thryb Posted October 19, 2007
Can anyone test www.writebush.com? We put it online but I'm not sure if it's secure. See if there are any bugs/SQL injection etc. Thanks.
https://forums.phpfreaks.com/topic/73968-wwwwritebushcom/
agentsteal Posted October 19, 2007

Array: http://www.writebush.com/search.php?words[]

Cross Site Scripting: http://www.writebush.com/search/"><marquee><h1>vulnerable</marquee>

Full Path Disclosure: http://www.writebush.com/search.php?cmd[]
Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /var/www/virtual/writebush.com/htdocs/search.php on line 210

Full Path Disclosure: http://www.writebush.com/search.php?words[]
Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /var/www/virtual/writebush.com/htdocs/search.php on line 210

Full Path Disclosure: http://www.writebush.com/theletter.php?page
Warning: mysql_numrows(): supplied argument is not a valid MySQL result resource in /var/www/virtual/writebush.com/htdocs/theletter.php on line 231
Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in /var/www/virtual/writebush.com/htdocs/theletter.php on line 239

Full Path Disclosure: http://www.writebush.com/theletter.php?page[]
Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /var/www/virtual/writebush.com/htdocs/theletter.php on line 219
Fatal error: Unsupported operand types in /var/www/virtual/writebush.com/htdocs/theletter.php on line 225
thryb (Author) Posted October 19, 2007
How do you fix the path disclosure, please?
clanstyles Posted October 19, 2007
Can you also do something like

// isset() first, so a missing parameter does not trigger an undefined-index notice
if (isset($_GET['parameter']) && !is_array($_GET['parameter'])) {
    echo "FUN";
}

Would that work also? Or is yours better? And why?
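A PHP sketch of the fixes asked about in the two posts above (hiding the warnings that leak the /var/www/... paths, and the isset()/is_array() check wrapped in a helper), added here as an example rather than code from the thread or from writebush.com; the script layout, table and column names, and database credentials are assumptions:

```php
<?php
// Added example, not code from the thread or from writebush.com. Assumes a
// search.php-style script reading ?words= and ?page=; the table, column and
// database credentials are placeholders.

// 1. The leaked /var/www/... paths come from PHP warnings printed to the page.
//    Log them instead of displaying them (set display_errors=Off in php.ini too,
//    since ini_set() cannot catch errors raised before the script starts).
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// Return $_GET[$name] only when it is present and a plain string.
// ?name[] arrives as an array, which is what made mysql_real_escape_string()
// warn; isset() runs first so a missing key raises no notice either.
function get_string(string $name, string $default = ''): string
{
    if (!isset($_GET[$name]) || !is_string($_GET[$name])) {
        return $default;
    }
    return $_GET[$name];
}

// Same idea for numeric parameters such as ?page=: digits only, at least 1.
function get_int(string $name, int $default = 1): int
{
    $raw = get_string($name, '');
    return ($raw !== '' && ctype_digit($raw)) ? max(1, (int) $raw) : $default;
}

$words = get_string('words');
$page  = get_int('page');

// 2. Query through a prepared statement (PDO, placeholder credentials) so the
//    search term is never spliced into SQL; the offset is an int we computed.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$offset = ($page - 1) * 10;
$stmt = $pdo->prepare("SELECT title FROM letters WHERE body LIKE ? LIMIT $offset, 10");
$stmt->execute(['%' . $words . '%']);

// 3. Escape on output, which is what stops the "><marquee> payload from the
//    thread from rendering as HTML.
echo 'Results for ', htmlspecialchars($words, ENT_QUOTES, 'UTF-8'), "\n";
foreach ($stmt as $row) {
    echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

With display_errors off, a database failure still ends the request (PDO throws), but the message goes to the error log rather than to the visitor.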
thryb (Author) Posted October 19, 2007
kk tx Agent, gonna fix this.