: There is Full Path Disclosure when you register.
  Warning: Cannot modify header information - headers already sent by (output started at /home/zeus/public_html/register.php: in /home/zeus/public_html/register.php on line 125
Full Path Disclosure: There is Full Path Disclosure if you upload an invalid avatar.
  Warning: getimagesize() [function.getimagesize]: Read error! in /home/zeus/public_html/addphoto.php on line 86
  Warning: Division by zero in /home/zeus/public_html/addphoto.php on line 87
  Warning: Division by zero in /home/zeus/public_html/addphoto.php on line 89
  Warning: imagecreatetruecolor() [function.imagecreatetruecolor]: Invalid image dimensions in /home/zeus/public_html/addphoto.php on line 93
Maximum Length: If you edit the input boxes when you register you can remove the maximum lengths.
SQL Injection: http://www.policosmos.com/blog.php?delete=36 AND 1=1
  http://www.policosmos.com/blog.php?delete=36 AND 1=2
SQL Injection: http://www.policosmos.com/browse.php?find=endorsements&user=107 AND 1=1
  http://www.policosmos.com/browse.php?find=endorsements&user=107 AND 1=2
SQL Injection: http://www.policosmos.com/mail.php?delete=211 AND 1=1
  http://www.policosmos.com/mail.php?delete=211 AND 1=2
User Enumeration: http://www.policosmos.com/~policosmos
User Enumeration: http://www.policosmos.com/~root
User Enumeration: http://www.policosmos.com/~zeus
policosmos Posted May 4, 2007 (Author)
Quote:
  I got this error message when I tried to register. It has full path disclosure:
  Warning: Cannot modify header information - headers already sent by (output started at /home/zeus/public_html/register.php: in /home/zeus/public_html/register.php on line 125
Thanks. I knew there were one or two of those flying around. I will turn error reporting off shortly. No worries.
john010117 Posted May 4, 2007
Quote:
  I got this error message when I tried to register. It has full path disclosure:
  Warning: Cannot modify header information - headers already sent by (output started at /home/zeus/public_html/register.php: in /home/zeus/public_html/register.php on line 125
Quote:
  Thanks. I knew there were one or two of those flying around. I will turn error reporting off shortly. No worries.
If you turn it off, the registration might not work...
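The two warnings quoted above (the "headers already sent" one from register.php and the getimagesize/division-by-zero chain from addphoto.php) leak paths because PHP is printing them to the page. The following is an added example, not code from the policosmos site, showing how to keep reporting on while sending it to a log, and how to remove the two causes; the log path and the function names are assumptions.

```php
<?php
// Added example, not code from the policosmos site: keep PHP warnings (and the
// /home/zeus/public_html/... paths inside them) out of the browser without
// switching error reporting off, and fix the two places the thread's warnings
// come from. The log path and the function names are assumptions.

declare(strict_types=1);

// 1. Report everything, but to a log file instead of the page. Put this at the
//    top of a bootstrap include (or set the same keys in php.ini).
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/home/zeus/php_errors.log'); // assumed path; keep it outside public_html

// Anything that still fires is logged with its file and line, while the
// visitor sees nothing.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    error_log(sprintf('[%d] %s in %s:%d', $errno, $errstr, $errfile, $errline));
    return true; // handled: PHP does not print it
});

// 2. "Cannot modify header information - headers already sent" means
//    register.php produced output (even a blank line before <?php) before it
//    called header(). Redirect before printing anything, and when that rule has
//    already been broken, log where the output started instead of showing it.
function redirect(string $path): void
{
    if (headers_sent($file, $line)) {
        error_log("redirect to $path impossible: output started at $file:$line");
        exit('Something went wrong, please try again.');
    }
    header('Location: ' . $path, true, 303);
    exit;
}

// 3. The addphoto.php chain (getimagesize read error, then division by zero,
//    then invalid image dimensions) comes from using the size of a file that is
//    not an image. Validate first and stop on failure; the caller rejects the
//    upload when null comes back, and nothing is ever divided by zero.
function avatar_scale(string $path, int $maxSide): ?array
{
    $info = @getimagesize($path); // false for anything that is not an image
    if ($info === false || $info[0] < 1 || $info[1] < 1) {
        return null;
    }
    [$width, $height] = $info;
    $scale = min(1.0, $maxSide / max($width, $height));
    return [(int) round($width * $scale), (int) round($height * $scale)];
}
```

The point of the first part is that display_errors and error_reporting are different knobs: turning reporting off hides the symptom, turning display off while logging stays on keeps the paths private and still tells you when registration breaks.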
policosmos Posted May 4, 2007 (Author)
Agentsteal, you're awesome! Those last two shouldn't have been on the server.
policosmos Posted May 4, 2007 (Author)
Quote:
  You should block this page: http://www.policosmos.com/cgi-sys/scgiwrap
  It has both path disclosure and Cross Site Scripting.
Forgive my ignorance, but how do I do that? I'm new to managing my own server. I'm used to just moving files with FTP, but that directory isn't even listed in my FTP program.
policosmos Posted May 4, 2007 (Author)
Ah, crap. I just realized I didn't set up PHP's mail function when I changed servers. Is that relatively easy to do? I'm going to go google it now.
policosmos Posted May 4, 2007 (Author)
Quote:
  When you register, it should filter tags. I entered code as my email address and the code runs on multiple pages (including the page after you register and the "Reset Password" page).
Wow, really? Did you hide it in the xxx@xxx.xxx format? I'll go look at the database.
obsidian Posted May 4, 2007
You also have some other files that probably shouldn't be accessible, too: log file here
obsidian Posted May 4, 2007
Quote:
  but actually you don't even need to register that way you can do it from the URL: http://www.policosmos.com/submit_reg.php?email=<marquee>
  and it's not just a problem with the email. If you enter code as your name, the whole site has xss problems once you log in. and everything you can edit in your profile has the same problem.
Not only that, but filtering HTML tags is not enough in this case... I actually was able to register with the email address of:
  %3Cscript%3Ealert(document.cookie)%3C/script%3E@gmail.com
This is the URL equivalent of a script tag. Strip tags won't pull it out, but when you echo it to the page, it will still parse as script.
policosmos Posted May 4, 2007 (Author)
Wow, I knew I was going to have security issues, but I didn't know it would be so easy. I was going to guess something like htmlspecialchars() would take care of any tags, but you've clearly demonstrated I've got my work cut out for me before this gets released to the big bad world.
This is my first PHP project. I wanted something totally custom, so I just learned whatever I could. Joomla wasn't going to do it for me.
Do you know of any great sites that are security specific?
policosmos Posted May 4, 2007 (Author)
p.s. - Could you have gotten me banned from sending mail from this script to hotmail? First I thought the mail() function wasn't working, then I realized I was only having problems sending to my hotmail acct.
obsidian Posted May 4, 2007
Quote:
  Do you know of any great sites that are security specific?
I would recommend anyone serious in learning web security to frequent the blog at http://ha.ckers.org
s0c0 Posted May 5, 2007
Dude I think the idea is pretty cool. I don't have time to really beta test it and give a full opinion on it yet, but I think it has potential for your political guru/geek crowd. Only tried with the trial account, will post later.
policosmos Posted May 7, 2007 (Author)
Quote:
  Dude I think the idea is pretty cool. I don't have time to really beta test it and give a full opinion on it yet, but I think it has potential for your political guru/geek crowd. Only tried with the trial account, will post later.
Thanks! I can't wait to get it done!!!
policosmos Posted July 7, 2007 (Author)
UPDATE: After a few months on the back burner, I've been shoring up the site. Should have closed all the XSS holes. If anyone wants to come check out the site again and give me some feedback, I'd appreciate it!
http://www.policosmos.com
Test account is user: trial@policosmos.com / password: password
policosmos Posted July 8, 2007 (Author)
Quote:
  Here's something serious: You have a Blind SQL Injection vulnerability.
  http://www.policosmos.com/browse.php?find=endorsements&user=107 AND 1=1
  http://www.policosmos.com/browse.php?find=endorsements&user=107 AND 1=2
  Let me see if it's exploitable and then I'll talk to you about it.
Looks like you got into the DB ... am I right?
BTW, agentsteal, you rock. If this thing ever gets big, I'll be sure to reward you
policosmos Posted July 8, 2007 (Author)
Ack! I see why these XSS vulnerabilities are still there. Only cleaned stuff that goes to screen when it comes from DB. Have to go back and remove tags from GETs. Bleh. More work. :'(
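The XSS reports in this thread (the "><marquee> payloads in GET parameters, the script tag registered as an email address, obsidian's note that strip_tags is not enough, and the July 8 realization that only database output was cleaned) all come down to one rule: every untrusted value, whether it arrives in the request or comes back from the database, is escaped for the context it is echoed into. The following is an added example, not code from the policosmos site, showing that rule in PHP; the function names and the sample payloads are assumptions, the payloads modelled on the ones reported above.

```php
<?php
// Added example, not code from the policosmos site: output encoding for the
// reflected and stored XSS reported in the thread. strip_tags() is not the fix,
// because the payloads here break out of an attribute with "> or arrive as an
// email address. Function names and the sample values are assumptions.

declare(strict_types=1);

// Escape for HTML text and for double- or single-quoted attribute values.
// ENT_QUOTES encodes both quote characters, so "> cannot close an attribute.
// The charset must match the one the page is served in.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A value that goes into a URL inside an attribute needs both encodings:
// rawurlencode for the URL component, then h() for the HTML around it.
function delete_link(string $delete): string
{
    return '<a href="addfriend.php?delete=' . h(rawurlencode($delete)) . '">delete</a>';
}

// Registration: do not try to clean markup out of the address, refuse it.
// PHP has already percent-decoded $_GET and $_POST, so %3Cscript%3E arrives
// here as <script> and is not a valid address.
function valid_email(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed samples of what was reported in the thread.
$attribute_payload = '"><marquee><h1>vulnerable</marquee>';
$email_payload     = '<script>alert(document.cookie)</script>@gmail.com';

// Vulnerable attribute context: the first " closes the value, the rest is markup.
echo '<input name="delete" value="' . $attribute_payload . '">', PHP_EOL;

// strip_tags removes the elements but leaves the "> that does the damage.
echo '<input name="delete" value="' . strip_tags($attribute_payload) . '">', PHP_EOL;

// h() turns every special character into an entity; the browser renders text.
echo '<input name="delete" value="' . h($attribute_payload) . '">', PHP_EOL;
echo delete_link($attribute_payload), PHP_EOL;

// The email is rejected on input. If a bad one is already in the database,
// h() at output still renders it harmlessly on every page that shows it,
// which is what "cleaning stuff from the DB" has to mean.
var_dump(valid_email($email_payload));
var_dump(valid_email('trial@policosmos.com'));
echo h($email_payload), PHP_EOL;
```

Escaping belongs at the echo, not at the point the value is read: the same name or email is shown in several contexts (page text, input values, links) and each one needs its own encoding. Validation at input, such as the filter_var check, is an extra layer that keeps junk out of the database, not a substitute for h() at output.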
policosmos Posted July 8, 2007 (Author)
So putting those GETs in single quotes when they go to the query will take care of the injection issues, right?
source Posted July 8, 2007
http://www.php.net/manual/en/function.mysql-escape-string.php
policosmos Posted July 8, 2007 (Author)
Quote:
  http://www.php.net/manual/en/function.mysql-escape-string.php
Thanks, but how is mysql_real_escape_string() going to prevent this injection?:
http://www.policosmos.com/blog.php?delete=36 AND 1=1
policosmos Posted July 11, 2007 (Author)
Quote:
  Okay yeah now I'm positive this is exploitable it definitely needs to be fixed...
  http://www.policosmos.com/mail.php?delete=211 UNION ALL SELECT password FROM users
How is that query exploitable? When I run it, all it outputs is what it should. Or am I not seeing the result?
policosmos Posted July 11, 2007 (Author)
Quote from: agentsteal on July 08, 2007, 01:46:43 PM
  Quote:
    Okay yeah now I'm positive this is exploitable it definitely needs to be fixed...
    http://www.policosmos.com/mail.php?delete=211 UNION ALL SELECT password FROM users
  Quote:
    How is that query exploitable? When I run it, all it outputs is what it should. Or am I not seeing the result?
  No, all that page does is prove that there's a "users" table and that the column is "password". To actually get the passwords you need to use blind sql fishing, where you query the database one character at a time. But I didn't think you'd want me to do that...
  http://www.policosmos.com/mail.php?delete=211 UNION ALL SELECT password FROM users
  pretty much definitely means that users could query the db to get the passwords from the users table... so you should just fix it k
K. Just asking. Trying to understand this side of it all.
So ... I just noticed that despite me not having touched the registration script, registrations no longer work. The only thing I did was to upgrade from cPanel 10 to 11. I'm baffled. Everything looks fine in the browser, but it no longer adds users to the DB. WTF.
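The injection question running through the July posts (does quoting fix it, how does mysql_real_escape_string help with "delete=36 AND 1=1", and why the UNION probe proves the users table is reachable) is easiest to see with a query you can run. The following is an added example, not code from the policosmos site: it uses an in-memory SQLite database through PDO so it needs no MySQL server, a SELECT stands in for the page's delete so the effect is visible, PDO::quote() plays the role of mysql_real_escape_string() with the quotes added, and the rows, the owner id and the function names are constructed. Table and column names follow the thread's report.

```php
<?php
// Added example, not code from the policosmos site: why "211 AND 1=1" gets
// through, and the fixes. Runs on an in-memory SQLite database through PDO so
// it needs no MySQL; a SELECT stands in for the page's delete so the effect is
// visible. Table and column names follow the thread's report (mail, users,
// password); the rows, the owner id and the function names are constructed.

declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)');
$db->exec('CREATE TABLE mail  (id INTEGER PRIMARY KEY, owner INTEGER, subject TEXT)');
$db->exec("INSERT INTO users VALUES (107, 'trial@policosmos.com', 'hunter2')");
$db->exec("INSERT INTO mail  VALUES (211, 107, 'hello'), (212, 108, 'not yours')");

// Vulnerable: the GET value lands in the SQL unquoted. Escaping cannot help,
// there is no quote for the attacker to escape out of, so "AND 1=2" flips the
// result (the true/false oracle blind extraction needs) and UNION appends rows
// from another table.
function mail_vulnerable(PDO $db, int $owner, string $delete): array
{
    $sql = "SELECT subject FROM mail WHERE owner = $owner AND id = $delete";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Quoting plus escaping, as proposed in the thread. PDO::quote() stands in for
// mysql_real_escape_string() with the quotes around it. The whole value is now
// one string literal: MySQL would coerce '211 AND 1=1' to 211 with a warning,
// SQLite matches nothing; neither one executes the AND.
function mail_quoted(PDO $db, int $owner, string $delete): array
{
    $sql = "SELECT subject FROM mail WHERE owner = $owner AND id = " . $db->quote($delete);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Simpler for an id: cast it, so only an integer can ever reach the SQL.
function mail_cast(PDO $db, int $owner, string $delete): array
{
    $id  = (int) $delete;
    $sql = "SELECT subject FROM mail WHERE owner = $owner AND id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Best, and the only approach that also covers string parameters: a prepared
// statement. The value travels separately from the SQL text.
function mail_prepared(PDO $db, int $owner, string $delete): array
{
    $stmt = $db->prepare('SELECT subject FROM mail WHERE owner = :owner AND id = :id');
    $stmt->execute([':owner' => $owner, ':id' => (int) $delete]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$owner  = 107; // from the session, never from the request
$probes = [
    '211',
    '211 AND 1=1',
    '211 AND 1=2',
    '211 UNION ALL SELECT password FROM users',
];
foreach ($probes as $p) {
    printf("%-42s vulnerable=%-20s quoted=%-10s cast=%-10s prepared=%s\n", $p,
        json_encode(mail_vulnerable($db, $owner, $p)),
        json_encode(mail_quoted($db, $owner, $p)),
        json_encode(mail_cast($db, $owner, $p)),
        json_encode(mail_prepared($db, $owner, $p)));
}
```

Run it and compare the columns: only the vulnerable query returns a different row set for "AND 1=1" versus "AND 1=2", and only it returns the users.password value on the UNION probe. The cast and prepared versions give the same answer for every probe, which is exactly what takes away the one-character-at-a-time oracle described above. mysql_real_escape_string() on its own changes nothing for an unquoted number; it only does its job inside quotes, and a prepared statement (mysqli or PDO) removes the need to get that right by hand.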