website security

[jagguy]

Hi,

 

Could someone please check my website for security. I didn't know whether to post here or website critique area. I just need security checked before i worry about a thorough critique.

 

log 123456

pwd 123456

 

http://jagguy.ej.am/school/test/home.php

[teng84]

it keeps onloading no output

[jagguy]

?????????

 

I just click or copy and paste and it comes up fine. Maybe your connection is dodgy, is it wireless?

[Azu]

Looks fine for me but I can't find the login page.

 

And it says I am using windows server 2003 but I am not, I am using windows xp 64bit.

 

 

Oh I found the login button.. for some reason it says "logout" even though I am not logged in.

 

And when I try to log in it prints some text over the submit button. Hard to read what it says.

[jagguy]

Hi,

Thanks for the tests.

 

The OS is just bolier plate code which i will paste. It says logout because i haven't got the global vars set yet.

 

Now when loggin in I fixed trhe error msg.

   function get_os_($user_agent)
{
$oses = array (
	'Windows 3.11' => 'Win16',
	'Windows 95' => '(Windows 95)|(Win95)|(Windows_95)',
	'Windows 98' => '(Windows 98)|(Win98)',
	'Windows 2000' => '(Windows NT 5.0)|(Windows 2000)',
	'Windows XP' => '(Windows NT 5.1)|(Windows XP)',
	'Windows 2003' => '(Windows NT 5.2)',
	'Windows NT 4.0' => '(Windows NT 4.0)|(WinNT4.0)|(WinNT)|(Windows NT)',
	'Windows ME' => 'Windows ME',
	'Open BSD'=>'OpenBSD',
	'Sun OS'=>'SunOS',
	'Linux'=>'(Linux)|(X11)',
	'Macintosh'=>'(Mac_PowerPC)|(Macintosh)',
	'QNX'=>'QNX',
	'BeOS'=>'BeOS',
	'OS/2'=>'OS/2',
	'Search Bot'=>'(nuhk)|(Googlebot)|(Yammybot)|(Openbot)|(Slurp/cat)|(msnbot)|(ia_archiver)'
);

foreach($oses as $os=>$pattern)
{
	if (eregi($pattern, $user_agent))
		return $os;
}
return 'Unknown';
}

//   echo "<br><br>Your operating system is : ";
//   echo get_os_($_SERVER['HTTP_USER_AGENT']);

   echo "<td width='150'  ><b>Your operating system is  </b>".get_os_($_SERVER['HTTP_USER_AGENT'])." </td>";
   

[BillyBoB]

You have a full address problem:

http://jagguy.ej.am/school/test/sviewInbox.php

Notice: Undefined variable: viewall in /home/jagguy/public_html/school/test/sviewInbox.php on line 57

This gives me a username and allows a hacker to bruteforce.

[source]

1) Messages are vulnerable to code... while you think you're smart because you check it, you check it with javascript. which is teh ultimate fail.

 

 

http://jagguy.ej.am/school/test/download2.php?file=../&path=files

 

download any file on the site eh?

[jagguy]

I fixed up those pesky error  with all variable.

 

Now this  problem. I haven't made the files to download secured yet as i was confused as how to do this with code. I don't understabd what you are saying below. Could you give me more and tell me wht i need to do to fix?

 

>while you think you're smart because you check it, you check it with javascript. >which is teh ultimate fail.

 

[agentsteal]

Admin Access:

The SQL Dump contains your password.

 

Admin Access:

You can upload any file onto the server.

 

Cross Site Scripting:

There is Cross Site Scripting when you upload a file if the filename contains code.

 

Cross Site Scripting:

There is Cross Site Scripting in the admin messages.

 

Cross Site Scripting:

There is Cross Site Scripting when you register if the fields contain code.

 

Full Path Disclosure:

http://jagguy.ej.am/school/test/upfile2.php

Warning: Cannot modify header information - headers already sent by (output started at /home/jagguy/public_html/school/test/upfile2.php:11) in /home/jagguy/public_html/school/test/upfile2.php on line 25

 

Full Path Disclosure:

There is Full Path Disclosure on multiple pages in http://jagguy.ej.am/school/test/.

