
http://diondesign.net/shoutboxer/iframe.html

 

It is a PHP/AJAX/MySQL shoutbox script that is fully customizable.

 

Please test for security bugs and other flaws.

 

If anyone wants to volunteer for testing out the admin control panel, please say so in a reply and I will PM you the admin password.

https://forums.phpfreaks.com/topic/75227-solved-my-shoutbox-script/

Cross Site Scripting:

There is Cross Site Scripting in the messages if the name contains code.

 

Cross Site Scripting:

There is Cross Site Scripting if the namecookie cookie contains ">code.

 

Cross Site Scripting:

There is Cross Site Scripting in the admin panel if the Maximum name length field contains ">code.

 

Cross Site Scripting:

There is Cross Site Scripting in the shoutbox if the Maximum name length field contains ">code.

 

Cross Site Scripting:

There is Cross Site Scripting in the admin panel if the Number of shouts to display field contains ">code.

 

Cross Site Scripting:

There is Cross Site Scripting in the admin panel if the Maximum shout length field contains ">code.

 

Cross Site Scripting:

There is Cross Site Scripting in the shoutbox if the Maximum shout length field contains ">code.

 

Cross Site Scripting:

There is Cross Site Scripting in the admin panel if the Add a space in words longer than (chars) field contains ">code.

 

There is Cross Site Scripting in the admin panel if the Main text color (hex) field contains ">code.

 

There is Cross Site Scripting in the shoutbox if the Main text color (hex) field contains </style>code.

 

There is Cross Site Scripting in the admin panel if the Main text font family field contains ">code.

 

There is Cross Site Scripting in the shoutbox if the Main text font family field contains </style>code.

 

There is Cross Site Scripting in the admin panel if the Main text font size (pt) field contains ">code.

 

There is Cross Site Scripting in the shoutbox if the Main text font size (pt) field contains </style>code.

 

There is Cross Site Scripting in the admin panel if the Shoutboxer border color (hex) field contains ">code.

 

There is Cross Site Scripting in the shoutbox if the Shoutboxer border color (hex) field contains </style>code.

 

There is Cross Site Scripting in the admin panel if the Shoutboxer border size (px) field contains ">code.

 

There is Cross Site Scripting in the shoutbox if the Shoutboxer border size (px) field contains </style>code.

 

There is Cross Site Scripting in the admin panel if the Header writing field contains ">code.

 

There is Cross Site Scripting in the shoutbox if the Header writing field contains code.

 

There is Cross Site Scripting in the admin panel if the Header background color (hex) field contains ">code.

 

There is Cross Site Scripting in the shoutbox if the Header background color (hex) field contains </style>code.

 

There is Cross Site Scripting in the admin panel if the Header text color (hex) field contains ">code.

 

There is Cross Site Scripting in the shoutbox if the Header text color (hex) field contains </style>code.

 

There is Cross Site Scripting in the admin panel if the Shout button value field contains ">code.

 

There is Cross Site Scripting in the shoutbox if the Shout button value field contains ">code.

 

There is Cross Site Scripting in the admin panel if the Main form background color (hex) field contains ">code.

 

There is Cross Site Scripting in the shoutbox if the Main form background color (hex) field contains </style>code.

 

There is Cross Site Scripting in the admin panel if the Form input background color (hex) field contains ">code.

 

There is Cross Site Scripting in the shoutbox if the Form input background color (hex) field contains </style>code.

 

There is Cross Site Scripting in the admin panel if the Form input border color (hex) field contains ">code.

 

There is Cross Site Scripting in the shoutbox if the Form input border color (hex) field contains </style>code.

 

There is Cross Site Scripting in the admin panel if the Form input border size (px) field contains ">code.

 

There is Cross Site Scripting in the shoutbox if the Form input border size (px) field contains </style>code.

 

There is Cross Site Scripting in the admin panel if the Form input text color (hex) field contains ">code.

 

There is Cross Site Scripting in the shoutbox if the Form input text color (hex) field contains </style>code.

 

There is Cross Site Scripting in the admin panel if the First shout row background color (hex) field contains ">code.

 

There is Cross Site Scripting in the shoutbox if the First shout row background color (hex) field contains </style>code.

 

There is Cross Site Scripting in the admin panel if the Alternating shout row background color (hex) field contains ">code.

 

There is Cross Site Scripting in the shoutbox if the Alternating shout row background color (hex) field contains </style>code.

 

There is Cross Site Scripting in the admin panel if the Ban notification text color (hex) field contains ">code.

 

There is Cross Site Scripting in the shoutbox if the Ban notification text color (hex) field contains </style>code.

 

Cross Site Scripting:

There is Cross Site Scripting if the Sort by drop down menus contain code.

 

Cross Site Scripting:

There is Cross Site Scripting if the Sort by drop down menus contain ">code.

 

Cross Site Scripting:

There is Cross Site Scripting if the Shouts per page field contains code.

 

Cross Site Scripting:

There is Cross Site Scripting if you ban a word that contains code.

 

Cross Site Scripting:

There is Cross Site Scripting if you ban an ip address that contains code.

 

Drop Down Menu:

If you edit the Order drop down menu you can submit arbitrary values.

 

Drop Down Menu:

If you edit the Sort by drop down menu you can submit arbitrary values.

 

Full Path Disclosure:

http://www.diondesign.net/index.php?p=contact

Fatal error: Call to undefined function contactpage() in /home/kjdion/public_html/index.php on line 210

 

Full Path Disclosure:

http://www.diondesign.net/index.php?p=images

Fatal error: Call to undefined function imagespage() in /home/kjdion/public_html/index.php on line 206

 

Full Path Disclosure:

http://www.diondesign.net/index.php?p=scripts

Fatal error: Call to undefined function scriptspage() in /home/kjdion/public_html/index.php on line 198

 

Full Path Disclosure:

http://www.diondesign.net/index.php?p=services

Fatal error: Call to undefined function servicespage() in /home/kjdion/public_html/index.php on line 194

 

Full Path Disclosure:

http://www.diondesign.net/index.php?p=websites

Fatal error: Call to undefined function websitespage() in /home/kjdion/public_html/index.php on line 202

 

Full Path Disclosure:

http://www.diondesign.net/shoutboxer/sbxr_get.php

Warning: mysql_query() [function.mysql-query]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/kjdion/public_html/shoutboxer/sbxr_get.php on line 11

 

Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/kjdion/public_html/shoutboxer/sbxr_get.php on line 11

 

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/kjdion/public_html/shoutboxer/sbxr_get.php on line 13

 

Warning: mysql_query() [function.mysql-query]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/kjdion/public_html/shoutboxer/sbxr_get.php on line 20

 

Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/kjdion/public_html/shoutboxer/sbxr_get.php on line 20

 

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/kjdion/public_html/shoutboxer/sbxr_get.php on line 23

 

Warning: mysql_query() [function.mysql-query]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/kjdion/public_html/shoutboxer/sbxr_get.php on line 91

 

Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/kjdion/public_html/shoutboxer/sbxr_get.php on line 91

 

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/kjdion/public_html/shoutboxer/sbxr_get.php on line 98

There are currently no shouts in the database to display

 

Full Path Disclosure:

http://www.diondesign.net/shoutboxer/sbxr_send.php

Warning: preg_replace() [function.preg-replace]: Empty regular expression in /home/kjdion/public_html/shoutboxer/sbxr_send.php on line 6

 

Warning: preg_replace() [function.preg-replace]: Empty regular expression in /home/kjdion/public_html/shoutboxer/sbxr_send.php on line 8

 

Warning: Cannot modify header information - headers already sent by (output started at /home/kjdion/public_html/shoutboxer/sbxr_send.php:6) in /home/kjdion/public_html/shoutboxer/sbxr_send.php on line 13

 

Full Path Disclosure:

There is Full Path Disclosure if the PHPSESSID cookie is set to an invalid value.

Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/kjdion/public_html/shoutboxer/admin/index.php on line 2

 

Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /home/kjdion/public_html/shoutboxer/admin/index.php:2) in /home/kjdion/public_html/shoutboxer/admin/index.php on line 2

 

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/kjdion/public_html/shoutboxer/admin/index.php:2) in /home/kjdion/public_html/shoutboxer/admin/index.php on line 2

 

Full Path Disclosure:

There is Full Path Disclosure if the Number of shouts to display in the admin panel is set to an invalid value.

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/kjdion/public_html/shoutboxer/sbxr_get.php on line 98

 

Full Path Disclosure:

There is Full Path Disclosure if the Shouts per page field contains an invalid value.

Warning: Division by zero in /home/kjdion/public_html/shoutboxer/admin/index.php on line 903

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-0, \'' at line 1

 

Maximum Length:

If you edit the fields in the admin panel you can remove the maximum lengths.

 

Maximum Length:

If you edit the message field you can remove the maximum length.

 

Maximum Length:

If you edit the name field you can remove the maximum length.

 

SQL Error:

There is an SQL Error in the admin panel if there are no messages.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-25, 25' at line 1

 

SQL Error:

There is an SQL Error if the Order drop down menus contain an invalid value.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' LIMIT 0, 25' at line 1

 

SQL Error:

There is an SQL Error if the Sort by drop down menus contain an invalid value.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' asc LIMIT 0, 25' at line 1

 

User Enumeration:

http://www.diondesign.net/~kjdion

I believe I have everything fixed except for this:

 

"if you set PHPSESSID in the cookie to an invalid value"

 

How do I fix this? I searched Google but had no luck finding a solution.

 

I'm guessing I have to create some sort of validation at the top of the page that checks whether or not it contains alphanumeric values and dashes?
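One way to do the check asked about above, written as an added example rather than code from the Shoutboxer script: validate the session cookie against the character set named in PHP's own warning before calling session_start(), and stop displaying warnings so that no path is disclosed even when something else fails. It assumes the default session name PHPSESSID and PHP 7 or newer for random_bytes().

```php
<?php
// Added example (not Shoutboxer's own code). Must run before any output.

// Turning off display_errors removes every "Full Path Disclosure" item in the
// thread at once: warnings still go to the error log, not to the visitor.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * True when $id uses only the characters PHP's warning lists as valid for a
 * session id: a-z, A-Z, 0-9, '-' and ','. The 128-char ceiling is an assumed
 * sanity bound; PHP's generated ids are much shorter.
 */
function is_valid_session_id($id)
{
    return is_string($id) && preg_match('/^[a-zA-Z0-9,-]{1,128}$/', $id) === 1;
}

/**
 * Start the session without letting a malformed cookie value reach the
 * session handler. A bad id is dropped and replaced by a server-chosen one,
 * so the "session id contains illegal characters" warning never fires and
 * the follow-on "headers already sent" warnings disappear with it.
 */
function safe_session_start()
{
    $name = session_name();                     // 'PHPSESSID' by default
    if (isset($_COOKIE[$name]) && !is_valid_session_id($_COOKIE[$name])) {
        unset($_COOKIE[$name]);                 // PHP reads the id from $_COOKIE
        session_id(bin2hex(random_bytes(16)));  // fresh id, 32 hex characters
    }
    session_start();
}

safe_session_start();
```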

If you edit the name field you can submit a name that is longer than the maximum length.

 

If you edit the message field you can submit a message that is longer than the maximum length.

 

If you edit the input boxes in the admin panel you can submit values that are longer than the maximum length.

 

If you edit the "Sort by" drop down menu you can submit arbitrary values.

 

If you edit the "Order" drop down menu you can submit arbitrary values.

 

I don't know what you mean by this... how are you editing these fields even after I've made it so you cannot use XSS?

 

There is an SQL error if you submit an invalid value in the "Sort by" drop down menu.

 

There is an SQL error if you submit an invalid value in the "Order" drop down menu.

 

How are you submitting a value other than one you can select in the drop down menu?

 

I don't know how you're doing this stuff, so it's hard for me to fix it.
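The length, drop-down and colour findings in this thread all come from the same root cause: maxlength attributes and select options only constrain a cooperative browser, so the server has to re-check every value it receives. The following added example (not Shoutboxer's code; column names, field names and the limits are assumed) shows whitelisting the sort and order parameters, enforcing lengths and numeric ranges server-side, validating hex colours before they reach a style block, and encoding values before they go back into HTML.

```php
<?php
// Added example, not the Shoutboxer script. All field and column names assumed.

$sortColumns = array('id', 'name', 'time');   // assumed columns the UI offers
$orders      = array('asc', 'desc');

/** Return $value only if it is in the whitelist, else the default. */
function pick_whitelisted($value, array $allowed, $default)
{
    return in_array($value, $allowed, true) ? $value : $default;
}

/** Cap length in bytes regardless of what the form's maxlength claimed. */
function clamp_length($value, $max)
{
    $value = (string) $value;
    return strlen($value) > $max ? substr($value, 0, $max) : $value;
}

/** Accept only "#abc" / "#aabbcc" style colours, so "</style>" can never be emitted. */
function valid_hex_color($value, $default)
{
    return preg_match('/^#?[0-9a-fA-F]{3}([0-9a-fA-F]{3})?$/', (string) $value) ? $value : $default;
}

/** Positive integer or default; rules out "Division by zero" and "LIMIT -25". */
function positive_int($value, $default)
{
    return (ctype_digit((string) $value) && (int) $value > 0) ? (int) $value : $default;
}

/** Encode before placing a value in HTML text or a quoted attribute. */
function h($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Constructed request values (what a form or script might submit).
$sort    = pick_whitelisted(isset($_GET['sort']) ? $_GET['sort'] : '', $sortColumns, 'id');
$order   = pick_whitelisted(isset($_GET['order']) ? $_GET['order'] : '', $orders, 'desc');
$perPage = positive_int(isset($_GET['per_page']) ? $_GET['per_page'] : '', 25);
$name    = clamp_length(isset($_POST['name']) ? $_POST['name'] : '', 20);   // 20 assumed
$color   = valid_hex_color(isset($_POST['text_color']) ? $_POST['text_color'] : '', '#000000');

// Only whitelisted tokens and a checked integer are interpolated here.
$sql = "SELECT * FROM shouts ORDER BY $sort $order LIMIT 0, $perPage";
echo '<style>body { color: ' . $color . '; }</style>';
echo '<input type="text" name="name" maxlength="20" value="' . h($name) . '">';
```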
