
Test My Site


drewbee


Hello everyone,

I am creating a freelance marketplace, so to speak. I need testers to run through the processes and verify things are working correctly (Post Projects, XSS, Injection etc). Whatever your heart desires.

The process starts out with registration / account validation and then requiring a correct password.

One of the main points that I need tested is the PayPal account funding.

If you wish to test this, go to control panel -> Add Funds, or to withdraw them, control panel -> Withdraw Funds.

If any money is transferred in and for some reason the system doesn't work, fails, or rejects it, please let me know so I can directly send it back through PayPal. As well, just play with the site and break stuff! :P

Oh, I almost forgot, in order to post a project there is a 5.00 fee (which is refunded after project close). To try and stay with the system I would like a few people to test this. As stated before, if something happens, please let me know so I can get your money back to you.

http://www.freelancebazar.com


Cross Site Scripting:

There is Cross Site Scripting on http://www.freelancebazar.com/contact.html if you submit code in the fields.

Drop Down Menu:

If you edit the drop down menus on the Post Project page you can submit arbitrary values.

Full Path Disclosure:

http://www.freelancebazar.com/includes/classes/controlpanel.class.php

Fatal error: Class 'Page' not found in /home/freelan2/public_html/includes/classes/controlpanel.class.php on line 2

Full Path Disclosure:

http://www.freelancebazar.com/includes/classes/projects.class.php

Fatal error: Class 'Page' not found in /home/freelan2/public_html/includes/classes/projects.class.php on line 2

Full Path Disclosure:

http://www.freelancebazar.com/includes/classes/register.class.php

Fatal error: Class 'Page' not found in /home/freelan2/public_html/includes/classes/register.class.php on line 2

Full Path Disclosure:

http://www.freelancebazar.com/includes/forms/cp_escrow_provider_showproject.form.php

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/freelan2/public_html/includes/forms/cp_escrow_provider_showproject.form.php on line 15

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/freelan2/public_html/includes/forms/cp_escrow_provider_showproject.form.php on line 15

Fatal error: Using $this when not in object context in /home/freelan2/public_html/includes/forms/cp_escrow_provider_showproject.form.php on line 17

Full Path Disclosure:

http://www.freelancebazar.com/includes/forms/cp_projects_bids.form.php

Fatal error: Using $this when not in object context in /home/freelan2/public_html/includes/forms/cp_projects_bids.form.php on line 16

Full Path Disclosure:

http://www.freelancebazar.com/includes/forms/project_all_category.form.php

Warning: mysql_query() [function.mysql-query]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/freelan2/public_html/includes/forms/project_all_category.form.php on line 4

Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/freelan2/public_html/includes/forms/project_all_category.form.php on line 4

Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in /home/freelan2/public_html/includes/forms/project_all_category.form.php on line 5

Full Path Disclosure:

http://www.freelancebazar.com/includes/forms/projects_bid.form.php

Fatal error: Using $this when not in object context in /home/freelan2/public_html/includes/forms/projects_bid.form.php on line 7

Full Path Disclosure:

http://www.freelancebazar.com/includes/forms/projects_clarification_board.form.php

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/freelan2/public_html/includes/forms/projects_clarification_board.form.php on line 16

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/freelan2/public_html/includes/forms/projects_clarification_board.form.php on line 16

Warning: mysql_query() [function.mysql-query]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/freelan2/public_html/includes/forms/projects_clarification_board.form.php on line 17

Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/freelan2/public_html/includes/forms/projects_clarification_board.form.php on line 17

Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in /home/freelan2/public_html/includes/forms/projects_clarification_board.form.php on line 20

Fatal error: Using $this when not in object context in /home/freelan2/public_html/includes/forms/projects_clarification_board.form.php on line 72

Full Path Disclosure:

http://www.freelancebazar.com/includes/forms/project_category.form.php

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/freelan2/public_html/includes/forms/project_category.form.php on line 10

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/freelan2/public_html/includes/forms/project_category.form.php on line 10

Warning: mysql_query() [function.mysql-query]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/freelan2/public_html/includes/forms/project_category.form.php on line 14

Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/freelan2/public_html/includes/forms/project_category.form.php on line 14

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/freelan2/public_html/includes/forms/project_category.form.php on line 16

Full Path Disclosure:

http://www.freelancebazar.com/includes/forms/user_comments.form.php

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/freelan2/public_html/includes/forms/user_comments.form.php on line 15

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/freelan2/public_html/includes/forms/user_comments.form.php on line 15

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/freelan2/public_html/includes/forms/user_comments.form.php on line 15

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/freelan2/public_html/includes/forms/user_comments.form.php on line 15

Warning: mysql_query() [function.mysql-query]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/freelan2/public_html/includes/forms/user_comments.form.php on line 15

Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/freelan2/public_html/includes/forms/user_comments.form.php on line 15

Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in /home/freelan2/public_html/includes/forms/user_comments.form.php on line 17

Fatal error: Using $this when not in object context in /home/freelan2/public_html/includes/forms/user_comments.form.php on line 107

Full Path Disclosure:

http://www.freelancebazar.com/includes/html/html.php

Fatal error: Using $this when not in object context in /home/freelan2/public_html/includes/html/html.php on line 5

Includes Directory:

http://www.freelancebazar.com/includes/

User Enumeration:

http://www.freelancebazar.com/~freelan2

User Enumeration:

http://www.freelancebazar.com/~root

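The Full Path Disclosure findings above all have the same shape: a PHP error line of the form "level: message in /absolute/path on line N" returned in the response body. A site owner can turn that into a regression check to run against a staging copy after the fixes (and after turning display_errors off). The script below is an added example, not code from the thread or from the site; the sample responses are constructed to mirror the errors quoted in the report, and the tag stripping assumes PHP's default html_errors output.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# PHP's default error line: "<level>: <message> in <absolute path> on line <n>";
# with html_errors on, pieces are wrapped in <b>..</b>, so tags are stripped first.
PHP_ERROR_RE = re.compile(
    r"(?P<level>Fatal error|Warning|Notice|Parse error):\s+"
    r"(?P<message>.+?)\s+in\s+(?P<path>/\S+)\s+on line\s+(?P<line>\d+)")
TAG_RE = re.compile(r"<[^>]+>")

@dataclass(frozen=True)
class Disclosure:
    url_path: str   # path that was requested
    level: str      # "Fatal error", "Warning", ...
    fs_path: str    # absolute filesystem path leaked by the error
    line: int
    message: str

def find_disclosures(url_path: str, body: str) -> list[Disclosure]:
    """Every PHP error in `body` that leaks an absolute filesystem path."""
    text = TAG_RE.sub("", body)
    return [Disclosure(url_path, m["level"], m["path"], int(m["line"]), m["message"])
            for m in PHP_ERROR_RE.finditer(text)]

def infer_document_root(d: Disclosure) -> str | None:
    """If the leaked path ends with the requested URL path, the prefix is the web root."""
    return d.fs_path[: -len(d.url_path)] if d.fs_path.endswith(d.url_path) else None

def audit(responses: dict[str, str]) -> dict[str, object]:
    """Summarise disclosures over url_path -> body pairs (e.g. a crawl of /includes/)."""
    found = [d for path, body in responses.items() for d in find_disclosures(path, body)]
    return {"count": len(found),
            "fatal": sum(d.level == "Fatal error" for d in found),
            "paths": sorted({d.fs_path for d in found}),
            "document_roots": sorted({r for d in found if (r := infer_document_root(d))})}

# Constructed sample responses, modelled on the errors quoted in the report above.
SAMPLE_RESPONSES = {
    "/includes/classes/controlpanel.class.php":
        "<br />\n<b>Fatal error</b>:  Class 'Page' not found in <b>/home/freelan2/"
        "public_html/includes/classes/controlpanel.class.php</b> on line <b>2</b><br />\n",
    "/includes/forms/project_all_category.form.php":
        "<br />\n<b>Warning</b>:  mysql_query() [<a href='function.mysql-query'>"
        "function.mysql-query</a>]: Access denied for user 'nobody'@'localhost' (using "
        "password: NO) in <b>/home/freelan2/public_html/includes/forms/"
        "project_all_category.form.php</b> on line <b>4</b><br />\n"
        "<br />\n<b>Warning</b>:  mysql_fetch_assoc(): supplied argument is not a valid "
        "MySQL result resource in <b>/home/freelan2/public_html/includes/forms/"
        "project_all_category.form.php</b> on line <b>5</b><br />\n",
    "/index.php": "<html><body>Welcome</body></html>",  # clean page, no finding
}
```

Feed `audit()` the bodies from a crawl of the include directory; any non-zero count means error display is still leaking paths, and `document_roots` shows exactly what an outsider would learn.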

Ok Agent.

That should keep you out of the includes folder.

Fixed contact.html (that's what I get for writing code too quickly).

Fixed XSS injection from registration email.

Fixed project (editing form and submitting) issue. I will need to take a look around at any other drop downs I have; I can't really say I validated the majority of them.

Thanks for the 232 emails from the contact form btw lol.

What tool do you use to do all this checking?
