I updated my scripts a lot to try to add to security and was hoping you guys could see if you can exploit it/find any other problems with it now:

http://speaker219.ath.cx:8080/

There are a couple of things to try there.

Thanks, and please let me know if you find any problems.

Array:

http://speaker219.ath.cx:8080/message/send.php?hand[]

 

Cross Site Scripting:

http://speaker219.ath.cx:8080/message/send.php?hand=<marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://speaker219.ath.cx:8080/message/test.php?ip=1.1.1.1&hand="><marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

There is Cross Site Scripting if you submit a message that contains code.

 

Cross Site Scripting:

There is Cross Site Scripting if you submit a note that contains </textarea>code.

 

Cross Site Scripting:

There is Cross Site Scripting if your password contains code.

 

Cross Site Scripting:

There is Cross Site Scripting if your username contains code.

 

Directory Traversal:

You can make txt files in any directory by registering with the username set to ../filename.

 

Full Path Disclosure:

http://speaker219.ath.cx:8080/login/database.php

Warning: mysql_connect() [function.mysql-connect]: Can't connect to local MySQL server through socket '/opt/lampp/var/mysql/mysql.sock' (2) in /opt/lampp/htdocs/login/database.php on line 2

Can't connect to local MySQL server through socket '/opt/lampp/var/mysql/mysql.sock' (2)

 

Full Path Disclosure:

http://speaker219.ath.cx:8080/login/register.php

Warning: mysql_connect() [function.mysql-connect]: Can't connect to local MySQL server through socket '/opt/lampp/var/mysql/mysql.sock' (2) in /opt/lampp/htdocs/login/database.php on line 2

Can't connect to local MySQL server through socket '/opt/lampp/var/mysql/mysql.sock' (2)

 

Full Path Disclosure:

There is Full Path Disclosure on the admin page.

Warning: fopen(/opt/lampp/htdocs/message/passys/a.txt) [function.fopen]: failed to open stream: No such file or directory in /opt/lampp/htdocs/message/admin.php on line 15

 

Warning: filesize() [function.filesize]: stat failed for /opt/lampp/htdocs/message/passys/a.txt in /opt/lampp/htdocs/message/admin.php on line 16

 

Warning: fread(): supplied argument is not a valid stream resource in /opt/lampp/htdocs/message/admin.php on line 16

 

Warning: fclose(): supplied argument is not a valid stream resource in /opt/lampp/htdocs/message/admin.php on line 17

 

Full Path Disclosure:

There is Full Path Disclosure when you register.

Fatal error: Call to undefined function regex() in /opt/lampp/htdocs/message/index.php on line 14

 

Log:

http://speaker219.ath.cx:8080/message/admin.txt

 

Multiple users can register the same username.

 

PHP Source Code Disclosure:

http://speaker219.ath.cx:8080/message/index.php~

 

You can make txt files in http://speaker219.ath.cx:8080/message/passys/ by registering with the username set to the filename.

 

You shouldn't put the password in the URL.

 

You shouldn't put the username in the URL.

When you log in the pages have your password as a parameter.
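The findings above share three root causes: a query parameter that may arrive as an array (`hand[]`), user input echoed into HTML without encoding for the context it lands in (body text, a double-quoted attribute, and `<textarea>` content), and PHP warnings printed to the page. The block below is an added example, not the site's own code, showing the defender-side fix for each; the function names `readStringParam`, `h` and `renderHandForm` and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example (not the reviewed site's code): type-check the input,
// encode at output for the HTML context, and keep PHP errors in the log
// instead of the page. Function names are assumptions for illustration.
declare(strict_types=1);

// The warnings quoted in this thread reach the browser only because
// display_errors is on; in production log them instead of showing them.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Fetch a query parameter as a string. A request like ?hand[] arrives as
// an array and would otherwise be handed to string functions.
function readStringParam(array $source, string $key): string
{
    $value = $source[$key] ?? '';
    return is_string($value) ? $value : '';
}

// Encode for HTML body text or a double-quoted attribute value.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Render the value in the three places the findings list: body text, an
// attribute value and textarea content. Every one goes through h(), so the
// probe's <, >, " and ' become entities and cannot close the context.
function renderHandForm(string $hand): string
{
    return '<p>Hand: ' . h($hand) . '</p>' . "\n"
         . '<input type="text" name="hand" value="' . h($hand) . '">' . "\n"
         . '<textarea name="note">' . h($hand) . '</textarea>' . "\n";
}

// True when the raw probe string survived encoding (self-check below).
function containsRawMarkup(string $html, string $probe): bool
{
    return strpos($html, $probe) !== false;
}

// Constructed inputs that mirror the probes reported in the thread.
$samples = [
    ['hand' => ['injected']],                          // ?hand[] array probe
    ['hand' => '<marquee><h1>vulnerable</marquee>'],
    ['hand' => '"><marquee><h1>vulnerable</marquee>'],
    ['hand' => '</textarea><script>alert(1)</script>'],
];

foreach ($samples as $query) {
    $hand   = readStringParam($query, 'hand');
    $html   = renderHandForm($hand);
    $leaked = is_string($query['hand']) && containsRawMarkup($html, $query['hand']);
    printf("%s\n%s\n", $leaked ? 'RAW MARKUP LEAKED' : 'encoded ok', $html);
}
```

Encoding happens at output rather than when the value is stored, so the same stored string is safe in each context it is later written to; the `display_errors` setting is what turns the full-path-disclosure warnings into log lines instead of page content.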

I know, that's currently the way it is. I'm fixing that now, but on the sign-up page it says:

"NOTE Do NOT USE AN IMPORTANT PASSWORD WHEN SIGNING UP. CURRENTLY, passwords are sent UNENCRYPTED and although it is highly unlikely, may be seen by third parties. Soon, your passwords WILL be encrypted while logging in/signing up, but this is currently an early beta so it is not yet supported"

I'm fixing that now.

The ip address of the messages is wrong.

The IPs are currently all showing up as 192.168.0.1 because of a port forwarding setup that I currently have. I don't know if there's any way to bypass that. I know that's all it is because it works when hosted on an external server.

 

Warning: fopen(passys/<script>alert(\'you are vunerable\');</scri[t>.txt) [function.fopen]: failed to open stream: No such file or directory in /opt/lampp/htdocs/message/index.php on line 26

 

Warning: fwrite(): supplied argument is not a valid stream resource in /opt/lampp/htdocs/message/index.php on line 27

 

Warning: fclose(): supplied argument is not a valid stream resource in /opt/lampp/htdocs/message/index.php on line 28

 

 

Not a good idea: although you do have the .txt function, it still can leave you open to a clever person. I would suggest you filter out the username before you call fopen on it.

 

http://speaker219.ath.cx:8080/message/passys/index.php.txt

 

And now I have the password for that username.

 

That was about all I could test right then.


I fixed it now so the passwords cannot be accessed. I'm also moving over to MySQL, so it should be much better.

http://speaker219.ath.cx:8080/message/passys/

http://speaker219.ath.cx:8080/message/passys/test.txt

http://speaker219.ath.cx:8080/message/passys/index.php.txt

They cannot be accessed anymore.

 

Yes but here's a serious problem: if you make the username ../../whatever you can make text files in the main directory.

I think I fixed that, can you try it again?

It should be totally fixed because I added validation on the signup by using the function ctype_alnum, which tells me if the string has anything other than letters or numbers (http://us3.php.net/manual/en/function.ctype-alnum.php).

So I used this code:

// ctype_alnum() returns a bool, so test it directly rather than comparing with != 1
if (!ctype_alnum($a)) {
    die('Name validation failed. Usernames can only contain letters and/or numbers. Please try again.');
}

By the way here is how I am trying to catch and filter input, does this look alright?

 

$c_name = cleanVars(mysql_real_escape_string($_POST["c_name"]));

 

cleanVars is a function that does a string replace on the input, sort of like htmlspecialchars or entities, minus the fact that there are quite a few entities that I want to leave.
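The following is an added example, not the author's code, covering both the ctype_alnum signup check above and the earlier `../../whatever` traversal finding: it tightens the username rule to an explicit ASCII alphanumeric pattern with a length bound, rejects non-string input, and then confines the resulting file path to the `passys/` directory with a prefix check so a traversal name can never reach `fopen` even if the validator is later loosened. The names `validateUsername`, `passysPathFor` and `USERNAME_PATTERN`, the demo directory, and the sample names are assumptions for illustration.

```php
<?php
// Added example (not the author's code): strict username validation plus
// path confinement for the per-user passys/<name>.txt file.
// Names and sample inputs are assumptions for illustration.
declare(strict_types=1);

// ASCII letters and digits only, 3 to 20 characters. ctype_alnum() depends
// on the current locale and sets no length limit; an explicit pattern does
// both. \A and \z anchor the whole string ($ alone would allow a trailing
// newline through).
const USERNAME_PATTERN = '/\A[A-Za-z0-9]{3,20}\z/';

function validateUsername($username): bool
{
    // Reject arrays (the ?hand[] style probe) and anything non-string.
    if (!is_string($username)) {
        return false;
    }
    return preg_match(USERNAME_PATTERN, $username) === 1;
}

// Build the per-user file path and prove it lies inside $baseDir.
// Returns null for any name that fails validation or escapes the directory.
function passysPathFor(string $baseDir, string $username): ?string
{
    if (!validateUsername($username)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                 // base directory must already exist
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $username . '.txt';
    // Defence in depth: a validated name contains no '/' or '.', but the
    // prefix check keeps a future validator change from reintroducing the
    // ../../whatever write reported in the thread.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// Constructed demo directory and probes taken from the thread.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'passys_demo';
if (!is_dir($base)) {
    mkdir($base, 0700);
}

foreach (['alice', '../filename', '../../whatever', 'index.php', 'a b', ''] as $name) {
    $path = passysPathFor($base, $name);
    printf("%-20s -> %s\n", var_export($name, true), $path ?? 'rejected');
}
```

On the `cleanVars(mysql_real_escape_string($_POST["c_name"]))` line: each kind of escaping belongs at its own sink. SQL escaping is for the query, and prepared statements (PDO or mysqli with bound parameters) make it unnecessary at input time; HTML encoding belongs at output, as with htmlspecialchars. Applying both to the value before storing it changes what is stored and still leaves other sinks, such as the fopen path here, unprotected, which is why the example validates the name against a whitelist and then checks the path separately. Note also that mysql_real_escape_string requires an open connection (it fails when mysql_connect fails, as in the warnings quoted earlier) and that the mysql extension was removed in PHP 7.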
