
object based feature rich login


dbillings


I've made an easy to configure and install login system with PHP. It has a configure file that initially needs to be edited, then a setup.php page to run that creates a MySQL table. Then you are off and running with a few includes. It has features like super admins, 4 levels of security, lists users currently online, the ability to modify users' access easily, and it requires no programming knowledge to use.

 

dennisbillings.com/projects.php


Admin Access:

Regular users can set admin privileges and make themselves admin.

 

Cross Site Scripting:

There is Cross Site Scripting if the Expect header contains code.

 

Cross Site Scripting:

There is Cross Site Scripting if you submit code in the drop down menu on http://www.dennisbillings.com/calphalon/daysoff.php.

 

Cross Site Scripting:

There is Cross Site Scripting on http://www.dennisbillings.com/addimages.php.

 

Cross Site Scripting:

There is Cross Site Scripting on http://www.dennisbillings.com/allquotes.php.

 

Cross Site Scripting:

There is Cross Site Scripting on http://www.dennisbillings.com/blog.php.

 

Cross Site Scripting:

There is Cross Site Scripting when you register if the fields contain ">code.

 

Drop Down Menu:

If you edit the drop down menu on http://www.dennisbillings.com/calphalon/daysoff.php you can submit arbitrary values.

 

Full Path Disclosure:

http://www.dennisbillings.com/adminquoteeditor.php?id

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/www/Devendea/quoteeditor.php on line 29

 

Full Path Disclosure:

http://www.dennisbillings.com/music.php?pmmsid[]

Warning: Illegal offset type in /home/www/Devendea/videos.php on line 113

 

Full Path Disclosure:

http://www.dennisbillings.com/projects.php?dl[]

Warning: basename() expects parameter 1 to be string, array given in /home/www/Devendea/count_clicks.php on line 29

 

Warning: Cannot modify header information - headers already sent by (output started at /home/www/Devendea/count_clicks.php:29) in /home/www/Devendea/count_clicks.php on line 29

 

Full Path Disclosure:

There is Full Path Disclosure in the calendar.

Warning: mysql_result(): Unable to jump to row 0 on MySQL result index 13827 in /home/www/Devendea/calphalon/explore.php on line 69

 

Includes Directory:

http://www.dennisbillings.com/login/

 

Null User:

You can register a null username.

 

SQL Injection:

http://www.dennisbillings.com/adminquoteeditor.php?id=1 AND 1=1

http://www.dennisbillings.com/adminquoteeditor.php?id=1 AND 1=2

 

User Enumeration:

http://www.dennisbillings.com/~admin

 

User Enumeration:

http://www.dennisbillings.com/~Devendea

 

User Enumeration:

http://www.dennisbillings.com/~root


I can block the full path disclosure by getting rid of my error reporting. I can stop the sql injections by creating better $_GET validation. I should use htmlspecialchars() on all my form data. How do I rid myself of the user enumeration problem and how did you give yourself admin privileges?

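The following is an added example written for this thread; it is not code from dbillings' login system or from dennisbillings.com. It reconstructs the query pattern the adminquoteeditor.php finding implies (that reconstruction is an assumption) and puts the hardened versions beside it, covering both the report above and the fixes dbillings proposes: integer validation plus a prepared statement for the id parameter, htmlspecialchars() with ENT_QUOTES on output, rejection of empty usernames, a column allowlist so a form post cannot set the access level, and display_errors turned off so PHP warnings no longer leak paths. The table names, columns, sample rows and function names are all invented for the example; it uses an in-memory SQLite database through PDO so it runs offline.

```php
<?php
// Added example, not the login system's own code. Constructed tables and rows;
// SQLite in memory via PDO so it runs without a MySQL server.
declare(strict_types=1);

// Full path disclosure: never render PHP warnings to the client in production.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$db->exec('CREATE TABLE quotes (id INTEGER PRIMARY KEY, body TEXT)');
$db->exec("INSERT INTO quotes VALUES (1, 'first'), (2, 'second <script>alert(1)</script>')");
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, access INTEGER)');
$db->exec("INSERT INTO users VALUES (7, 'dennis', 'd@example.invalid', 1)");

// VULNERABLE (hypothetical reconstruction of adminquoteeditor.php?id=...):
// the raw query-string value is concatenated into SQL, so ?id=1 AND 1=1 and
// ?id=1 AND 1=2 give different pages (boolean-based injection), and ?id[]
// makes the array-to-string conversion emit a warning with the script path.
function fetchQuoteVulnerable(PDO $db, array $get): array
{
    $sql = 'SELECT id, body FROM quotes WHERE id=' . $get['id'];
    return $db->query($sql)->fetchAll();
}

// HARDENED: accept only a positive integer, refuse everything else.
function quoteIdFromRequest(array $get): ?int
{
    if (!isset($get['id']) || is_array($get['id'])) {
        return null;                       // ?id and ?id[] are both rejected
    }
    $id = filter_var($get['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;     // '1 AND 1=1' fails validation
}

// HARDENED: bound parameter, so the value can never alter the query structure.
function fetchQuote(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, body FROM quotes WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Output encoding for every value echoed into HTML. ENT_QUOTES also covers
// the ">code payload from the report when the value sits inside an attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Null user: reject empty, whitespace-only or non-string names with an allowlist.
function validUsername($name): bool
{
    return is_string($name) && preg_match('/^[A-Za-z0-9_]{3,32}$/', $name) === 1;
}

// Admin access: the access level is never taken from the form. Only columns in
// the allowlist are updatable by the user; a posted 'access' field is ignored.
function updateOwnProfile(PDO $db, int $userId, array $post): void
{
    $editable = ['email'];
    foreach ($editable as $col) {
        if (isset($post[$col]) && is_string($post[$col])) {
            $stmt = $db->prepare("UPDATE users SET $col = :v WHERE id = :id");
            $stmt->execute([':v' => $post[$col], ':id' => $userId]);
        }
    }
}

// Usage with the payloads from the report (constructed request arrays):
$injected = ['id' => '1 AND 1=1'];
var_dump(count(fetchQuoteVulnerable($db, $injected)));           // int(1): injection reaches the DB
var_dump(quoteIdFromRequest($injected));                          // NULL
var_dump(quoteIdFromRequest(['id' => ['x']]));                    // NULL
echo h(fetchQuote($db, 2)['body']), PHP_EOL;                       // script tag is escaped
var_dump(validUsername(''));                                       // bool(false)
updateOwnProfile($db, 7, ['email' => 'new@example.invalid', 'access' => '4']);
var_dump((int) $db->query('SELECT access FROM users WHERE id = 7')->fetchColumn()); // int(1)
```

Run it with `php example.php`. The `~admin` and `~root` URLs are a web server feature (per-user directories, Apache's mod_userdir if that is the server in use, which is an assumption here), so that finding is a server configuration change rather than something the PHP can fix; the rest of the report maps onto the functions above.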
