Ryokotsusai Posted September 6, 2007

Hi, I was wondering if anyone out there has some free time and could attack my site for me. It is not anywhere near 100% yet (maybe closer to 10%) and only 2 scripts have any access to the database: the login in the top corner (when you're not logged in) and the registration page. I would like to know about any possible exploits that you can come up with, and feel free to do anything short of deleting the database (if possible); there are only 3 empty tables anyway.

link: http://www.gravityws.com

thanks

thedarkwinter Posted September 6, 2007

For a start... your login script is seriously flawed: if you type a random username and password, the login fails, but if you type a random username and no password, it logs you in!

agentsteal Posted September 6, 2007

Cross Site Scripting: There is Cross Site Scripting if the Expect header contains code.

Cross Site Scripting: There is Cross Site Scripting when you register if the fields contain ">code.

Full Path Disclosure: There is Full Path Disclosure if the PHPSESSID cookie is set to an invalid value.

Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/www/gravityws.com/admin/config.php on line 15
Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /home/www/gravityws.com/admin/config.php:15) in /home/www/gravityws.com/admin/config.php on line 15
Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/www/gravityws.com/admin/config.php:15) in /home/www/gravityws.com/admin/config.php on line 15
Warning: Unknown: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in Unknown on line 0
Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in Unknown on line 0

Null User: You can register a null password.

Null User: You can register a null username.

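Added example, not part of the thread and not the site's code: one way to close the findings in the post above in PHP (malformed session id, registration fields echoed without encoding, empty username or password). The function names and the form field names `username` and `password` are assumptions; `session_create_id()` requires PHP 7.1 or later.

```php
<?php
// Added example: hypothetical helper and field names, not the site's own code.

// Full path disclosure: log PHP warnings instead of printing them in the page.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// True only for ids built from the characters the warning lists as valid.
function is_valid_session_id(string $id): bool
{
    return preg_match('/^[A-Za-z0-9,-]{1,128}$/D', $id) === 1;
}

// Swap a malformed client-supplied id for a fresh one before session_start().
function start_session_safely(): void
{
    $sent = $_COOKIE[session_name()] ?? null;
    if ($sent !== null && !(is_string($sent) && is_valid_session_id($sent))) {
        session_id(session_create_id());
    }
    session_start();
}

// Null user: an empty list means both fields are present and non-empty.
function validate_registration(array $post): array
{
    $errors = [];
    foreach (['username', 'password'] as $field) {
        $value = $post[$field] ?? '';
        if (!is_string($value) || trim($value) === '') {
            $errors[] = "$field is required";
        }
    }
    return $errors;
}

// XSS: encode a submitted value before echoing it back into the form, so a
// quote or angle bracket cannot close the attribute or the tag.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input; run with the PHP CLI.
$post = ['username' => '"><b>x</b>', 'password' => ''];
print_r(validate_registration($post));
echo '<input name="username" value="', e($post['username']), '">', "\n";
var_dump(is_valid_session_id('abc123'), is_valid_session_id('bad id!'));
```
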
Ryokotsusai (Author) Posted September 7, 2007

I fixed the index pages in the directories.

The login script is what I get for trying to make something while dead tired, but that no longer allows blank logins.

The full path thing I think I took care of, but now it won't connect to the database... let me try and figure this one out...

Ryokotsusai (Author) Posted September 7, 2007

Fixed, please continue testing.

Crew-Portal Posted September 8, 2007

I tried:

Username: INSERT INTO database USERS `'`
Password: OR "=

This step normally confuses the hell outta the database and logs you in. But in your script it didn't log me in! Great job! Security Check is Well Done!

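Added example, not part of the thread and not the site's code: a PHP login check that rejects blank fields (the flaw reported earlier in the thread) and hands the strings from the post above to the database as bound parameters, so they are compared as data and never parsed as SQL. The `users` table, its columns, the `check_login` name and the sample account are assumptions; it needs the pdo_sqlite extension.

```php
<?php
// Added example: hypothetical table and function names, not the site's code.

// Returns the user id on success, null on any failure.
function check_login(PDO $db, string $username, string $password): ?int
{
    // An empty field is never a valid credential.
    if ($username === '' || $password === '') {
        return null;
    }
    // Placeholders keep quotes and SQL keywords in the input as plain data.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Succeed only when a row exists AND the password matches its stored hash.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$attempts = [
    ['alice', 'correct horse'],                       // valid account
    ['alice', ''],                                    // known user, blank password
    ['nobody', ''],                                   // random user, blank password
    ["INSERT INTO database USERS `'`", 'OR "='],      // strings from the post above
];
foreach ($attempts as [$u, $p]) {
    $result = check_login($db, $u, $p) === null ? 'rejected' : 'accepted';
    printf("%-36s %s\n", json_encode($u), $result);
}
```
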
Ryokotsusai (Author) Posted September 8, 2007

> This one isn't fixed: If you try to register with ">code in the fields the code runs on the page.

OK, I think I took care of that, or at least I can't get it to do that anymore.

deadimp Posted September 9, 2007

I tried registering, but it said that there was a database problem.

For the directory indexes, you can still tell if it's a real directory by checking on the page status. Have you tried sending a 404 status in the header?

Ryokotsusai (Author) Posted September 10, 2007

> I tried registering, but it said that there was a database problem.

Sorry, it is back now.

> For the directory indexes, you can still tell if it's a real directory by checking on the page status. Have you tried sending a 404 status in the header?

No, I hadn't thought of that.

deadimp Posted September 10, 2007

I logged in, or at least it said it thought I logged in, and the only thing that really changed was the header (the login section disappeared). After that, I couldn't figure what else had changed (though I know that's not the point of all this at the moment). I couldn't figure out how to log out, so I used another browser to screw around some.

The login gives different messages for different passwords that I try, so I'm not sure what could be causing that.

I'm not that much of a hacker in the sense of network security, so I'm not sure what else to try.

Ryokotsusai (Author) Posted September 10, 2007

Logged in with an account or by other means?

deadimp Posted September 11, 2007

Just with an account.