any testers about?


.Stealth

Hello, I'm looking for a couple of testers for my site.

I've just about finished it; I only need to do the feedback form now, and that's not really important.

I'm looking for any main security issues. This is my first complete script and I've been working on it for a week non-stop. I've used every security technique I know, so any issues you find will help me in my PHP quest.

It's a client area for my web design site with the features:

support tickets
profile management

I just want to make sure that nobody could hack my site if they tried. Since the site is aimed at people not so clued up about the internet it's not really an issue, but it's better to be safe than sorry.

Because of the people it's aimed at, I have implemented a registration system where the user will need a key from me to register, as I don't want people registering willy-nilly; I just want it for my clients.

So, I'm just asking a few of you to try and attack my site, as well as use it how it's meant to be used. I don't want you attacking it so that my host goes mad at me and takes me to court because his server blew up in his face lol, just nice things that won't delete any databases.

Just maybe try a few techniques used by people today.

To register you will need login keys. Here are four; once one is used it can't be used anymore, so if other people want a go, let me know and I'll generate a few more for you.

b51277f8bbbe1711f3f9b1cde38da157
c354ecb0ba520ed4d1f0f84c9145ba73
ca400e1efc0fd4b891af25a7f4d9e66b
e46079f79bf0904d6202f822127b5b12

My admin section is hidden, so maybe see if you can track it down and try and log in.

That's about it, thanks for any help :)

Ohh, and the URL lol, silly me:

http://streamline-creations.co.uk/beta/client_area

You will need this one to sign up:

http://www.streamline-creations.co.uk/beta/client_area/signup.php

Thanks.


Cross Site Scripting:

There is Cross Site Scripting if the Expect header contains code.

Full Path Disclosure:

http://www.streamline-creations.co.uk/beta/

Warning: include(include/db.inc.php) [function.include]: failed to open stream: No such file or directory in /home/fhlinux168/s/streamline-creations.co.uk/user/htdocs/beta/index.php on line 7

Warning: include(include/db.inc.php) [function.include]: failed to open stream: No such file or directory in /home/fhlinux168/s/streamline-creations.co.uk/user/htdocs/beta/index.php on line 7

Warning: include() [function.include]: Failed opening 'include/db.inc.php' for inclusion (include_path='.:/usr/share/pear-php5') in /home/fhlinux168/s/streamline-creations.co.uk/user/htdocs/beta/index.php on line 7

Notice: Undefined variable: host in /home/fhlinux168/s/streamline-creations.co.uk/user/htdocs/beta/index.php on line 10

Notice: Undefined variable: user in /home/fhlinux168/s/streamline-creations.co.uk/user/htdocs/beta/index.php on line 10

Notice: Undefined variable: pass in /home/fhlinux168/s/streamline-creations.co.uk/user/htdocs/beta/index.php on line 10

Notice: Undefined variable: database in /home/fhlinux168/s/streamline-creations.co.uk/user/htdocs/beta/index.php on line 10

User Enumeration:

http://www.streamline-creations.co.uk/~root

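As an added example (not code from the thread or from the site under test): a small Python check that scans an HTTP response body for PHP diagnostics of the kind quoted in the Full Path Disclosure finding above and reports the server paths they leak, so the same leak can be caught in a pre-launch test run. The sample body is constructed here from the warnings quoted in the post, one of them re-wrapped the way PHP prints it with html_errors on.

```python
import re

# One PHP runtime diagnostic as it appears in a response body once HTML tags are removed:
#   Warning: include(...) [function.include]: failed to open stream: ... in /abs/path.php on line 7
PHP_DIAG_RE = re.compile(
    r"\b(?P<level>Warning|Notice|Fatal error|Parse error|Deprecated):\s+"
    r"(?P<msg>.*?)\s+in\s+(?P<path>/\S+?\.php)\s+on\s+line\s+(?P<line>\d+)"
)

TAG_RE = re.compile(r"<[^>]+>")


def find_path_disclosures(body):
    """Return one dict per PHP diagnostic in `body` that reveals a server-side file path."""
    text = TAG_RE.sub("", body)  # drop the <b>...</b> wrappers PHP adds with html_errors=On
    return [
        {
            "level": m.group("level"),
            "message": m.group("msg"),
            "path": m.group("path"),
            "line": int(m.group("line")),
        }
        for m in PHP_DIAG_RE.finditer(text)
    ]


def disclosed_directories(hits):
    """Distinct directories leaked by the findings; the document-root layout is the useful part."""
    return {h["path"].rsplit("/", 1)[0] for h in hits}


# Constructed sample response: three diagnostics copied from the findings above plus benign HTML.
SAMPLE_BODY = """<html><body>
Warning: include(include/db.inc.php) [function.include]: failed to open stream: No such file or directory in /home/fhlinux168/s/streamline-creations.co.uk/user/htdocs/beta/index.php on line 7
Warning: include() [function.include]: Failed opening 'include/db.inc.php' for inclusion (include_path='.:/usr/share/pear-php5') in /home/fhlinux168/s/streamline-creations.co.uk/user/htdocs/beta/index.php on line 7
<b>Notice</b>:  Undefined variable: host in <b>/home/fhlinux168/s/streamline-creations.co.uk/user/htdocs/beta/index.php</b> on line <b>10</b>
Welcome to the client area.
</body></html>"""

if __name__ == "__main__":
    for hit in find_path_disclosures(SAMPLE_BODY):
        print(f"{hit['level']} at {hit['path']}:{hit['line']} -> {hit['message']}")
    print("leaked directories:", disclosed_directories(find_path_disclosures(SAMPLE_BODY)))
```

The server-side fix for this class of leak is to set display_errors=Off and log_errors=On in php.ini so diagnostics go to the error log instead of the response.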

Hello, sorry I've replied a long time after you guys; it seems there's quite some time between us (U.K.) going by the forum's main clock.

What sort of problems are you having? I just tried to register and it works.

The main page, beta/index.php, isn't really set up yet, as my main concerns were within the client_area/.

I've been working on it from WAMP installed on my computer, but all links are set via a constant, so once I've changed that constant all links should work.

If you mean the links as in services etc., they're not meant to work. There are no user inputs in any area but the client_area, so I saw no need to upload them.

What problems in the login are you having?

Here are the keys again:

c354ecb0ba520ed4d1f0f84c9145ba73
ca400e1efc0fd4b891af25a7f4d9e66b
e46079f79bf0904d6202f822127b5b12
2be0dc0675bbc6d1eed2d5310abf6f58
23a04a2a9a835a857796550c2bb0259a

with 2 new ones (I used one to test the login script).


Anybody?

Just want to make sure it's all OK before it goes live.

The only directory you need to look at is the client_area/ part; that's where all the forms are and places for people to tamper.

Thanks for any help.


They're not.

The only part I'm concerned about is the client_area section, because that has all of the forms and URL vars that can be tampered with, not any other part.

The links will only work when you get into the client_center because they change.

Thanks.
