NEONecd999 Posted August 6, 2007 Share Posted August 6, 2007 http://www.fantour.org A social networking site based around live shows. If you guys could check it out and point out any bugs you find, that would be great. Cross-browser consistency in CSS is also something that needs to be checked out. Thanks in advance. Link to comment Share on other sites More sharing options...
agentsteal Posted August 7, 2007 Share Posted August 7, 2007 Array: http://www.fantour.org/account.php?msg[] Array: http://www.fantour.org/searchresults.php?search[] Cross Site Scripting: http://www.fantour.org/account.php?msg=<marquee><h1>vulnerable</marquee> Cross Site Scripting: http://www.fantour.org/addfavconfirm.php?id=<marquee><h1>vulnerable</marquee> Cross Site Scripting: http://www.fantour.org/artistshows.php?id="><marquee><h1>vulnerable</marquee> Cross Site Scripting: http://www.fantour.org/fans.php?id="><marquee><h1>vulnerable</marquee> Cross Site Scripting: http://www.fantour.org/searchresults.php?search="><marquee><h1>vulnerable</marquee> Cross Site Scripting: http://www.fantour.org/showphotos.php?un=<marquee><h1>vulnerable</marquee> Cross Site Scripting: There is Cross Site Scripting if you post a comment that contains code. Cross Site Scripting: There is Cross Site Scripting if you register with ">code in the fields. Full Path Disclosure: http://www.fantour.org/addfavconfirm.php Full Path Disclosure: http://www.fantour.org/createshow.php?page=action Full Path Disclosure: http://www.fantour.org/delcommentconfirm.php Warning: mysql_result(): supplied argument is not a valid MySQL result resource in /home/fantouro/public_html/components/comments_del_action.php on line 36 Warning: mysql_result() [function.mysql-result]: creator not found in MySQL result index 17 in /home/fantouro/public_html/components/comments_del_action.php on line 36 Full Path Disclosure: http://www.fantour.org/login.php Fatal error: Call to undefined function dbconnect() in /home/fantouro/public_html/components/navin.php on line 3 Full Path Disclosure: http://www.fantour.org/show.php Full Path Disclosure: http://www.fantour.org/showattenders.php Full Path Disclosure: There is Full Path Disclosure if you upload an invalid image. Full Path Disclosure: There is Full Path Disclosure on multiple pages in http://www.fantour.org/components/. Includes Directory: http://www.fantour.org/components/ SQL Dump: http://www.fantour.org/addfavconfirm.php SQL Dump: http://www.fantour.org/show.php User Enumeration: http://www.fantour.org/~fantouro User Enumeration: http://www.fantour.org/~root Link to comment Share on other sites More sharing options...
NEONecd999 Posted August 7, 2007 Author Share Posted August 7, 2007 wow, okay, thanks. How do I "block" a directory? Do you mean adjust the CHMOD settings? But if it is something like the uploads folder, doesn't it need to have full permissions so that people can write to it? Link to comment Share on other sites More sharing options...
Recommended Posts