speaker219 Posted August 5, 2007
http://speaker219.ath.cx:8080/ Can you guys test out the stuff there?
Link to comment https://forums.phpfreaks.com/topic/63441-some-stuff-to-test-for-exploitsetc/
php_tom Posted August 10, 2007
Um, your link is dead...
speaker219 Posted August 10, 2007 (Author)
Hm, seems to be working for me. Might've had a little downtime due to a power outage.
php_tom Posted August 10, 2007
Firefox can't establish a connection to the server at speaker219.ath.cx:8080.
speaker219 Posted August 10, 2007 (Author)
Back up again; there have been tons of power outages lately. Stupid power company... excuses, excuses.
php_tom Posted August 10, 2007
Seems ok. I security tested some of the apps (though not super thoroughly) and they're good. Only, why do you have a full directory listing script up there?!?!?!?!? Not that I could find anything sensitive, but still...
speaker219 Posted August 11, 2007 (Author)
> Seems ok. I security tested some of the apps (though not super thoroughly) and they're good. Only, why do you have a full directory listing script up there?!?!?!?!? Not that I could find anything sensitive, but still...

Gah, I have nothing to hide, and there's some stuff for people to just look around through, nothing dangerous.
mattd8752 Posted August 18, 2007
Down again.
speaker219 Posted August 21, 2007 (Author)
It's now on a dedicated server, enjoy. Total uptime now has been >2 days and it should stay up.
ILYAS415 Posted August 22, 2007
http://speaker219.ath.cx:8080/RSS-Reader.php?q=noone

Warning: DOMDocument::load() [function.DOMDocument-load]: Empty string supplied as input in D:\xampplite\htdocs\RSS-Reader.php on line 19
Fatal error: Call to a member function getElementsByTagName() on a non-object in D:\xampplite\htdocs\RSS-Reader.php on line 23
source Posted August 23, 2007
http://speaker219.ath.cx:8080/URL-Encoder/test.php xss
agentsteal Posted August 23, 2007
Admin Access: You can view and edit the site's source code through the Directory Traversal in the notes script.

Array: http://speaker219.ath.cx:8080/blog/index.php?waka[]
Array: http://speaker219.ath.cx:8080/blog/test.node?text[]
Array: http://speaker219.ath.cx:8080/Chat/history.php?log[]

Cross Site Scripting: http://speaker219.ath.cx:8080/blog/index.php?waka=<marquee><h1>vulnerable</marquee>
Cross Site Scripting: http://speaker219.ath.cx:8080/blog/test.node?text=<marquee><h1>vulnerable</marquee>
Cross Site Scripting: There is Cross Site Scripting if you submit a note that contains </textarea>code.
Cross Site Scripting: There is Cross Site Scripting on http://speaker219.ath.cx:8080/URL-Encoder/test.php if the URL field contains code.

Directory Traversal: http://speaker219.ath.cx:8080/Chat/history.php?log=1/../../../vulnerable
Directory Traversal: http://speaker219.ath.cx:8080/notes/paste-edit.php?post=../Chat/admincp.php

Full Path Disclosure: http://speaker219.ath.cx:8080/Chat/preferences.php
    Fatal error: Class 'FileStorage' not found in D:\xampplite\htdocs\Chat\preferences.php on line 6
Full Path Disclosure: http://speaker219.ath.cx:8080/forum/ajax.php
Full Path Disclosure: http://speaker219.ath.cx:8080/forum/announcement.php
Full Path Disclosure: http://speaker219.ath.cx:8080/forum/calendar.php
Full Path Disclosure: http://speaker219.ath.cx:8080/forum/cron.php
Full Path Disclosure: http://speaker219.ath.cx:8080/forum/editpost.php
Full Path Disclosure: http://speaker219.ath.cx:8080/forum/external.php
Full Path Disclosure: http://speaker219.ath.cx:8080/forum/faq.php
Full Path Disclosure: http://speaker219.ath.cx:8080/forum/forumdisplay.php
Full Path Disclosure: http://speaker219.ath.cx:8080/Pics/lolcats/?id[]
    Fatal error: Unsupported operand types in D:\xampplite\htdocs\Pics\lolcats\index.php on line 11
Full Path Disclosure: http://speaker219.ath.cx:8080/scripts/test.php?txt[]
    Warning: preg_match_all() expects parameter 2 to be string, array given in D:\xampplite\htdocs\scripts\test.php on line 8
    Number of upper case letters:
Full Path Disclosure: http://speaker219.ath.cx:8080/RSS-Reader.php?q=a
    Warning: DOMDocument::load() [function.DOMDocument-load]: Empty string supplied as input in D:\xampplite\htdocs\RSS-Reader.php on line 19
    Fatal error: Call to a member function getElementsByTagName() on a non-object in D:\xampplite\htdocs\RSS-Reader.php on line 23
Full Path Disclosure: http://speaker219.ath.cx:8080/Chat/history.php?log=2'
    Warning: fopen(logs/log.2\'.txt) [function.fopen]: failed to open stream: No such file or directory in D:\xampplite\htdocs\Chat\php\filestorage.class.php on line 12
    Warning: fseek(): supplied argument is not a valid stream resource in D:\xampplite\htdocs\Chat\php\filestorage.class.php on line 53
    Warning: file_get_contents(logs/log.2\'.txt) [function.file-get-contents]: failed to open stream: No such file or directory in D:\xampplite\htdocs\Chat\php\filestorage.class.php on line 55
    Warning: ftruncate(): supplied argument is not a valid stream resource in D:\xampplite\htdocs\Chat\php\filestorage.class.php on line 60
    Warning: fwrite(): supplied argument is not a valid stream resource in D:\xampplite\htdocs\Chat\php\filestorage.class.php on line 61
    Warning: flock() expects parameter 1 to be resource, boolean given in D:\xampplite\htdocs\Chat\php\filestorage.class.php on line 44
    Warning: fclose(): supplied argument is not a valid stream resource in D:\xampplite\htdocs\Chat\php\filestorage.class.php on line 25
Full Path Disclosure: http://speaker219.ath.cx:8080/Chat/cp/bans.php
    Fatal error: Call to undefined function ys() in D:\xampplite\htdocs\Chat\cp\bans.php on line 2
Full Path Disclosure: http://speaker219.ath.cx:8080/notes/paste-edit.php
    Warning: fread(): supplied argument is not a valid stream resource in D:\xampplite\htdocs\notes\paste-edit.php on line 12

PHP Source Code Disclosure: http://speaker219.ath.cx:8080/notes/paste-edit.php?post=../Chat/admincp.php
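The three classes of finding in the report above (array-typed query parameters, reflected markup, and a file name taken straight from the `post` parameter) all come from trusting request input as-is. The following is an added example of the defensive handling a PHP script can apply; it is not code from speaker219's site or from any poster in this thread. The function names, the `notes/` directory and the `.txt` suffix are assumptions, and the sample inputs are constructed from the values quoted in the report.

```php
<?php
// Added example (not the site's own code): defensive handling of the three
// input problems reported above. Function and directory names are assumed.

declare(strict_types=1);

// Return a query parameter only if it is a plain string. A request such as
// ?waka[] makes $_GET['waka'] an array, which preg_match_all() and friends
// reject with a warning (and, with display_errors on, a full path).
function queryString(array $query, string $key, string $default = ''): string
{
    $value = $query[$key] ?? $default;
    return is_string($value) ? $value : $default;
}

// Encode for an HTML body context so reflected input cannot break out of the
// surrounding markup (also closes the </textarea> case from the report when the
// value is echoed inside a textarea).
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Map a user-supplied note id to a file inside $notesDir, or null if it would
// escape. The id is restricted to a safe character set first; the realpath()
// comparison is defence in depth (it also resolves symlinks inside $notesDir).
function resolveNoteFile(string $notesDir, string $postId): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $postId)) {
        return null; // contains "/", "..", quotes, or is empty
    }
    $base = realpath($notesDir);
    if ($base === false) {
        return null; // notes directory missing (assumed location)
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $postId . '.txt');
    if ($path === false) {
        return null; // no such note
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the notes directory
    }
    return $path;
}

// --- demonstration with constructed inputs taken from the report above ---
$samples = [
    ['waka' => ['']],                                // ?waka[]  -> array, not string
    ['waka' => '<marquee><h1>vulnerable</marquee>'], // reflected markup
    ['post' => '../Chat/admincp.php'],               // traversal attempt
    ['post' => 'hello-1'],                           // well-formed id
];

foreach ($samples as $q) {
    $waka = queryString($q, 'waka');
    echo 'waka as HTML: ' . h($waka) . PHP_EOL;

    $post = queryString($q, 'post');
    $file = resolveNoteFile(__DIR__ . '/notes', $post);
    echo 'post ' . var_export($post, true) . ' -> '
        . ($file === null ? 'rejected (absent or outside notes/)' : $file) . PHP_EOL;
}
```

Run from the command line the first sample yields an empty string rather than a warning, the second prints the markup as literal text (`&lt;marquee&gt;...`), and the traversal value is rejected by the character-set check before any filesystem call is made. The last sample is accepted only if `notes/hello-1.txt` actually exists under the script's directory.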
speaker219 Posted August 23, 2007 (Author)
Alright, I fixed a lot of those. I'm still pretty new to PHP, so I thank you guys for showing me I need to make stuff more secure. Anyways, I was wondering if it is possible to totally disable full path disclosure? Maybe a setting in php.ini? Thanks.
speaker219 Posted August 23, 2007 (Author)
Also fixed the blog entries so the links to /blog/1 or /blog/2 work.
speaker219 Posted August 27, 2007 (Author)
Any way to totally fix full path disclosure? Like a setting in php.ini?
source Posted August 28, 2007
yeah start making your code better...
speaker219 Posted August 28, 2007 (Author)
> yeah start making your code better...

Instead of giving a snob response, maybe you could answer my question. I was wondering if there was a setting in php.ini that could fix that problem. I'm not saying my code is so great, but there's no reason for you to be a snob when I ask a simple question. And it's not like I'm the only one -- ever heard of vBulletin? Yeah, there are even bugs in things like that! That's probably a shocker for you. Thanks for all of your wonderful, kind help.

Yeah, also, some of the things there with bugs were third-party scripts. For example the forum (vBulletin) and the chat script (yShout); I did not create either of those.
source Posted August 28, 2007
If it's pre-made software then make sure it's up to date.
448191 Posted August 28, 2007
> Any way to totally fix full path disclosure? Like a setting in php.ini?

Yes, turn off display_errors.
iHack Posted August 28, 2007
error_reporting(0);

iHack.
448191 Posted August 28, 2007
> error_reporting(0);
>
> iHack.

Turning off error reporting will also disable error logging. Unless you're retarded, you want to keep logging and reporting (possibly emailing) errors, you just don't want to display them. So, at the risk of being childish and plain unfriendly: please refrain from posting unless you either have a clue or are inquiring.
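The distinction 448191 draws is between *reporting* errors (which decides what PHP notices at all, and therefore what gets logged) and *displaying* them (which is what leaks `D:\xampplite\htdocs\...` paths to a visitor). The following is an added example, not posted by anyone in this thread, of a configuration that keeps full reporting and logging while never rendering a message to the client. The log path is an assumption.

```php
<?php
// Added example (not from any poster here): report and log everything,
// display nothing. Put the ini settings in php.ini (or the server config)
// rather than relying on ini_set() in the script: ini_set() runs too late to
// hide parse errors in the same file or PHP startup errors.

error_reporting(E_ALL);                // keep reporting everything (not error_reporting(0))
ini_set('display_errors', '0');        // never render messages, and their file paths, to the client
ini_set('log_errors', '1');            // but do write them to the error log
ini_set('error_log', '/var/log/php/app-errors.log'); // assumed path, outside the web root

// Non-fatal runtime errors (warnings, notices, ...): log the detail server-side.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    if (!(error_reporting() & $errno)) {
        return false; // suppressed with @, let PHP's default handling proceed
    }
    error_log(sprintf('[%d] %s in %s:%d', $errno, $errstr, $errfile, $errline));
    return true;      // handled; PHP will neither print nor re-log it
});

// Uncaught exceptions: log the detail, show the user a generic page.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('Uncaught %s: %s in %s:%d',
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo 'An internal error occurred.';
});

// Fatal errors (E_ERROR, E_PARSE, ...) bypass set_error_handler. With
// log_errors=1 PHP has already logged them; this only avoids a blank page.
register_shutdown_function(function (): void {
    $err = error_get_last();
    if ($err !== null && ($err['type'] & (E_ERROR | E_PARSE | E_CORE_ERROR | E_COMPILE_ERROR))) {
        http_response_code(500);
        echo 'An internal error occurred.';
    }
});
```

The equivalent php.ini lines are `display_errors = Off`, `log_errors = On`, `error_log = /var/log/php/app-errors.log` (assumed path) and `error_reporting = E_ALL`. With these in place the warnings quoted earlier in the thread still appear in the log, complete with file and line, but a visitor requesting `RSS-Reader.php?q=a` sees only the generic message. On a development box `display_errors = On` is fine; the setting should differ per environment rather than be switched off by `error_reporting(0)` in code.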
DeeCee Posted September 1, 2007
> Instead of giving a snob response, maybe you could answer my question. I was wondering if there was a setting in php.ini that could fix that problem. I'm not saying my code is so great, but there's no reason for you to be a snob when I ask a simple question. And it's not like I'm the only one -- ever heard of vBulletin? Yeah, there are even bugs in things like that! That's probably a shocker for you. Thanks for all of your wonderful, kind help.
>
> Yeah, also, some of the things there with bugs were third-party scripts. For example the forum (vBulletin) and the chat script (yShout); I did not create either of those.

Nice comeback !! lol
source Posted September 1, 2007
"Nice comeback !! lol"

If only I *cared* or *liked* any of you. Or respected anyone on these forums, with the exception of one person.
DeeCee Posted September 1, 2007
Why don't you 'become' a better person and start to lighten up a little. You can solve loads of problems, but you've got to solve that problem with your attitude first.
448191 Posted September 1, 2007
If you don't like the company, feel free to leave and never come back any time. I took the time to look at what you've posted here, and I can't say I'm impressed. Most of it is talking down on noobs, and most of it is not exactly friendly. Surely this is going to invoke another of your friendly responses, but go ahead, I expect no less. It's not like you have added ANYTHING of value to this forum. You're just another unfriendly blip on the radar.