 

Includes Directory:

http://jagguy.ej.am/school/test/

 

Includes Directory:

http://jagguy.ej.am/school/test/student_files/

 

PHP Source Code Disclosure:

http://jagguy.ej.am/school/test/

 

SQL Dump:

http://jagguy.ej.am/school/test/db/

 

You can upload any file if the filename contains .txt.

[jagguy]

How do i block this so only i can view it?

http://jagguy.ej.am/school/test/

 

change chmod 700 but then i can't view it.

i tried 711 and then you  cant view file listing.

 

What chmod do i need and do i need to change anything to do with chmod in the php code?

[jagguy]

Hi,

 

what the index pages are blocked and what error specifically. If someone turns of JS what happens then. The code doesn't come up with errors.

The other dir have been deleted as i was going to do after testing but did it now.

All this is minor work but i need to know what to fix rather than 'needs work'.

[source]

uhh turn off JS and send a message, the code shows.

 

I don't have time to mess with it that much becuase I know when I view the source I see the tag <small> and <marquee> in there.

[MemphiS]

You seriously need to fix your download2.php

 

I can specify files to download off your server...

[source]

roflmao @ agentsteal being marquee'd acrost stude_files!!!

 

[Azu]

Haxed!

[jagguy]

Warning: mysql_connect() [function.mysql-connect]: Too many connections in /home/jagguy/public_html/school/test/dbconnect.php on line 7

Could not connect: Too many connections

 

on my pc i have this so what can i change to allow many connections?

 

  $link = mysql_connect("localhost", "root", " ")or die("Could not connect: " . mysql_error());

   

[jagguy]

1)lets go back to the file permissions as i dont know what to do here.

 

To stop an index file being created i do what?

 

I have chmod 711 as it wont work unless i give worl execute permissions so I have no idea what i need to keep it safe.

 

2)I made a php check on data if JS is turned off so

>When you register if you put code in the fields the code runs on multiple pages.?

 

I dont get the error here.

 

3)

>You seriously need to fix your download2.php

I can specify files to download off your server

 

the idea is to be able to allow downloads of files so what is the error?

 

4)

When the admin sends a message the fields are vulnerable to XSS.

I have removed quotes and and used mysql escape thing so what else do i need to do?

 

[source]

strip_tags

 

 

jagguy:

 

what I meant is exactly what I said I can download any file off of your server.

 

Does this look firmiliar?

 

<?php

 

error_reporting(E_ALL);

    // some basic sanity checks

 

        //connect to the db

        $link = mysql_connect("localhost", "jagguy_***edited****", "")or die("Could not connect: " . mysql_error());

        // select our database

        mysql_select_db("jagguy_school") or die(mysql_error());

?>

 

 

??

 

wow, running mysql with no password.

 

 

as I said I can download any file off of your server

 

ANY FILE. admin.php login2.php login.php sviewOutbox.php

[jagguy]

well some one here or at dev shed has hacked into my site and deleted the passwords. Also i can't view any files in file manager although they exist on the site. I hope the site is at fault and no one has mucked up all the file views somehow.

 

So this hasn't been a good experience .

[jagguy]

i cant download any files as a download (as told here).

 

I have chmod 711 on the dir and how else can i stop people getting my source code.

[source]

secure your download file thing, make it so it checks what dir the file/s being downloaded from (as in, if they are downloading a file not from that dir die;)

[jagguy]

Ok it is back so please check security but dont intentionally wreck it.

Tell me of any problems and i will fix it.

Many things were added.

 

http://jagguy.ej.am/school/test/home.php

[BillyBoB]

you have full path disclosure Notice: Undefined index: uid in /home/jagguy/public_html/school/test/home.php on line 30 on home.php

 

[source]

directory /home/test/ is still viewable...

 

 

[jagguy]

i have people uploading php files and I haveaJS check and php  script check for file ext with php.

 

I cant replicate this so i dont know how to fix this problem.