MicroHost - Free Hosting Service


mattal999

Tried to register as ' with pass ' and

 

Full path disclosure, plus many other things, like I can't think of what userpwd.txt would hold...? (Too bad permission is denied...)

 

Warning: fopen(userpwd.txt) [function.fopen]: failed to open stream: Permission denied in /home/users/uks51756/html/games4uonline.com/sites/login/common.php on line 11

Warning: rewind(): supplied argument is not a valid stream resource in /home/users/uks51756/html/games4uonline.com/sites/login/common.php on line 12

Warning: feof(): supplied argument is not a valid stream resource in /home/users/uks51756/html/games4uonline.com/sites/login/common.php on line 14

Warning: fgets(): supplied argument is not a valid stream resource in /home/users/uks51756/html/games4uonline.com/sites/login/common.php on line 15

Warning: feof(): supplied argument is not a valid stream resource in /home/users/uks51756/html/games4uonline.com/sites/login/common.php on line 14

Warning: fgets(): supplied argument is not a valid stream resource in /home/users/uks51756/html/games4uonline.com/sites/login/common.php on line 15

Warning: feof(): supplied argument is not a valid stream resource in /home/users/uks51756/html/games4uonline.com/sites/login/common.php on line 14

Warning: fgets(): supplied argument is not a valid stream resource in /home/users/uks51756/html/games4uonline.com/sites/login/common.php on line 15

 

and kept coming... on lines 14 - 15


Admin Access:

You can view and edit the site's source code through the Directory Traversal.

 

Array:

http://www.games4uonline.com/sites/write.php?file[]

 

Array:

http://www.games4uonline.com/sites/writenew.php?file[]

 

Cross Site Scripting:

There is Cross Site Scripting if the File Name field on http://www.games4uonline.com/sites/new.php contains code.

 

Cross Site Scripting:

There is Cross Site Scripting on http://www.games4uonline.com/sites/upload/flash_upload.php if the folder field contains code.

 

Cross Site Scripting:

There is Cross Site Scripting on http://www.games4uonline.com/sites/upload/flash_upload.php if the myFile3 field contains code.

 

Cross Site Scripting:

There is Cross Site Scripting on http://www.games4uonline.com/sites/upload/flash_upload.php if the submit field contains code.

 

Cross Site Scripting:

http://www.games4uonline.com/sites/writenew.php?file='><marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

There is Cross Site Scripting if the Expect header contains code.

 

Cross Site Scripting

There is Cross Site Scripting if the Folder Name field on http://www.games4uonline.com/sites/newfolder.php contains code.

 

Cross Site Scripting:

There is Cross Site Scripting if your username contains code.

 

Directory Traversal:

http://www.games4uonline.com/sites/new.php?folder=../

 

Directory Traversal:

http://www.games4uonline.com/sites/newfolder.php?folder=../

 

Directory Traversal:

http://www.games4uonline.com/sites/writenew.php?file=../index.html

 

Directory Traversal

You can make folders in any directory by registering with the username set to ../filename.

 

DOS:

There is a DOS when you register.

 

Full Path Disclosure:

http://www.games4uonline.com/sites/login/register2.php

Warning: fopen(userpwd.txt) [function.fopen]: failed to open stream: Permission denied in /home/users/uks51756/html/games4uonline.com/sites/login/common.php on line 11

 

Warning: rewind(): supplied argument is not a valid stream resource in /home/users/uks51756/html/games4uonline.com/sites/login/common.php on line 12

 

Warning: feof(): supplied argument is not a valid stream resource in /home/users/uks51756/html/games4uonline.com/sites/login/common.php on line 14

 

Warning: fgets(): supplied argument is not a valid stream resource in /home/users/uks51756/html/games4uonline.com/sites/login/common.php on line 15

 

Warning: fclose(): supplied argument is not a valid stream resource in /home/users/uks51756/html/games4uonline.com/sites/login/common.php on line 32

 

Warning: mkdir(../) [function.mkdir]: File exists in /home/users/uks51756/html/games4uonline.com/sites/login/common.php on line 34

 

Warning: chmod() [function.chmod]: Operation not permitted in /home/users/uks51756/html/games4uonline.com/sites/login/common.php on line 35

 

Full Path Disclosure:

http://www.games4uonline.com/sites/write.php

Warning: fopen(/home/users/uks51756/html/games4uonline.com/sites//) [function.fopen]: failed to open stream: Is a directory in /home/users/uks51756/html/games4uonline.com/sites/write.php on line 17

 

Warning: chmod() [function.chmod]: Operation not permitted in /home/users/uks51756/html/games4uonline.com/sites/write.php on line 18

 

Warning: fwrite(): supplied argument is not a valid stream resource in /home/users/uks51756/html/games4uonline.com/sites/write.php on line 20

 

Warning: chmod() [function.chmod]: Operation not permitted in /home/users/uks51756/html/games4uonline.com/sites/write.php on line 21

 

Warning: Cannot modify header information - headers already sent by (output started at /home/users/uks51756/html/games4uonline.com/sites/write.php:17) in /home/users/uks51756/html/games4uonline.com/sites/write.php on line 23

 

Full Path Disclosure:

http://www.games4uonline.com/sites/writenew.php?file=a

Warning: file_get_contents(/home/users/uks51756/html/games4uonline.com/sites//a) [function.file-get-contents]: failed to open stream: No such file or directory in /home/users/uks51756/html/games4uonline.com/sites/writenew.php on line 8

 

Full Path Disclosure:

There is Full Path Disclosure when you register.

Warning: fopen(userpwd.txt) [function.fopen]: failed to open stream: Permission denied in /home/users/uks51756/html/games4uonline.com/sites/login/common.php on line 11

 

Warning: rewind(): supplied argument is not a valid stream resource in /home/users/uks51756/html/games4uonline.com/sites/login/common.php on line 12

 

Warning: feof(): supplied argument is not a valid stream resource in /home/users/uks51756/html/games4uonline.com/sites/login/common.php on line 14

 

Warning: fgets(): supplied argument is not a valid stream resource in /home/users/uks51756/html/games4uonline.com/sites/login/common.php on line 15

 

Full Path Disclosure:

There is Full Path Disclosure when you register if you submit a null username.

Warning: fopen(userpwd.txt) [function.fopen]: failed to open stream: Permission denied in /home/users/uks51756/html/games4uonline.com/sites/login/common.php on line 11

 

Warning: rewind(): supplied argument is not a valid stream resource in /home/users/uks51756/html/games4uonline.com/sites/login/common.php on line 12

 

Warning: feof(): supplied argument is not a valid stream resource in /home/users/uks51756/html/games4uonline.com/sites/login/common.php on line 14

 

Warning: fgets(): supplied argument is not a valid stream resource in /home/users/uks51756/html/games4uonline.com/sites/login/common.php on line 15

 

Warning: fclose(): supplied argument is not a valid stream resource in /home/users/uks51756/html/games4uonline.com/sites/login/common.php on line 32

 

Warning: mkdir(../) [function.mkdir]: File exists in /home/users/uks51756/html/games4uonline.com/sites/login/common.php on line 34

 

Warning: chmod() [function.chmod]: Operation not permitted in /home/users/uks51756/html/games4uonline.com/sites/login/common.php on line 35

 

Full Path Disclosure:

There is Full Path Disclosure when you register if your username has already been registered.

Warning: mkdir(../agentsteal) [function.mkdir]: File exists in /home/users/uks51756/html/games4uonline.com/sites/login/common.php on line 34

 

Full Path Disclosure:

There is Full Path Disclosure when you register if your username is the name of a folder.

Warning: mkdir(../login) [function.mkdir]: File exists in /home/users/uks51756/html/games4uonline.com/sites/login/common.php on line 34

 

Warning: chmod() [function.chmod]: Operation not permitted in /home/users/uks51756/html/games4uonline.com/sites/login/common.php on line 35

 

Includes Directory:

http://www.games4uonline.com/sites/login/

 

Insecure Cookie:

You shouldn't put the IP address in the cookie.

 

There is a list of usernames and passwords:

http://www.games4uonline.com/sites/login/userpwd.txt

 

You can make files and folders on the site.

http://www.games4uonline.com/sites/files.php

POC:

http://www.games4uonline.com/sites/agentsteal.html

 

You can make folders on the site by registering with the username set to the filename.

 

You can edit files on the site.

http://www.games4uonline.com/sites/writenew.php?file=index.htm


How could you edit this script so that it would only let the user's folder be edited, and nowhere else?

 

<?php
error_reporting(0);
session_start();
$user = $_SESSION['userName'];
$file = $_POST['file'];   // taken from the request and used in the path as-is
$CurDir = dirname(__FILE__);
if ($_POST['folder'] != '') {
	$user = $user . '/' . $_POST['folder'];   // folder is appended as-is too
} else {
	$user = $user;
}
$NewDir = "$CurDir/$user";
$filepath = $NewDir."/".$file;

// Create the target directory if it does not exist yet
if (!file_exists($NewDir) && !is_dir($NewDir) ) mkdir($NewDir, 0755);

if( is_dir($NewDir) )
{
	if (is_writable($NewDir))
	{
		if ($_POST['folder'] != '') {
			$folder = $_POST['folder'];
		} else {
			$folder = '';
		}
		// 'x+' creates the file and fails if it already exists
		if (!$handle = fopen($filepath, 'x+'))
		{
			echo "<center><font face='verdana' size='2'>The file $file already exists, edit it <a href='writenew.php?file=" . $folder . "" . $file . "' style='border-bottom: dotted #000000 1px; text-decoration: none;'><font color='000000'>here</a>";
			exit;
		}

		echo "<center><font face='verdana' size='2'>Success, made a new file $file, edit it <a href='writenew.php?file=" . $folder . "" . $file . "' style='border-bottom: dotted #000000 1px; text-decoration: none;'><font color='000000'>here</a>";

		fclose($handle);

	} else {
		echo "<center><font face='verdana' size='2'>The file $file could not be made";
	}
}
?>

 

thanks
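
One way to do what the post above asks, as an added example that is not part of the original thread or the site's own code: validate each path component against an allowlist, resolve the directory, and refuse anything that does not stay under the logged-in user's folder. The function name `confine_to_user_dir()`, the allowed character set and the requirement that the user's folder (and any subfolder) already exists are assumptions.

```php
<?php
// Added example, not the site's code. confine_to_user_dir() and the name
// allowlist are assumptions made for illustration.
// Returns an absolute path for $file inside $sitesDir/$user[/$folder],
// or null when any part could leave that user's directory.
function confine_to_user_dir(string $sitesDir, $user, $folder, $file): ?string
{
    // A request such as file[]=x arrives as an array; accept strings only.
    foreach ([$user, $folder, $file] as $part) {
        if (!is_string($part)) {
            return null;
        }
    }
    // One path component each: no slashes, no leading dot, so "../" and
    // dotfiles fail. \A and \z also stop a trailing newline slipping through.
    $name = '/\A[A-Za-z0-9_-][A-Za-z0-9._-]{0,63}\z/';
    if (!preg_match($name, $user) || !preg_match($name, $file)) {
        return null;
    }
    if ($folder !== '' && !preg_match($name, $folder)) {
        return null;
    }
    // Resolve symlinks, then check the result still sits under the user's base.
    $base = realpath($sitesDir . '/' . $user);
    $dir  = $base === false ? false : realpath($base . '/' . $folder);
    if ($dir === false || !is_dir($dir)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($dir !== $base && strncmp($dir, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $dir . DIRECTORY_SEPARATOR . $file;
}

// Constructed demo: a throwaway tree standing in for the sites/ directory.
$root = sys_get_temp_dir() . '/confine_demo_' . getmypid();
mkdir("$root/alice", 0755, true);
$cases = [
    ['alice', '', 'index.html'],      // allowed
    ['alice', '', '../index.html'],   // traversal in the file name
    ['alice', '../', 'x.html'],       // traversal in the folder name
    ['../login', '', 'common.php'],   // traversal in the username
    ['alice', '', ['x']],             // file[] array instead of a string
];
foreach ($cases as [$u, $d, $f]) {
    echo json_encode([$u, $d, $f]), ' => ', confine_to_user_dir($root, $u, $d, $f) ?? 'REJECTED', "\n";
}
rmdir("$root/alice"); rmdir($root);
```

In the posted script this would take the place of the `$NewDir` / `$filepath` concatenation, called with `dirname(__FILE__)`, `$_SESSION['userName']`, `$_POST['folder']` and `$_POST['file']`, with a null result ending the request before `mkdir` or `fopen` runs. The same allowlist applied at registration keeps `../` out of usernames, though names that collide with existing folders such as `login` still need a separate check there.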
