
Test my site for security holes/try to hack it :P



Array:

http://speaker219.ath.cx:8080/message/send.php?hand[]

 

Cross Site Scripting:

http://speaker219.ath.cx:8080/message/send.php?hand=<marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://speaker219.ath.cx:8080/message/test.php?ip=1.1.1.1&hand="><marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

There is Cross Site Scripting if you submit a message that contains code.

 

Cross Site Scripting:

There is Cross Site Scripting if you submit a note that contains </textarea>code.

 

Cross Site Scripting:

There is Cross Site Scripting if your password contains code.

 

Cross Site Scripting:

There is Cross Site Scripting if your username contains code.

 

Directory Traversal:

You can make txt files in any directory by registering with the username set to ../filename.

 

Full Path Disclosure:

http://speaker219.ath.cx:8080/login/database.php

Warning: mysql_connect() [function.mysql-connect]: Can't connect to local MySQL server through socket '/opt/lampp/var/mysql/mysql.sock' (2) in /opt/lampp/htdocs/login/database.php on line 2

Can't connect to local MySQL server through socket '/opt/lampp/var/mysql/mysql.sock' (2)

 

Full Path Disclosure:

http://speaker219.ath.cx:8080/login/register.php

Warning: mysql_connect() [function.mysql-connect]: Can't connect to local MySQL server through socket '/opt/lampp/var/mysql/mysql.sock' (2) in /opt/lampp/htdocs/login/database.php on line 2

Can't connect to local MySQL server through socket '/opt/lampp/var/mysql/mysql.sock' (2)

 

Full Path Disclosure:

There is Full Path Disclosure on the admin page.

Warning: fopen(/opt/lampp/htdocs/message/passys/a.txt) [function.fopen]: failed to open stream: No such file or directory in /opt/lampp/htdocs/message/admin.php on line 15

 

Warning: filesize() [function.filesize]: stat failed for /opt/lampp/htdocs/message/passys/a.txt in /opt/lampp/htdocs/message/admin.php on line 16

 

Warning: fread(): supplied argument is not a valid stream resource in /opt/lampp/htdocs/message/admin.php on line 16

 

Warning: fclose(): supplied argument is not a valid stream resource in /opt/lampp/htdocs/message/admin.php on line 17

 

Full Path Disclosure:

There is Full Path Disclosure when you register.

Fatal error: Call to undefined function regex() in /opt/lampp/htdocs/message/index.php on line 14

 

Log:

http://speaker219.ath.cx:8080/message/admin.txt

 

Multiple users can register the same username.

 

PHP Source Code Disclosure:

http://speaker219.ath.cx:8080/message/index.php~

 

You can make txt files in http://speaker219.ath.cx:8080/message/passys/ by registering with the username set to the filename.

 

You shouldn't put the password in the URL.

 

You shouldn't put the username in the URL.


When you log in the pages have your password as a parameter.

I know, that's currently the way it is. I'm fixing that now, but on the sign-up page it says:

"NOTE Do NOT USE AN IMPORTANT PASSWORD WHEN SIGNING UP. CURRENTLY, passwords are sent UNENCRYPTED and although it is highly unlikely, may be seen by third parties. Soon, your passwords WILL be encrypted while logging in/signing up, but this is currently an early beta so it is not yet supported"

I'm fixing that now.


The messages are vulnerable to Cross Site Scripting. If you send a message with code in it, the code runs on the messages page.

Fixed edit: only for new messages ;D

You need to re-sign up as I had to do something to the signup page.


The ip address of the messages is wrong.

The IPs are currently all showing up as 192.168.0.1 because of a port forwarding setup that I currently have. I don't know if there's any way to bypass that. I know that's all it is because it works when hosted on an external server.


 

Warning: fopen(passys/<script>alert(\'you are vunerable\');</scri[t>.txt) [function.fopen]: failed to open stream: No such file or directory in /opt/lampp/htdocs/message/index.php on line 26

 

Warning: fwrite(): supplied argument is not a valid stream resource in /opt/lampp/htdocs/message/index.php on line 27

 

Warning: fclose(): supplied argument is not a valid stream resource in /opt/lampp/htdocs/message/index.php on line 28

 

 

Not a good idea: although you do have the .txt function, it still can leave you open to a clever person. I would suggest you filter out the username before you call fopen on it.

 

http://speaker219.ath.cx:8080/message/passys/index.php.txt

 

And now I have the password for that username.

 

That was about all I could test right then.



I fixed it now so the passwords cannot be accessed; I'm also moving over to MySQL so it should be much better.

http://speaker219.ath.cx:8080/message/passys/

http://speaker219.ath.cx:8080/message/passys/test.txt

http://speaker219.ath.cx:8080/message/passys/index.php.txt

They cannot be accessed anymore.



Yes but here's a serious problem: if you make the username ../../whatever you can make text files in the main directory.

I think I fixed that, can you try it again?


It should be totally fixed because I added validation on the signup by using the function ctype_alnum, which tells me if the string has anything other than letters or numbers (http://us3.php.net/manual/en/function.ctype-alnum.php).

So I used this code:

// $a is the username string submitted on the signup form
if (!ctype_alnum($a)) {
    die('Name validation failed. Usernames can only contain letters and/or numbers. Please try again.');
}


By the way here is how I am trying to catch and filter input, does this look alright?

 

$c_name = cleanVars(mysql_real_escape_string($_POST["c_name"]));

 

cleanVars is a function that does string replace on the input, sort of like htmlspecialchars or HTML entities, minus the fact that there are quite a few entities that I want to leave.
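An added example (not the site's own code) covering both the ctype_alnum username check and the cleanVars question: it validates the username before it becomes a file name, confirms the resulting path resolved inside passys/, and escapes HTML output with htmlspecialchars() so `<script>` or `</textarea>` in a note or username renders as text. The passys/ directory and the c_name field come from the thread; the function names and the 32-character limit are assumptions.

```php
<?php
// Added example, not the site's own code. Assumes user records are stored as
// passys/<username>.txt next to this script and that the form field is c_name.

const PASSYS_DIR = __DIR__ . '/passys';

// Returns the validated username, or null when it must be rejected.
function validateUsername($raw): ?string
{
    // Cast first: ctype_alnum() is only defined for strings, and the empty
    // string must fail too (it would otherwise name the file ".txt").
    $name = (string) $raw;
    if ($name === '' || strlen($name) > 32 || !ctype_alnum($name)) {
        return null;
    }
    return $name;
}

// Builds the record path and checks that it resolved inside PASSYS_DIR, so a
// later validation mistake still cannot write to ../ locations.
function recordPath(string $name): ?string
{
    $base = realpath(PASSYS_DIR);
    $path = PASSYS_DIR . '/' . $name . '.txt';
    // Check the parent directory; the file itself may not exist yet.
    $parent = realpath(dirname($path));
    if ($base === false || $parent === false || $parent !== $base) {
        return null;
    }
    return $path;
}

// HTML-context escaping: use htmlspecialchars() rather than a home-grown
// cleanVars(); SQL escaping (or prepared statements) is a separate step that
// belongs at the query, not mixed into the same input filter.
function htmlSafe(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$name = validateUsername($_POST['c_name'] ?? '');
if ($name === null) {
    die('Name validation failed. Usernames can only contain letters and/or numbers.');
}
$path = recordPath($name);
if ($path === null) {
    die('Record path is outside the passys directory.');
}
// Any "<", ">", quotes or "</textarea>" in the name is rendered as literal text.
echo 'Welcome, ' . htmlSafe($name);
```

Escaping on output (per context) rather than on input is what lets you keep the entities you want stored while still preventing them from executing in the page.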

