
One real estate site...


sinisake


http://www.sinisa.milicevici.com/real_estate/admin/admin.php

 

I know you try to be 1337 and redirect us, but I am 1337'er and use the stop button (or I could have used a program, etc.). So what I am saying is the admin area isn't secure. (Oh, and to prove a point I deleted a user... sorry.)

 

To fix this, just set a $_SESSION['admin'] or something when they log in, and when someone visits the page do a check... for that session == a username, or alternatively make it a field in the table "admin" and add yes next to your username, etc.

 

Also: XSS http://www.sinisa.milicevici.com/real_estate/details.php?id=16

 

 

P.S. On the front page you have a link to http://www.sinisa.milicevici.com/real_estate/faq.php, but it does not exist.

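What the reply above is describing, as an added example written for this thread (not the site's own code): a redirect guard that keeps executing after header(), next to the fixed version with exit and an explicit admin flag that only the login code can set. The users table, its password_hash and is_admin columns, and the file names are assumptions; the login part also rotates the session id, which is the usual counter to session fixation.

```php
<?php
// Added example for this thread; not the site's code. The table and column
// names (users.username, users.password_hash, users.is_admin) are assumptions.
declare(strict_types=1);
session_start();

// How the bypass works: header() only queues a Location header. Unless the
// script exits, PHP keeps running, so the admin HTML and every action after
// the guard are still sent in the body of the 302. Any client that ignores
// the redirect (Stop button, curl -i, an intercepting proxy) gets all of it,
// including side effects such as deleting a user.
function broken_guard(): void
{
    if (empty($_SESSION['username'])) {
        header('Location: login.php');
        // missing: exit;  -> execution continues below as if logged in
    }
}

// Fix 1: exit immediately after the redirect so nothing else runs or is sent.
// Fix 2: check an explicit admin flag, not just "some username is in the
//        session"; a normal member must not reach admin pages either.
function require_admin(): void
{
    if (empty($_SESSION['admin']) || $_SESSION['admin'] !== true) {
        header('Location: login.php', true, 302);
        exit;
    }
}

// login.php side: verify the password, then set the flag from the database and
// rotate the session id so a PHPSESSID chosen by an attacker beforehand
// (session fixation) is never promoted to a logged-in session.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash, is_admin FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);              // new id, old session file destroyed
    $_SESSION['username'] = $username;
    $_SESSION['admin']    = ((int)$row['is_admin'] === 1);
    return true;
}

// Every admin script starts with this call: before any output, before any
// state-changing action. Nothing below it runs for a non-admin.
require_admin();

// ... admin actions (delete user, edit listings, ...) ...
```

The test for the fix is the one the reply used: request the admin page without a session and look at the 302 body (curl -i is enough). A correct guard returns an empty body, and the delete action must live below require_admin(), never above it.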

Admin Access:

Anyone can access the admin panel by preventing the page from redirecting.

 

Cross Site Scripting:

http://sinisa.milicevici.com/cgi-sys/scgiwrap/<marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://sinisa.milicevici.com/phpinfo.php?<script>alert('vulnerable')</script>

 

Cross Site Scripting:

http://sinisa.milicevici.com/real_estate/details.php?id=<marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

There is Cross Site Scripting when you register if the fields contain code.

 

DOS:

http://www.sinisa.milicevici.com/real_estate/admin/admin.php/

 

Drop Down Menu:

If you edit the drop down menu on the Listing page you can submit arbitrary values.

 

Full Path Disclosure:

http://sinisa.milicevici.com/cgi-sys/scgiwrap/

 

Full Path Disclosure:

http://sinisa.milicevici.com/phpinfo.php

 

Full Path Disclosure:

http://sinisa.milicevici.com/real_estate/details.php?id[]

 

Full Path Disclosure:

http://sinisa.milicevici.com/real_estate/members/feature_it.php?id[]

 

Full Path Disclosure:

http://sinisa.milicevici.com/real_estate/members/pictures_edit.php?id[]

Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /home/zoranm/public_html/sinisa/real_estate/members/pictures_edit.php on line 75

 

Full Path Disclosure:

There is Full Path Disclosure if you set the PHPSESSID cookie to an invalid value.

Warning: session_start(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9 in /home/zoranm/public_html/sinisa/real_estate/admin/index.php on line 2

 

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /home/zoranm/public_html/sinisa/real_estate/admin/index.php:2) in /home/zoranm/public_html/sinisa/real_estate/admin/index.php on line 2

 

Warning: Unknown(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9 in Unknown on line 0

 

Warning: Unknown(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in Unknown on line 0

 

Full Path Disclosure:

There is Full Path Disclosure if you upload an invalid image.

Warning: imagecreatefromjpeg(): gd-jpeg: JPEG library reports unrecoverable error: in /home/zoranm/public_html/sinisa/real_estate/members/pictures.php on line 137

 

Warning: imagecreatefromjpeg(): 'uploads/big/invalid.jpg' is not a valid JPEG file in /home/zoranm/public_html/sinisa/real_estate/members/pictures.php on line 137

 

Warning: imagesx(): supplied argument is not a valid Image resource in /home/zoranm/public_html/sinisa/real_estate/members/pictures.php on line 145

 

Warning: imagesy(): supplied argument is not a valid Image resource in /home/zoranm/public_html/sinisa/real_estate/members/pictures.php on line 146

 

Warning: Division by zero in /home/zoranm/public_html/sinisa/real_estate/members/pictures.php on line 150

 

Warning: imagecreatetruecolor(): Invalid image dimensions in /home/zoranm/public_html/sinisa/real_estate/members/pictures.php on line 151

 

Full Path Disclosure:

There is Full Path Disclosure on the admin page.

 

User Enumeration:

http://sinisa.milicevici.com/~root

 

User Enumeration:

http://sinisa.milicevici.com/~zoranm

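The Full Path Disclosure and invalid-upload findings above all come from the same two things: PHP warnings being rendered into the response, and GD return values not being checked. Added example for this thread, not the site's code (PHP 7.1+; the log path, the upload field name and the id parameter name are assumptions): errors go to a log instead of the page, a malformed PHPSESSID is dropped before session_start(), an array submitted as id[] is rejected instead of being passed to a string function, and an invalid JPEG is refused before imagesx() and the division by zero ever run.

```php
<?php
// Added example for this thread; not the site's code. The log location and
// the form field names are assumptions.
declare(strict_types=1);

// Full Path Disclosure: each warning quoted above is PHP writing its error
// text (with the absolute path) into the HTML. The fix is not to silence
// errors but to keep them out of the response: log them, show nothing.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', __DIR__ . '/../logs/php-error.log');  // outside the web root (assumed layout)
error_reporting(E_ALL);

// Invalid PHPSESSID: refuse a malformed id before session_start() so the
// session handler never sees it (the source of the "invalid characters" and
// "Failed to write session data" warnings). Strict mode additionally makes PHP
// reject any id it did not generate itself, which also blocks fixation.
ini_set('session.use_strict_mode', '1');
if (isset($_COOKIE['PHPSESSID']) && !preg_match('/^[A-Za-z0-9,-]{1,128}$/', $_COOKIE['PHPSESSID'])) {
    setcookie('PHPSESSID', '', time() - 3600, '/');
    unset($_COOKIE['PHPSESSID']);
}
session_start();

// id[] -> "expects parameter 1 to be string, array given": any query parameter
// can be an array if the client says so. Check the type before using it.
function int_param(string $name): ?int
{
    $value = $_GET[$name] ?? null;
    if (!is_string($value) || !ctype_digit($value) || strlen($value) > 10) {
        return null;
    }
    return (int)$value;
}

// Invalid image upload: confirm the file really is a JPEG before calling GD,
// and check imagecreatefromjpeg()'s return value, which is false on failure.
// Every later warning in the quoted list (imagesx, imagesy, division by zero,
// imagecreatetruecolor) follows from treating that false as an image.
// Returns a GD image (resource, or GdImage on PHP 8) or null.
function load_uploaded_jpeg(string $tmpPath)
{
    $info = getimagesize($tmpPath);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return null;
    }
    $img = imagecreatefromjpeg($tmpPath);
    if ($img === false) {
        return null;
    }
    if (imagesx($img) === 0 || imagesy($img) === 0) {   // guards the resize ratio
        imagedestroy($img);
        return null;
    }
    return $img;
}

// Usage on a page such as pictures_edit.php:
$id = int_param('id');
if ($id === null) {
    http_response_code(404);
    exit;
}
if (isset($_FILES['picture']) && $_FILES['picture']['error'] === UPLOAD_ERR_OK) {
    $img = load_uploaded_jpeg($_FILES['picture']['tmp_name']);
    if ($img === null) {
        http_response_code(400);
        exit('Not a valid JPEG file.');
    }
    // ... resize and save $img ...
}
```

The quick check after deploying this is to repeat the probes from the list (id[], a PHPSESSID of "../", a text file renamed .jpg) and confirm the response carries no "Warning:" text; the warnings should now appear only in the log file.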

Ok, guys, you are good and FAST.

Please let me know how to solve this big problem.

Also, one(?) field in the form for adding properties wasn't secure... I will see...

Thank you very much, but now I am desperate :'(

So, what to do, just put die(); instead of the redirection?

Thank you very much!


:)

Lol,

Just tell me how to solve the cookie rewriting problem? (Just remove error reporting, or???)

And I can't even see cgi-sys wrap in the FTP client??? (I don't understand?)

 

Thank you very much, useful experience,

But i'll be back :-)

 


Ok...

The solution would be... hm... I don't know, I can't think anymore... :'(

 

Btw, it is obvious that I will need much more than:

 

$var = strip_tags($var);

$var = mysql_real_escape_string($var);

 

:-)

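Why strip_tags() plus mysql_real_escape_string() is not enough, and what replaces it, as an added example for this thread (not the site's code; the properties table, its columns and the property-type list are assumptions). Each context gets its own treatment: bound parameters for SQL, htmlspecialchars() at the point of output for HTML, and a server-side list check for the Listing page drop-down that the earlier post showed accepting arbitrary values. It also covers the details.php?id= XSS by validating the id instead of echoing it back.

```php
<?php
// Added example for this thread; not the site's code. Table/column names and
// the allowed property types are assumptions.
declare(strict_types=1);

// 1. SQL: do not escape into the query text, bind parameters. ext/mysql
//    (mysql_real_escape_string) was removed in PHP 7.0; PDO or mysqli
//    prepared statements replace it, and the value never becomes part of
//    the SQL grammar in the first place.
function fetch_property(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, title, description, type FROM properties WHERE id = ?');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2. HTML: escape where the value is written into the page, for that context.
//    strip_tags() at input is lossy and not a defence: a payload in a URL
//    parameter (details.php?id=<marquee>) is reflected before any stored
//    data is involved, and escaping data once at input breaks it for every
//    other context (SQL, JSON, mail) it later reaches.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. Choice fields: the browser's <select> is not a validator. Re-check the
//    posted value against the same list the server rendered.
const PROPERTY_TYPES = ['house', 'apartment', 'land', 'commercial'];

function valid_property_type(string $type): bool
{
    return in_array($type, PROPERTY_TYPES, true);
}

function save_listing(PDO $db, array $post): bool
{
    $title = $post['title'] ?? null;
    $desc  = $post['description'] ?? null;
    $type  = $post['type'] ?? null;
    if (!is_string($title) || !is_string($desc) || !is_string($type)) {
        return false;                       // arrays (title[]) are not strings
    }
    if (!valid_property_type($type)) {
        return false;                       // value outside the drop-down list
    }
    $stmt = $db->prepare('INSERT INTO properties (title, description, type) VALUES (?, ?, ?)');
    return $stmt->execute([$title, $desc, $type]);   // raw data stored, nothing pre-escaped
}

// 4. details.php: validate first, query with a bound parameter, encode on
//    output. filter_var() returns false for arrays (id[]) and non-integers,
//    so an invalid id produces a 404 rather than an echo of the raw input.
function render_details(PDO $db): string
{
    $id = filter_var($_GET['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $row = $id === false ? null : fetch_property($db, $id);
    if ($row === null) {
        http_response_code(404);
        return '<p>Property not found.</p>';
    }
    return '<h1>' . h($row['title']) . '</h1>'
         . '<p class="type">' . h($row['type']) . '</p>'
         . '<div>' . nl2br(h($row['description'])) . '</div>';
}
```

The rule of thumb this implements: store what the user sent, and make the escaping decision at each sink (SQL driver, HTML encoder, list check) rather than once at the input. That is why the registration-form XSS in the earlier list appears even though "all fields are protected" on the way in: the protection has to be on the way out.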

Uuuh...ok one thing isn't clear to me:

1) How was the XSS successful? I had the feeling that all fields were protected. ???

Also, those things about cookie rewriting...

 

I think that I removed most of the security holes (I thought so the first time too, lol)

 


Ok,

let's try again...

I hope that now just the Session Fixation problem is left (I am not familiar with this problem, I must read some things about it...)

:D

 

Of course, I know, you will find something more... :)

 

 


I didn't find anything (though I didn't look very hard this time; I will again later, busy with my own site)...

 

One of the MOST annoying things was the "real" email thing: you lose all data if you don't enter a real email... >:(

 

and have to re-type to test it.

