MrBillybob Posted August 18, 2007 Share Posted August 18, 2007 I would like to know if anyone can get any variables or injections on this site...its mine of course. http://octub.com/eve/ Link to comment Share on other sites More sharing options...
NArc0t1c Posted August 18, 2007 Share Posted August 18, 2007 Well, none of you're scripts work, so no. Link to comment Share on other sites More sharing options...
MrBillybob Posted August 18, 2007 Author Share Posted August 18, 2007 they all work i just had output off.... register corp password is 'abc123' Link to comment Share on other sites More sharing options...
d.shankar Posted August 18, 2007 Share Posted August 18, 2007 Yes your site contains vulnerabilities. Link to comment Share on other sites More sharing options...
mattd8752 Posted August 18, 2007 Share Posted August 18, 2007 Registered as <b>test it prints everything after my name bold. Link to comment Share on other sites More sharing options...
MrBillybob Posted August 18, 2007 Author Share Posted August 18, 2007 ....d.shankar what are they? Link to comment Share on other sites More sharing options...
mattd8752 Posted August 18, 2007 Share Posted August 18, 2007 Mr Billy, you have to filter HTML input. replace < and > with their ansi codes. Link to comment Share on other sites More sharing options...
MrBillybob Posted August 18, 2007 Author Share Posted August 18, 2007 ok thanks Link to comment Share on other sites More sharing options...
d.shankar Posted August 19, 2007 Share Posted August 19, 2007 yea mrbillybob .. matt is right. the username produces XSS attack use the strip_tags() to the username field in the registration process. Link to comment Share on other sites More sharing options...
agentsteal Posted August 19, 2007 Share Posted August 19, 2007 Cross Site Scripting: There is Cross Site Scripting if your username contains code. Full Path Disclosure: http://octub.com/eve/?l=order&sl=cart&ship=582 Warning: mysql_result(): Unable to jump to row 0 on MySQL result index 6 in /home/content/t/u/b/tubguys/html/eve/index.php on line 1081 Warning: mysql_result(): Unable to jump to row 0 on MySQL result index 7 in /home/content/t/u/b/tubguys/html/eve/index.php on line 1092 Link to comment Share on other sites More sharing options...
NArc0t1c Posted August 19, 2007 Share Posted August 19, 2007 You could also try the following, <?php htmlentities($String, ENT_QUOTES); ?> Link to comment Share on other sites More sharing options...
MrBillybob Posted August 20, 2007 Author Share Posted August 20, 2007 thx they should all be fixed now Link to comment Share on other sites More sharing options...
MrBillybob Posted August 20, 2007 Author Share Posted August 20, 2007 recheck it i forgot to upload Link to comment Share on other sites More sharing options...
d.shankar Posted August 20, 2007 Share Posted August 20, 2007 You still didnt filter the username. Its still vulnerable to XSS ! Link to comment Share on other sites More sharing options...
MrBillybob Posted August 20, 2007 Author Share Posted August 20, 2007 ...i only did it on the mysql insert not the output Link to comment Share on other sites More sharing options...
d.shankar Posted August 20, 2007 Share Posted August 20, 2007 i told you to do in the registration page. Link to comment Share on other sites More sharing options...
MrBillybob Posted August 20, 2007 Author Share Posted August 20, 2007 i meant i only did it in the query not the on the var i output Link to comment Share on other sites More sharing options...
d.shankar Posted August 20, 2007 Share Posted August 20, 2007 YOU HAVE TO FILTER OUTPUT ! Link to comment Share on other sites More sharing options...
ILYAS415 Posted August 20, 2007 Share Posted August 20, 2007 yep uve fixed the register area Link to comment Share on other sites More sharing options...
ILYAS415 Posted August 20, 2007 Share Posted August 20, 2007 o yh he hasnt lol. he needs to make it so it doesnt allow code Link to comment Share on other sites More sharing options...
MrBillybob Posted August 20, 2007 Author Share Posted August 20, 2007 i user strip_tags <?php $status = "Registration Complete ".strip_tags($_POST['u'])."! Please wait for a director to accept your account."; ?> Link to comment Share on other sites More sharing options...
d.shankar Posted August 21, 2007 Share Posted August 21, 2007 Fine.. ! Also use the strip_tags() in the home page too. Link to comment Share on other sites More sharing options...
Recommended Posts