thewooleymammoth, posted October 8, 2007

Help me out and mess my site up if you can (tell me how you did). For those of you who helped last time: not all of those issues were fixed completely, but they are far more secure. Thanks.

http://www.getyourlinkon.net

Link to comment https://forums.phpfreaks.com/topic/72243-solved-sites-up-and-ready-for-security-test-two/

php_tom, posted October 8, 2007

Hehehehe... You might disable JavaScript in the links....

thewooleymammoth (Author), posted October 8, 2007

How do I disable JavaScript?

agentsteal, posted October 8, 2007

Array: http://www.getyourlinkon.net/member.php?user[]
Array: http://www.getyourlinkon.net/viewrequest.php?title[]
Cross Site Scripting: There is Cross Site Scripting if the Expect header contains code.
Cross Site Scripting: There is Cross Site Scripting on the Links page if the fields contain 'code.
Cross Site Scripting: There is Cross Site Scripting when you register if the fields contain code.
Directory Traversal: http://www.getyourlinkon.net/member.php?user=../request/agentsteal
Directory Traversal: You can make txt files in any directory by registering with the username set to ../filename.
Directory Traversal: You can make txt files in any directory by requesting a link with the title set to ../filename.
Full Path Disclosure: http://www.getyourlinkon.net/test.php
    Fatal error: Call to undefined function: scandir() in /homepages/8/d218498496/htdocs/test.php on line 3
Insecure Cookie: You shouldn't put the username in the cookie. You can log in as any user by setting the auth cookie to their username.
You can make txt files in http://www.getyourlinkon.net/members/ by registering with the username set to the filename.
You can make txt files in http://www.getyourlinkon.net/request/ by requesting a link with the title set to the filename.

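One way to close the array-parameter, directory-traversal and cookie findings listed above, as an added PHP example that is not part of the thread or the site's own code. `MEMBER_DIR`, `COOKIE_KEY` and all function names are assumptions made for illustration.

```php
<?php
// Added example, not the site's code: directory, key and function names are assumptions.
const MEMBER_DIR = __DIR__ . '/members';          // hypothetical storage directory
const COOKIE_KEY = 'replace-with-random-secret';  // placeholder; load from server config

// Return the name if it is a plain string made of allowlisted characters,
// otherwise null. Arrays (member.php?user[]) and "../" never pass.
function clean_name($input): ?string
{
    if (!is_string($input)) {
        return null;
    }
    return preg_match('/\A[A-Za-z0-9_-]{3,32}\z/', $input) === 1 ? $input : null;
}

// Path of a member's file; only call with a value returned by clean_name().
function member_path(string $name): string
{
    return MEMBER_DIR . '/' . $name . '.txt';
}

// Cookie value is the username plus an HMAC that only the server can compute.
function make_auth_cookie(string $name): string
{
    return $name . '|' . hash_hmac('sha256', $name, COOKIE_KEY);
}

// Return the authenticated username, or null for a missing or altered cookie.
function check_auth_cookie($cookie): ?string
{
    if (!is_string($cookie) || substr_count($cookie, '|') !== 1) {
        return null;
    }
    [$name, $mac] = explode('|', $cookie);
    $valid = hash_equals(hash_hmac('sha256', $name, COOKIE_KEY), $mac);
    return ($valid && clean_name($name) !== null) ? $name : null;
}

// Constructed inputs mirroring the reported cases.
$cases = [['x'], '../request/agentsteal', 'agentsteal'];
foreach ($cases as $input) {
    $name = clean_name($input);
    echo json_encode($input), ' => ', $name === null ? 'rejected' : member_path($name), "\n";
}
// A bare-username cookie versus one issued by make_auth_cookie().
var_dump(check_auth_cookie('agentsteal'));
var_dump(check_auth_cookie(make_auth_cookie('agentsteal')));
```

PHP's built-in sessions (`session_start()` with the username kept in `$_SESSION` on the server) avoid putting the username in the cookie at all.
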
php_tom, posted October 8, 2007

> How do I disable JavaScript?

Easiest thing might be to check the URL when the user submits it. Something like:

    <?php
    // Try to fetch the submitted URL; "@" suppresses the warning on failure.
    // A failed fetch returns false, which compares equal to "" here.
    if (@file_get_contents("http://theURLtheyEntered.com") != "")
        echo "OK!";
    else
        echo "BAD!";
    ?>

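A check on the submitted link that needs no network request, shown as an added PHP example that is not code from the thread: it allows only http/https URLs and escapes the URL and title on output. The function names `clean_link_url` and `render_link` are hypothetical.

```php
<?php
// Added example; function names are hypothetical, sample data is constructed.

// Accept only absolute http/https URLs with a host. Other schemes such as
// "javascript:" or "data:" and empty values are rejected without any fetch.
function clean_link_url($input): ?string
{
    if (!is_string($input)) {
        return null;
    }
    $url = trim($input);
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    $host   = parse_url($url, PHP_URL_HOST);
    if (!in_array($scheme, ['http', 'https'], true) || empty($host)) {
        return null;
    }
    return $url;
}

// Escape both the URL and the title for their HTML context on output,
// so markup typed into either field is displayed as text.
function render_link(string $url, string $title): string
{
    return sprintf(
        '<a href="%s" rel="nofollow noopener">%s</a>',
        htmlspecialchars($url, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($title, ENT_QUOTES, 'UTF-8')
    );
}

// Constructed submissions: a normal link, a script URL and a blank entry.
$submissions = [
    ['http://www.example.com/page?a=1&b=2', 'Example <b>site</b>'],
    ['javascript:alert(1)', 'click me'],
    ['', 'blank link'],
];
foreach ($submissions as [$url, $title]) {
    $clean = clean_link_url($url);
    echo $clean === null ? "rejected\n" : render_link($clean, $title) . "\n";
}
```
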
thewooleymammoth (Author), posted October 8, 2007

> > How do I disable JavaScript?
>
> Easiest thing might be to check the URL when the user submits it. Something like:
>
>     <?php if(@file_get_contents("http://theURLtheyEntered.com")!="") echo "OK!"; else echo "BAD!"; ?>

Oh, so what that does is check to see if the page they submitted exists...? Wow, that's a good idea. Thanks.

thewooleymammoth (Author), posted October 8, 2007

> Array: http://www.getyourlinkon.net/viewrequest.php?title[]
> There is Cross Site Scripting on the members page if you register with a space in the username.

You can't register with a space in the name?

thewooleymammoth (Author), posted October 8, 2007

Wait, I don't see how you guys do any of these things besides the JavaScript one. I can't duplicate any of them.

php_tom, posted October 8, 2007

> How do I disable JavaScript?
>
> Easiest thing might be to check the URL when the user submits it. Something like:
>
>     <?php if(@file_get_contents("http://theURLtheyEntered.com")!="") echo "OK!"; else echo "BAD!"; ?>

Great, except that now if the link doesn't exist, it adds a blank link to the list. You should probably fix that.

> Oh, so what that does is check to see if the page they submitted exists...? Wow, that's a good idea. Thanks.

thewooleymammoth (Author), posted October 8, 2007

k thanks

thewooleymammoth (Author), posted October 8, 2007

got it. ima leave this open for a few more days, thanks.