
TESTING OTAKUWANTED.COM


SauloA


I've recently completed my website using PHP and MySQL.  During the development of my website I looked to PHPFreaks for some coding help and I say thanks.  I was going to post my site for beta testing earlier but didn't feel it was suitable for viewing at the time.  Now I feel that it is suitable for viewing and ask PHPFreaks to help with any errors, bugs, glitches, and security issues, if any are present.

 

There is something that I've been trying to figure out.  I want to put the number of posts in my forums but I'm unclear on what to do to count the posts and display that next to the forum title.

 

Visit http://www.otakuwanted.com

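One way to get the per-forum post count the opening post asks about, as an added example that is not the site's own code: a single `LEFT JOIN` ... `GROUP BY` query returns every forum with its count (zero included) instead of running one `COUNT()` per forum. The table and column names (`forums`, `posts`, `forum_id`, `title`, `post_id`) and the PDO connection details are assumptions for the illustration; substitute your own.

```php
<?php
// Added example for the "number of posts next to the forum title" question.
// Assumed schema (not taken from the site): forums(forum_id, title),
// posts(post_id, forum_id, ...). Requires the PDO MySQL driver.

function forum_post_counts(PDO $db): array
{
    // LEFT JOIN keeps forums that have no posts yet; COUNT(p.post_id)
    // counts only matched rows, so those forums report 0 rather than 1.
    $sql = 'SELECT f.forum_id, f.title, COUNT(p.post_id) AS post_count
              FROM forums f
         LEFT JOIN posts p ON p.forum_id = f.forum_id
          GROUP BY f.forum_id, f.title
          ORDER BY f.title';

    // No user input is interpolated here, but prepared statements are the
    // habit to keep for every query that does take input.
    $stmt = $db->prepare($sql);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection parameters are placeholders; replace with your own.
$db = new PDO(
    'mysql:host=localhost;dbname=example_db;charset=utf8',
    'db_user',
    'db_password',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

foreach (forum_post_counts($db) as $row) {
    // Escape the title on output so a forum name containing HTML is shown
    // as text, not rendered as markup.
    printf(
        '<li>%s (%d posts)</li>' . "\n",
        htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'),
        (int) $row['post_count']
    );
}
```

If the forum list is rendered on every page view, cache the result or maintain a `post_count` column updated on insert/delete; the grouped query is fine for a handful of forums but is re-executed on each request as written.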

Full Path Disclosure:

There is Full Path Disclosure if the PHPSESSID cookie is set to an invalid value.

Warning: session_start(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9 in /home/content/s/a/u/sauloa/html/index.php on line 55

 

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /home/content/s/a/u/sauloa/html/index.php:55) in /home/content/s/a/u/sauloa/html/index.php on line 55

 

Warning: session_regenerate_id(): Cannot send session cookie - headers already sent by (output started at /home/content/s/a/u/sauloa/html/index.php:55) in /home/content/s/a/u/sauloa/html/index.php on line 59

 

Session Fixation:

http://www.otakuwanted.com/?PHPSESSID=vulnerable

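The two findings in the post above, full path disclosure from `session_start()` warnings and session fixation through `?PHPSESSID=...`, are usually fixed together in the session bootstrap. The following is an added example, not code from otakuwanted.com: it keeps PHP warnings out of the HTML response, rejects a malformed session id before `session_start()` can warn about it, tells PHP to accept session ids only from the cookie, and regenerates the id when a user logs in so an id planted by an attacker is never promoted to an authenticated session. The `login_user()` function and its `$userId` parameter are illustrative names, not the site's.

```php
<?php
// Added example (not the site's code): hardened session bootstrap that
// addresses the full path disclosure and session fixation findings.

// 1. Full path disclosure. The warnings quoted above leak
//    /home/content/.../index.php because display_errors is on. Send errors
//    to the log instead. Setting it in php.ini or .htaccess is preferable;
//    ini_set() here covers shared hosts where that is not possible.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// 2. Session fixation. Take the session id from the cookie only, never from
//    the query string, and stop PHP from appending PHPSESSID to links.
//    With these set, http://example.test/?PHPSESSID=vulnerable is ignored.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Refuse ids the server never issued (PHP >= 5.5.2); harmless on older PHP.
ini_set('session.use_strict_mode', '1');
// Keep the cookie away from script access; set 'secure' => true under HTTPS.
session_set_cookie_params(0, '/', '', false, true);

/**
 * Accept only session ids made of the characters session_start() itself
 * allows (the warning text: a-z, A-Z, 0-9) and of a plausible length.
 * PHP's default id lengths fall in the 22..256 range.
 */
function valid_session_id(string $id): bool
{
    return (bool) preg_match('/^[a-zA-Z0-9]{22,256}$/', $id);
}

// If the client sent a garbage PHPSESSID cookie, discard it ourselves so
// session_start() simply issues a fresh id instead of emitting the warning
// (and the two "headers already sent" warnings that cascade from it).
$cookieName = session_name();
if (isset($_COOKIE[$cookieName]) && !valid_session_id($_COOKIE[$cookieName])) {
    unset($_COOKIE[$cookieName]);
    setcookie($cookieName, '', time() - 3600, '/');
}

// Start the session before any output; with display_errors off there is no
// stray warning text to trigger "headers already sent".
session_start();

/**
 * Illustrative login step: rotate the session id at the moment privileges
 * change. Even if an attacker had fixed the id beforehand, their copy stops
 * referring to this (now authenticated) session. The `true` argument deletes
 * the old session file so the stale id cannot be reused.
 */
function login_user(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

To confirm the fix, request the page with `Cookie: PHPSESSID=%%%invalid%%%` and with `?PHPSESSID=vulnerable` in the URL: the response should carry a freshly generated `Set-Cookie: PHPSESSID=...` header in both cases and contain no `Warning:` text, and the id in the cookie should change again after a successful login.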

Hey agentsteal,

 

How'd you get the error you posted?  I don't understand the error.

 

From what I can tell by your post you're saying that if there is no session id then the full path of the page is disclosed.  What do you suggest I do?


Hey agentsteal,

 

I click on the link that you posted and it sends me directly to the home page.  What browser are you using?  Am I supposed to get the same error you get by clicking on the link you posted?  I'm not a PHP expert so you might have to explain things more to me.


Okay I see the error now.  I cleaned out my data and it's behind the homepage like you said.

 

But, what exactly does that error mean?  Is that a security issue? Will that error only happen if you go to the site with "?PHPSESSID"?
