Register and Login Security Hole/Vulnerability Test


Coreye


Hey,

Basically I need you guys to find any security holes or vulnerabilities you can in an open source user system that I have been working on with another person. Right now it's just registration and login.

Here's the demo link: http://www.scriptscribes.net/projects/us/user_system.php

Username: demo

Password: demo

Also, if you would like to download the actual script itself to test the installation feature for holes and/or to view the code, you can get it at http://us.scriptscribes.net/demo.zip or http://us.scriptscribes.net/demo.rar.

The script works best in Firefox.

Thanks,

Corey


If I log in with username: Administrator and password: Administrator it says "logged in successfully..."

Yeah, that's the default account. It's not a bug. The admin account is for later use once we make the admin panel.


Cross Site Scripting:

http://us.scriptscribes.net/_<marquee>vulnerable</marquee>

Full Path Disclosure:

http://www.scriptscribes.net/projects/us/user_system/modules/acp.php

Fatal error: Call to a member function get_info() on a non-object in /home/scriptsc/public_html/projects/us/user_system/modules/acp.php on line 2

User Enumeration:

http://www.scriptscribes.net/~nobody

User Enumeration:

http://www.scriptscribes.net/~root

User Enumeration:

http://www.scriptscribes.net/~scriptsc

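As an added example (not code from the user system itself or from any poster in this thread), the PHP sketch below shows the defensive counterpart of each finding reported above: errors kept out of the response body so a fatal error cannot print the absolute path, request data HTML-escaped before it is echoed so the `<marquee>` payload renders as text, and a module guard so `modules/acp.php` cannot be executed on a direct request. The file layout, the `IN_USER_SYSTEM` constant and the `esc()` helper are assumptions; `UserDir disabled` is the real Apache mod_userdir directive that turns off the `~user` paths, which is a web-server setting rather than something the script can fix.

```php
<?php
// Added example, not Coreye's script. Two files are sketched in one block:
// the front controller and the top of a module file.

// --- user_system.php (front controller, assumed layout) ---

// Full path disclosure: a fatal error rendered into the page leaks the
// absolute filesystem path. Errors go to the server log, never to the visitor.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// Modules only make sense when loaded through this file; the constant lets
// each module refuse a direct request (see the guard below).
define('IN_USER_SYSTEM', true);

// Reflected XSS: anything that came from the request is HTML-escaped before
// it is echoed, so "<marquee>" arrives in the browser as text, not markup.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The reported XSS was in an unknown path echoed back; this is the escaped form.
$requested = $_SERVER['REQUEST_URI'] ?? '/';
if (!preg_match('#^/(login|register)(\?|$)#', $requested)) {
    http_response_code(404);
    echo '<p>Page not found: ' . esc($requested) . '</p>';
    exit;
}

// ~user enumeration: that is Apache's mod_userdir, not the script. It is
// switched off in the server configuration with:
//     UserDir disabled

// --- modules/acp.php (first lines of every module file, assumed) ---

// Direct request to the module: exit quietly instead of running code whose
// dependencies (the object whose get_info() was called) were never created,
// which is what produced the fatal error quoted above.
if (!defined('IN_USER_SYSTEM')) {
    http_response_code(403);
    exit;
}
```

With `display_errors` off, the same direct request to `acp.php` would have returned an empty page even without the guard; the guard is still worth having because it stops the module code from running at all, not just from printing.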


The full path disclosure for the acp is fixed. The cross-site scripting flaw will be fixed once we add our new site, and user enumeration will be fixed sometime tomorrow. Anyone else find any more security holes or vulnerabilities in the actual user system script itself?

Thanks,

Corey
