Trying to squeeze out the bugs ... PoliCosmos.com



Hi,

 

This has been my secret side project for a while.  I'd like to launch it ASAP.  Any suggestions, comments, etc. are welcome -- thanks in advance.

 

http://www.policosmos.com

 

If you don't want to register, use 'trial@policosmos.com' and 'password' ... just don't change the password, please!

 

One thing I know of ... and if you could tell me why, you rock ... is in IE7, the background seems to be 1px off from the divs.  It has faux columns, which don't line up with the graphics.  Grrr.

 

Um, I'm a PHP newbie, so anything you've got for me is a big help.

 

;D


Array:

http://www.policosmos.com/citizenshall.php?start[]

 

Array:

http://www.policosmos.com/table.php?topic=0&start[]

 

Array:

http://www.policosmos.com/table.php?topic[]

 

Cross Site Scripting:

http://www.policosmos.com/addfriend.php?delete="><marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://www.policosmos.com/browse.php?show=<marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://www.policosmos.com/citizenshall.php?start=<marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://www.policosmos.com/cgi-sys/scgiwrap/<marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://www.policosmos.com/endorse.php?delete="><marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://www.policosmos.com/phpinfo.php?<script>alert('vulnerable')</script>

 

Cross Site Scripting:

http://www.policosmos.com/submit_reg.php?email=<marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

There is Cross Site Scripting if the issues section contains code.

 

Cross Site Scripting:

There is Cross Site Scripting when you register if the fields contain code.

 

Full Path Disclosure:

http://www.policosmos.com/browse.php

 

Full Path Disclosure:

http://www.policosmos.com/citizenshall.php

 

Full Path Disclosure:

http://www.policosmos.com/cgi-sys/scgiwrap/

 

Full Path Disclosure:

http://www.policosmos.com/phpinfo.php

 

Full Path Disclosure:

http://www.policosmos.com/table.php?topic=0&start[]

 

Full Path Disclosure:

http://www.policosmos.com/test.php

 

Full Path Disclosure:

There is Full Path Disclosure when you register.

Warning: Cannot modify header information - headers already sent by (output started at /home/zeus/public_html/register.php:8) in /home/zeus/public_html/register.php on line 125

 

Full Path Disclosure:

There is Full Path Disclosure if you upload an invalid avatar.

Warning: getimagesize() [function.getimagesize]: Read error! in /home/zeus/public_html/addphoto.php on line 86

 

Warning: Division by zero in /home/zeus/public_html/addphoto.php on line 87

 

Warning: Division by zero in /home/zeus/public_html/addphoto.php on line 89

 

Warning: imagecreatetruecolor() [function.imagecreatetruecolor]: Invalid image dimensions in /home/zeus/public_html/addphoto.php on line 93

 

Maximum Length:

If you edit the input boxes when you register you can remove the maximum lengths.

 

SQL Injection:

http://www.policosmos.com/blog.php?delete=36 AND 1=1

http://www.policosmos.com/blog.php?delete=36 AND 1=2

 

SQL Injection:

http://www.policosmos.com/browse.php?find=endorsements&user=107 AND 1=1

http://www.policosmos.com/browse.php?find=endorsements&user=107 AND 1=2

 

SQL Injection:

http://www.policosmos.com/mail.php?delete=211 AND 1=1

http://www.policosmos.com/mail.php?delete=211 AND 1=2

 

User Enumeration:

http://www.policosmos.com/~policosmos

 

User Enumeration:

http://www.policosmos.com/~root

 

User Enumeration:

http://www.policosmos.com/~zeus


I got this error message when I tried to register. It has full path disclosure:

Warning: Cannot modify header information - headers already sent by (output started at /home/zeus/public_html/register.php:8) in /home/zeus/public_html/register.php on line 125

 

Thanks.  I knew there were one or two of those flying around.  I will turn error reporting off shortly.  No worries.  ;)



If you turn it off, the registration might not work...

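An added example (not PoliCosmos code, not anyone's post in this thread) showing the PHP settings behind the full path disclosure reports above, and why "turning error reporting off" does not make the register.php warning go away in substance. The log path, the redirect target and the function name are assumptions.

```php
<?php
// Added example, not PoliCosmos code. Shows the php.ini settings behind the
// full-path-disclosure reports in this thread, and the cause of the
// "headers already sent" warning from register.php. The log path is assumed.
declare(strict_types=1);

// Weak (what the live site is doing): every warning, with its absolute path,
// is printed into the HTML sent to the visitor.
//   display_errors = On

// Corrected: still report everything, but to a log outside public_html.
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/home/zeus/php-errors.log'); // assumed path, not under public_html

// The register.php warning says output started at line 8 and header() was
// called on line 125. Anything emitted before header() (HTML, an echo, a blank
// line after a closing ?> in an included file) triggers it. Turning
// display_errors off only hides the message: the Location header is still
// not sent, so the redirect silently does nothing.
// Decide the redirect before producing any output:
function finishRegistration(bool $saved): void {
    if ($saved) {
        header('Location: /welcome.php'); // assumed target page
        exit;
    }
    echo '<p>Registration failed, please try again.</p>';
}

// If the page layout must be emitted first, buffer it so header() can still
// be called later and nothing reaches the client until the buffer is flushed.
ob_start();
echo '<!doctype html><title>Register</title>';
finishRegistration(true); // header() succeeds because the output is still buffered
```

The two halves are independent: log_errors keeps the warnings (and the paths) for the developer, while the buffering or reordering fixes the condition the warning was reporting.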

When you register, it should filter tags. I entered code as my email address and the code runs on multiple pages (including the page after you register and the "Reset Password" page).

 

Wow, really?  Did you hide it in the xxx@xxx.xxx format?  I go look at database.


But actually you don't even need to register that way; you can do it from the URL:

http://www.policosmos.com/submit_reg.php?email=<marquee>

 

And it's not just a problem with the email. If you enter code as your name, the whole site has XSS problems once you log in, and everything you can edit in your profile has the same problem.

 

Not only that, but filtering HTML tags is not enough in this case... I actually was able to register with the email address of:

%3Cscript%3Ealert(document.cookie)%3C/script%3E@gmail.com

 

This is the URL equivalent of a script tag. Strip tags won't pull it out, but when you echo it to the page, it will still parse as script.

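An added example, not code from PoliCosmos or from the posters above, that runs the payloads quoted in this thread (the %3Cscript%3E email address, the `"><marquee>` attribute break-out) through strip_tags() and through htmlspecialchars(), and enforces the registration limits on the server since the "Maximum Length" note earlier shows the browser's maxlength can be edited away. Function names, the 254-byte limit and the rendering snippet are my assumptions, not the site's code.

```php
<?php
// Added example, not PoliCosmos code. Shows why strip_tags() is the wrong
// tool and htmlspecialchars() at output time is the right one, using the
// payloads from this thread. Function names are mine.
declare(strict_types=1);

// Escape for an HTML body or a double-quoted attribute value.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Server-side registration checks: the browser's maxlength can be removed
// with a DOM editor, so length and format are enforced here regardless.
function validateEmail(string $email): ?string {
    if (strlen($email) > 254) {            // assumed limit
        return 'too long';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'not an address';           // '<' and '>' are not valid in a local part
    }
    return null; // ok
}

// Payloads seen in the thread. PHP URL-decodes $_GET/$_POST before your code
// sees them, so the %3Cscript%3E form arrives as a literal <script> tag.
$emailPayload = urldecode('%3Cscript%3Ealert(document.cookie)%3C/script%3E@gmail.com');
$attrPayload  = '"><marquee><h1>vulnerable</marquee>';

// strip_tags removes the tags themselves ...
strip_tags($emailPayload);   // alert(document.cookie)@gmail.com
// ... but leaves the quote that closes an attribute, so value="<?= $x ?>" still breaks:
strip_tags($attrPayload);    // ">vulnerable

// Escaping at output time keeps both inert in either context:
e($emailPayload); // &lt;script&gt;alert(document.cookie)&lt;/script&gt;@gmail.com
e($attrPayload);  // &quot;&gt;&lt;marquee&gt;&lt;h1&gt;vulnerable&lt;/marquee&gt;

validateEmail($emailPayload);      // 'not an address'
validateEmail('user@example.com'); // null

// Rendering: escape every untrusted value at the point it is printed, whether
// it came from the URL, the form, or the database (the name and profile
// fields reported above are stored and replayed on many pages).
function renderProfile(string $name, string $email): string {
    return '<p>' . e($name) . '</p>' . "\n"
         . '<input name="email" value="' . e($email) . '">';
}

echo renderProfile('<b>zeus</b>', $emailPayload);
```

The rule this demonstrates: validate on the way in (reject what is not an email address, not too long), and escape on the way out for the context it lands in. Stripping tags on input does neither reliably, and it also destroys legitimate data such as a `<` in a blog post.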

Wow, I knew I was going to have security issues, but I didn't know it would be so easy.  I was going to guess something like htmlspecialchars() would take care of any tags, but you've clearly demonstrated I've got my work cut out for me before this gets released to the big bad world.   :o

 

This is my first PHP project.  I wanted something totally custom, so I just learned whatever I could.  Joomla wasn't going to do it for me.  Do you know of any great sites that are security specific?


Dude, I think the idea is pretty cool.  I don't have time to really beta test it and give a full opinion on it yet, but I think it has potential for your political guru/geek crowd.  Only tried with the trial account, will post later.



Thanks!  I can't wait to get it done!!!  :)


  • 2 months later...

Here's something serious:

You have a Blind SQL Injection vulnerability.

http://www.policosmos.com/browse.php?find=endorsements&user=107 AND 1=1

http://www.policosmos.com/browse.php?find=endorsements&user=107 AND 1=2

 

Let me see if it's exploitable and then I'll talk to you about it.

 

 

Looks like you got into the DB ... am I right?

 

BTW, agentsteal, you rock.  If this thing ever gets big, I'll be sure to reward you  :D


Quote from: agentsteal on July 08, 2007, 01:46:43 PM

Okay yeah now I'm positive this is exploitable it definitely needs to be fixed...

http://www.policosmos.com/mail.php?delete=211 UNION ALL SELECT password FROM users

 

How is that query exploitable?  When I run it, all it outputs is what it should.  Or am I not seeing the result?

 

No, all that page does is prove that there's a "users" table and that the column is "password". To actually get the passwords you need to use blind SQL fishing, where you query the database one character at a time. But I didn't think you'd want me to do that... http://www.policosmos.com/mail.php?delete=211 UNION ALL SELECT password FROM users pretty much definitely means that users could query the DB to get the passwords from the users table, so you should just fix it, k.

 

K.  Just asking.  Trying to understand this side of it all.

 

So ... I just noticed that despite me not having touched the registration script, registrations no longer work.  The only thing I did was to upgrade from cPanel 10 to 11.  I'm baffled.  Everything looks fine in the browser, but it no longer adds users to the DB.  WTF.

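An added example, not PoliCosmos code and not something posted by agentsteal, that rebuilds the `mail.php?delete=` pattern from the exchange above and the earlier list (the `AND 1=1` / `AND 1=2` probes, the `UNION ALL SELECT password FROM users` query, the "one character at a time" extraction, and the `start[]` array case) against an in-memory SQLite database through PDO, so the effect can be seen offline next to the fixed version. The table layout, column names, function names, and the use of a SELECT for the delete handler are all assumptions; the site's real query is not on this page, and the sample rows are constructed.

```php
<?php
// Added example, not PoliCosmos code. Recreates the mail.php?delete=... pattern
// against an in-memory SQLite database so the probes from the thread can be
// run offline. Table and column names are assumptions based on the thread
// (a "users" table with a "password" column, a "mail" table); rows are made up.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)');
$db->exec('CREATE TABLE mail  (id INTEGER PRIMARY KEY, owner INTEGER, subject TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'zeus', 'hunter2'), (2, 'trial', 'password')");
$db->exec("INSERT INTO mail  VALUES (211, 1, 'hello'), (212, 2, 'welcome')");

// Vulnerable: the query-string value is pasted straight into the SQL text.
function fetchMailVulnerable(PDO $db, string $delete): array {
    $sql = "SELECT subject FROM mail WHERE id = $delete";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: accept only a plain integer string, then bind it as a parameter.
// The is_string() check also refuses ?delete[] (PHP hands you an array),
// which is what produced the "Array" warnings earlier in the thread.
function fetchMailSafe(PDO $db, $delete): array {
    if (!is_string($delete) || !preg_match('/^\d+$/', $delete)) {
        return [];
    }
    $stmt = $db->prepare('SELECT subject FROM mail WHERE id = :id');
    $stmt->execute([':id' => (int) $delete]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 1. Boolean probe from the thread: 1=1 keeps the row, 1=2 drops it.
fetchMailVulnerable($db, '211 AND 1=1');   // ['hello']
fetchMailVulnerable($db, '211 AND 1=2');   // []

// 2. UNION: the password column rides along in the subject column.
fetchMailVulnerable($db, '211 UNION ALL SELECT password FROM users');
// ['hello', 'hunter2', 'password']

// 3. What "blind SQL fishing" means: ask one yes/no question per character.
//    The page never prints the password; only row-present vs row-absent leaks.
function guessFirstChar(PDO $db): ?string {
    foreach (range('a', 'z') as $c) {
        $probe = "211 AND SUBSTR((SELECT password FROM users WHERE id = 1), 1, 1) = '$c'";
        if (fetchMailVulnerable($db, $probe) !== []) {
            return $c;
        }
    }
    return null;
}
guessFirstChar($db); // 'h'  (repeat with offsets 2, 3, ... to recover the rest)

// Same inputs against the fixed function: only a bare id is ever used.
fetchMailSafe($db, '211');                                       // ['hello']
fetchMailSafe($db, '211 AND 1=1');                               // []
fetchMailSafe($db, '211 UNION ALL SELECT password FROM users');  // []
fetchMailSafe($db, ['x']);                                       // []
```

With the parameterized version the 1=1 and 1=2 URLs both return nothing, so the boolean probe from the thread no longer distinguishes anything, and the UNION query cannot change the statement's shape at all. The same pattern (validate the type, bind the value) applies to `blog.php?delete=`, `browse.php?user=`, and the `topic`/`start` parameters listed earlier.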
