
Beta Test - new live chat system



Hello all,

 

I have a new live chat system that is ready to be used; I would like for anyone who could to try it out. It has a lot of features in it and for me it has been very reliable, but I would like to hear what other users think about it. Any bugs or things that just don't work right you can submit right from inside the system ("Support" link in the admin section).

 

The beta test of this software is a hosted version, so you don't have to download and install anything; just click this link http://www.nixme.com/livechat/clicktrack/index.php?id=08c6e1b50d06 and enter your information, and you will be sent a link to log in with and begin using it. As you can see from the link, the system has a click tracking option in it.

 

There are still a few things that need fine tuning, but in all I think that it is a fully working system. The website it is on is nowhere near complete, so if you click a link there it probably will be a dead link.

 

Once you have signed up there is a small help file in the admin area; just click the "Quick Start" link in the menu after you log in. I will be adding a lot more to it in the coming days.

 

So anybody that would, sign up and let me know how it works out for you. I would like to hear that it works great, but even better would be to find any bugs that I don't know about and fix them.

 

Thanks

 

Donald

 

 

 

 


Array:

http://www.nixme.com/client/bnixmedemo/admin/removetracking.php?ad_name[]

 

Array:

http://www.nixme.com/client/bnixmedemo/js/monitor-new.php?ref[]

 

CAPTCHA:

You can register multiple times with the same CAPTCHA.

 

Cross Site Scripting:

http://www.nixme.com/cgi-sys/scgiwrap/<marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://www.nixme.com/client/b_testing/admin/index.php?reason=<marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://www.nixme.com/client/b_testing/admin/removeadmin.php?userid=4&username="><marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://www.nixme.com/client/b_testing/admin/removedept.php?deptid=2&dept_name=<marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://www.nixme.com/livechat/client-ndb.php/"><marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://www.nixme.com/livechat/js/monitor-new.php?deptid=<marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://www.nixme.com/livechat/leave-a-message.php/"><marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

There is Cross Site Scripting on http://www.nixme.com/client/b_testing/admin/options.php if the options contain ">code.

 

Cross Site Scripting:

There is Cross Site Scripting on http://www.nixme.com/client/b_testing/admin/repdetails.php if your password contains ")'>code.

 

Cross Site Scripting:

There is Cross Site Scripting on the Administrators page.

 

Cross Site Scripting:

There is Cross Site Scripting on the Chat Representative page.

 

Cross Site Scripting:

There is Cross Site Scripting on the Click Tracking page if the Campaign Name contains code.

 

Cross Site Scripting:

There is Cross Site Scripting on the Click Tracking page if the Landing Page contains code.

 

Cross Site Scripting:

There is Cross Site Scripting on the Departments page.

 

Cross Site Scripting:

There is Cross Site Scripting on the Remove Tracking Link page if the Campaign Name contains %3Ccode%3E.

 

Cross Site Scripting:

There is Cross Site Scripting on the Show Click Tracking Referrers page if a referrer contains code.

 

Directory Traversal:

There is Directory Traversal if the Landing Page contains ../

 

Drop Down Menu:

If you edit the drop down menu on http://www.nixme.com/client/b_testing/admin/code-generator.php you can submit arbitrary values.

 

Drop Down Menu:

If you edit the drop down menus on http://www.nixme.com/client/b_testing/admin/options.php you can submit arbitrary values.

 

Full Path Disclosure:

http://www.nixme.com/cgi-sys/scgiwrap/

 

Full Path Disclosure:

http://www.nixme.com/client/b_testing/admin-files/admin_users.php?deptid=admin

Warning: touch() [function.touch]: Utime failed: Permission denied in /home/nixmev/public_html/client/b_testing/admin-files/admin_users.php on line 7

 

Full Path Disclosure:

http://www.nixme.com/client/b_testing/admin-files/proactive.php

Warning: fopen(../chat-logs/proactive.txt) [function.fopen]: failed to open stream: Permission denied in /home/nixmev/public_html/client/b_testing/admin-files/proactive.php on line 3

 

Full Path Disclosure:

http://www.nixme.com/client/b_testing/admin/code-generator.php

Fatal error: Cannot redeclare class verify_departments in /home/nixmev/public_html/client/b_testing/admin/code-generator.php on line 6

 

Full Path Disclosure:

http://www.nixme.com/client/btesting5/admin/delete-message.php?id='

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/nixmev/public_html/client/btesting5/admin/delete-message.php on line 9

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''\\\'' at line 1

 

Full Path Disclosure:

http://www.nixme.com/client/btesting4/admin/referrers.php

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/nixmev/public_html/client/btesting4/admin/referrers.php on line 17

 

Full Path Disclosure:

http://www.nixme.com/client/bnixmedemo/admin/removeadmin.php?username[]

 

Full Path Disclosure:

http://www.nixme.com/client/bnixmedemo/admin/removedept.php?deptid=2&dept_name[]

 

Full Path Disclosure:

http://www.nixme.com/client/b_testing/admin/repdetails.php

Warning: Invalid argument supplied for foreach() in /home/nixmev/public_html/client/b_testing/admin/repdetails.php on line 41

 

Full Path Disclosure:

http://www.nixme.com/client/bnixmedemo/admin/repdetails.php?userid[]

 

Full Path Disclosure:

http://www.nixme.com/client/btesting5/admin/reply-to-message.php?id='

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/nixmev/public_html/client/btesting5/admin/reply-to-message.php on line 12

 

Full Path Disclosure:

http://www.nixme.com/client/btesting4/admin/veiw-transcripts.php?chatid='

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/nixmev/public_html/client/btesting4/admin/veiw-transcripts.php on line 35

 

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/nixmev/public_html/client/btesting4/admin/veiw-transcripts.php on line 37

 

Full Path Disclosure:

http://www.nixme.com/livechat/get_admin_active.php

 

Includes Directory:

http://www.nixme.com/client/

 

Log:

http://www.nixme.com/livechat/chat-logs/

 

SQL Dump:

http://www.nixme.com/~nobody

 

SQL Error:

http://www.nixme.com/client/btesting4/js/monitor-new.php?ref='

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''\')' at line 1

 

SQL Error:

There is an SQL Error on http://www.nixme.com/client/b_testing/admin/options.php if the input boxes contain '

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' , `company_city` = '\' , `company_state` = '\' , `company_zipcode` = '\' , `c' at line 1

 

User Enumeration:

http://www.nixme.com/~donald

 

User Enumeration:

http://www.nixme.com/~nixmev

 

User Enumeration:

http://www.nixme.com/~nobody
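
The report above shows three recurring input-handling problems: `[]` array parameters and a lone `'` triggering PHP/MySQL warnings that print server paths, and request values echoed into HTML unescaped. The following is an added example, not part of the original post and not the live chat system's code, showing one way a handler such as the department-removal page could treat those inputs; the table, column and helper names are hypothetical and the data is constructed.

```php
<?php
// Added example, not the live chat system's code. Table, column and helper
// names are hypothetical; the sample requests below are constructed.
declare(strict_types=1);
// Production setting: log errors instead of printing them, so a failed call
// cannot reveal paths such as /home/<user>/public_html/... to the visitor.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Return a query parameter only if it is a plain string; ?name[]= arrives as
// an array and is rejected instead of being passed on to string functions.
function scalar_param(array $src, string $key): ?string {
    $v = $src[$key] ?? null;
    return is_string($v) ? $v : null;
}

// Accept only decimal digits for numeric ids, so id=' never reaches SQL.
function int_param(array $src, string $key): ?int {
    $v = scalar_param($src, $key);
    return ($v !== null && ctype_digit($v)) ? (int)$v : null;
}
// Escape for HTML text and quoted attribute contexts.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function confirm_remove_dept(PDO $db, array $get): string {
    $id = int_param($get, 'deptid');
    if ($id === null) {
        return '<p>Invalid request.</p>';
    }
    // The name is looked up by id with a bound parameter, not echoed from the URL.
    $st = $db->prepare('SELECT dept_name FROM departments WHERE deptid = ?');
    $st->execute([$id]);
    $name = $st->fetchColumn();
    if ($name === false) {
        return '<p>Invalid request.</p>';
    }
    return '<p>Remove department "' . h((string)$name) . '"?</p>';
}

// Constructed data and requests, using an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE departments (deptid INTEGER PRIMARY KEY, dept_name TEXT)');
$db->prepare('INSERT INTO departments VALUES (2, ?)')->execute(['<marquee>Sales']);
foreach ([['deptid' => '2'], ['deptid' => "'"], ['deptid' => ['x']]] as $get) {
    echo confirm_remove_dept($db, $get), "\n";
}
```

The first request prints the stored name with its markup escaped; the `'` and array requests both get the same generic message, with no warning text in the response.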


I have fixed all problems listed and a few more that I found, although I'm sure not all of them are gone yet. But anyone that would, sign up and try it out. Let me know if you get any problems with that process and how it works for you.


I saw that a lot of those pages have to be fixed also; I have been uploading some new files to the admin sections tonight as well.

I put the files where you had to log in to see them last on the list to fix.

 

edited: typo


I sent you a PM back about that. The problem was the user ~nobody has a home dir of "/" and inside the dir / was a folder public_html. That's the reason it got there; in cPanel you can disable the ~username for all users except nobody. I was almost in a panic about that one.

I deleted the site off the server to try and fix it before I knew what was going on, and the problem was still there. I talked with cPanel about 5 times also and we couldn't figure it out. But finally I looked at where the home dir of nobody was and found the file. It probably came from a bad command line file copy.

On the errors, I like to get them ASAP so I don't have to worry with it later. I have spent about a month writing this and it is finally working, and I don't want to have to deal with security later.


That's a good one, I pretty much didn't do anything with those values. I will have to set it up to screen those as well.

And you're right about people not fixing stuff; I just went through some old posts and found a lot of the errors discovered are still there.


Fixed the options hole, along with a few more.

If you leave your window open the monitor will time out in about 1 hour, instead of checking all night.

I think you are checking that now; after you refresh you will get the new monitor file and the script will time out instead of running all night like it is now.

Also made the monitor images appear instantly instead of a delay on the load of the online or offline image.

Let me know if you see anything else...


 

Wow thanks that's an amazing add-on how do u know about all these things?

 

When you spend all day on the PC coding, either for yourself or someone else, it seems I just find things like that; especially being self-taught, I look for things to help me out. Besides golf, I spend most of my time here (on the PC).

 
