MrBillybob (Author), posted August 18, 2007 (https://forums.phpfreaks.com/topic/65566-security-check/): I would like to know if anyone can get any variables or injections on this site... it's mine of course. http://octub.com/eve/

NArc0t1c, posted August 18, 2007: Well, none of your scripts work, so no.

MrBillybob (Author), posted August 18, 2007: They all work, I just had output off.... The register corp password is 'abc123'.

d.shankar, posted August 18, 2007: Yes, your site contains vulnerabilities.

mattd8752, posted August 18, 2007: Registered as <b>test; it prints everything after my name bold.

MrBillybob (Author), posted August 18, 2007: ....d.shankar, what are they?

mattd8752, posted August 18, 2007: Mr Billy, you have to filter HTML input. Replace < and > with their ANSI codes.

MrBillybob (Author), posted August 18, 2007: OK, thanks.

d.shankar, posted August 19, 2007: Yea MrBillybob.. Matt is right. The username produces an XSS attack; use strip_tags() on the username field in the registration process.

agentsteal, posted August 19, 2007:
Cross Site Scripting: There is Cross Site Scripting if your username contains code.
Full Path Disclosure: http://octub.com/eve/?l=order&sl=cart&ship=582
Warning: mysql_result(): Unable to jump to row 0 on MySQL result index 6 in /home/content/t/u/b/tubguys/html/eve/index.php on line 1081
Warning: mysql_result(): Unable to jump to row 0 on MySQL result index 7 in /home/content/t/u/b/tubguys/html/eve/index.php on line 1092

NArc0t1c, posted August 19, 2007: You could also try the following: <?php echo htmlentities($String, ENT_QUOTES); ?>

MrBillybob (Author), posted August 20, 2007: Thx, they should all be fixed now.

MrBillybob (Author), posted August 20, 2007: Recheck it, I forgot to upload.

d.shankar, posted August 20, 2007: You still didn't filter the username. It's still vulnerable to XSS!

MrBillybob (Author), posted August 20, 2007: ...I only did it on the MySQL insert, not the output.

d.shankar, posted August 20, 2007: I told you to do it in the registration page.

MrBillybob (Author), posted August 20, 2007: I meant I only did it in the query, not on the var I output.

d.shankar, posted August 20, 2007: YOU HAVE TO FILTER OUTPUT!

ILYAS415, posted August 20, 2007: Yep, you've fixed the register area.

ILYAS415, posted August 20, 2007: Oh yeah, he hasn't, lol. He needs to make it so it doesn't allow code.

MrBillybob (Author), posted August 20, 2007: I used strip_tags: <?php $status = "Registration Complete " . strip_tags($_POST['u']) . "! Please wait for a director to accept your account."; ?>

d.shankar, posted August 21, 2007: Fine..! Also use strip_tags() on the home page too.
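The two fixes the thread arrives at, in working form, as an added example and not code from the posts or from the site: escape the username where it is printed (d.shankar's point that filtering the INSERT alone leaves the output vulnerable), and check for an empty result before reading it so the mysql_result() warning that leaked the full server path cannot fire. The `h()` helper, the `$link` connection, and the `ships` table with `id`/`cost` columns are assumptions.

```php
<?php
// Added example (not from the thread or the site). Assumes a mysqli
// connection in $link and a table `ships` with columns `id` and `cost`.

// 1. Output escaping. A username like "<b>test" is only rendered as text
//    if it is escaped at the point where it is echoed; strip_tags() on the
//    way into the database leaves existing rows and every other echo raw.
function h($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function registrationStatus($username) {
    return 'Registration Complete ' . h($username)
         . '! Please wait for a director to accept your account.';
}

// 2. Full path disclosure. The warning in the thread appeared because the
//    query returned no rows and mysql_result() was called anyway, and PHP
//    printed the warning (with the script path) to the visitor. Fetch with
//    a row check, use a bound parameter so the ship id cannot alter the
//    query, and keep display_errors off in production (log instead).
ini_set('display_errors', '0');
ini_set('log_errors', '1');

function shipCost(mysqli $link, $shipId) {
    $stmt = mysqli_prepare($link, 'SELECT cost FROM ships WHERE id = ?');
    if ($stmt === false) {
        return null;                       // logged by PHP, not shown
    }
    mysqli_stmt_bind_param($stmt, 'i', $shipId);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $cost);
    $found = mysqli_stmt_fetch($stmt);     // false/null when no row matched
    mysqli_stmt_close($stmt);
    return $found ? (int) $cost : null;    // caller shows "unknown ship"
}

// Constructed input matching the thread's test registration.
echo registrationStatus('<b>test'), "\n";
```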