Coreye, posted November 5, 2007:

Hey,

Basically I need you guys to find any security holes or vulnerabilities you can in an open source user system that I have been working on with another person. Right now it's just registration and login.

Here's the demo link: http://www.scriptscribes.net/projects/us/user_system.php
Username: demo
Password: demo

Also, if you would like to download the actual script itself to test the installation feature for holes and/or to view the code, you can get it at http://us.scriptscribes.net/demo.zip or http://us.scriptscribes.net/demo.rar.

The script works best in Firefox.

Thanks,
Corey
php_tom, posted November 5, 2007:

If I log in with username: Administrator and password: Administrator it says "logged in successfully..."
Coreye (thread author), posted November 5, 2007:

> If I log in with username: Administrator and password: Administrator it says "logged in successfully..."

Yeah, that's the default account. It's not a bug. The admin account is for later use once we make the admin panel.
agentsteal, posted November 5, 2007:

Cross Site Scripting: http://us.scriptscribes.net/_<marquee>vulnerable</marquee>

Full Path Disclosure: http://www.scriptscribes.net/projects/us/user_system/modules/acp.php
Fatal error: Call to a member function get_info() on a non-object in /home/scriptsc/public_html/projects/us/user_system/modules/acp.php on line 2

User Enumeration: http://www.scriptscribes.net/~nobody
User Enumeration: http://www.scriptscribes.net/~root
User Enumeration: http://www.scriptscribes.net/~scriptsc
Coreye (thread author), posted November 6, 2007:

> Full Path Disclosure: http://www.scriptscribes.net/projects/us/user_system/modules/acp.php
> Fatal error: Call to a member function get_info() on a non-object in /home/scriptsc/public_html/projects/us/user_system/modules/acp.php on line 2
> Cross Site Scripting: http://us.scriptscribes.net/_<marquee>vulnerable
> User Enumeration: http://www.scriptscribes.net/~root/
> User Enumeration: http://www.scriptscribes.net/~scriptsc/
> User Enumeration: http://www.scriptscribes.net/~nobody/

The full path disclosure for the acp is fixed. The cross site scripting flaw will be fixed once we add our new site, and user enumeration will be fixed sometime tomorrow.

Anyone else find any more security holes or vulnerabilities for the actual user system script itself?

Thanks,
Corey
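The two PHP-side findings in this thread, the fatal error that prints the server path when modules/acp.php is requested directly and the request path being reflected into HTML, both have short, standard fixes. The block below is an added illustration, not code from the user system or its authors; the constant IN_USER_SYSTEM, the $user variable, and the assumption that $_SERVER['REQUEST_URI'] is what gets echoed are mine, since the thread does not show the script's source.

```php
<?php
// Added example, not the script's own code. Sketches modules/acp.php as a
// module that must only ever be included by the entry script
// (user_system.php). IN_USER_SYSTEM and $user are assumed names.

// --- 1. Full path disclosure -------------------------------------------
// "Call to a member function get_info() on a non-object" means the module
// uses an object ($user here) that only the including script creates.
// Requested directly, $user is unset, the call is fatal, and with
// display_errors on PHP prints the absolute path of the file.

// (a) Refuse direct requests. The entry script does
//     define('IN_USER_SYSTEM', true); before include 'modules/acp.php';
if (!defined('IN_USER_SYSTEM')) {
    header('HTTP/1.1 403 Forbidden');
    exit('Direct access is not permitted.');
}

// (b) Even when something does go fatal, keep the detail in the server
//     log rather than in the response (normally set in php.ini).
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// (c) Check the precondition instead of assuming it.
if (!isset($user) || !is_object($user)) {
    error_log('acp.php included without an authenticated $user');
    header('HTTP/1.1 500 Internal Server Error');
    exit('Internal error.');
}
$info = $user->get_info(); // safe to call now

// --- 2. Reflected cross-site scripting ---------------------------------
// A <marquee> in the request path rendering as markup shows that part of
// the URL is echoed into HTML unencoded. Encode every request-derived
// value at the point it enters HTML.
function h($s)
{
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern:  echo 'You requested ' . $_SERVER['REQUEST_URI'];
// Hardened:
echo 'You requested ' . h($_SERVER['REQUEST_URI']);
```

The ~user enumeration is Apache mod_userdir behaviour rather than anything in the PHP: `UserDir disabled` in the Apache configuration (re-enabled only for named accounts if needed) stops the server from answering differently for existing and non-existing system users.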