Looking for someone to test old forum.

[Demonic]

Well yeah some kids like this old sloppy coded forum so I'll just patch what ever I can until Summer 08 when I estimate when my new forum will be released in PHP 5 OOP.

 

https://sourceforge.net/projects/nevuxab

 

Download, run the installer.php, chmod config.php to 0777 if necessary.

 

Post all the vulns that you find so I can patch.

[Demonic]

-.- if you don't really want to install please least use my test board:

 

http://youcade.net/nab/index.php

[Coreye]

Hey,

 

The captcha on the registration page doesn't seem to be working.

[Demonic]

Okay Thanks, I'll check it out now.

 

Something is up with this free hosting, check here: http://nab.geekrack.net.  Thanks.

[Coreye]

Banned!

Hacking Logged.

You are attempting to hack this BB you are now logged and banned until further notice!

The file "/templates/footer.tpl" doesn't exist.

On Line: 7 In file: /home/youcade/public_html/nab/classes/template.php

Doesn't actually ban you.

 

http://youcade.net/nab/index.php?act=viewforum&id=1%20UNION%20ALL%20SELECT%20null,null,null,null,null,null,null,null%20FROM%20blah

On Line: 7 In file: /home/youcade/public_html/nab/classes/template.php

[agentsteal]

CAPTCHA:

The CAPTCHA never changes.

 

Cross Site Scripting:

There is Cross Site Scripting on http://nab.geekrack.net/ip.php if the ip address field contains code.

 

Full Path Disclosure:

http://www.youcade.net/nab/index.php?act=newtopic

The file "/templates/footer.tpl" doesn't exist.

On Line: 7 In file: /home/youcade/public_html/nab/classes/template.php

 

Full Path Disclosure:

http://www.youcade.net/nab/index.php?act=topicshow&id=a

The file "/templates/footer.tpl" doesn't exist.

On Line: 7 In file: /home/youcade/public_html/nab/classes/template.php

 

Full Path Disclosure:

http://www.youcade.net/nab/index.php?act=viewforum

The file "/templates/footer.tpl" doesn't exist.

On Line: 7 In file: /home/youcade/public_html/nab/classes/template.php

 

SQL Error:

http://nab.geekrack.net/index.php?act=viewforum&id=1&p=a

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-7,7' at line 1

 

User Enumeration:

http://www.youcade.net/~root

 

User Enumeration:

http://www.youcade.net/~youcade

[Coreye]

Still can't register. Just says

Your verification characters were incorrect. Please go back and try again. If you can't see the characters, refresh else contact the administrator.

 

 

http://nab.geekrack.net/index.php?act=viewforum&id=4&p='

http://nab.geekrack.net/index.php?act=viewforum&id=4&p=00

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-7,7' at line 1

 

http://nab.geekrack.net/index.php?act=viewforum&id=b

Banned!

Hacking Logged.

You are attempting to hack this BB you are now logged and banned until further notice!

The file "/templates/footer.tpl" doesn't exist.

On Line: 7 In file: /home/nab/public_html/classes/template.php

[Demonic]

Still can't register. Just says

 

I can reg fine O-o..

 

Banned!

Hacking Logged.

You are attempting to hack this BB you are now logged and banned until further notice!

The file "/templates/footer.tpl" doesn't exist.

On Line: 7 In file: /home/nab/public_html/classes/template.php

 

Forgot to remove that error.

 

 

User Enumeration:

http://www.youcade.net/~root

 

User Enumeration:

http://www.youcade.net/~youcade

 

What exactly is user enumeration?  because all sites does that for me...

[Coreye]

Is it just me or are all the captchas the same? 6JFK and 6JFKW8. Maybe I need to clear my cache.

[Demonic]

Not the same for me  ???

[Demonic]

youcade.net is on nab.geekrack.net:

http://nab.geekrack.net/styles/pro/

 

lol..no its not, check whois.  And captcha isn't always the same..

 

maybe the captcha is always that same O_o, going to rewrite me one.

[Demonic]

Okay Fixed all them errors besides the captcha.

[Coreye]

Add an index. http://nab.geekrack.net/functions/

[Demonic]

Add an index. http://nab.geekrack.net/functions/

 

Yeah will do.

[Coreye]

Add index. http://nab.geekrack.net/sources/admin/

[Demonic]

Thanks, done.

[Coreye]

Not sure if this works... but shouldn't be accessible. http://nab.geekrack.net/ip.php.

[Demonic]

oh snap rofl.. that was test code .

 

<?php
if(!isset($_POST['p']))
{
	echo
	("
		<form method='post' action=''>
			<textarea name='ip'></textarea><br />
			<input type='submit' name='p' value='Ban IPs' />
		</form>
	");
}
else
{
	$ips = split("\n",$_POST['ip']);
	foreach($ips as $ip)
	{
		echo "$ip <br />";
	}
}
?>

[Demonic]

http://nab.geekrack.net/ip.php is vulnerable to Cross Site Scripting if you submit code in the ip address field.

 

rofl, not its not, that was just some extra test code left on the server..(plus there isn't even a action..)[imma delete the file..]

[Coreye]

This was in a file.

 

Domain: nab.geekrack.net

| Ip: 74.53.139.226 

| HasCgi: y

| UserName: removed

| PassWord: removed

| CpanelMod: x3

| HomeRoot: /home

| Quota: 100 Meg

| NameServer1: srv1.geekrack.net

| NameServer2: srv2.geekrack.net

| NameServer3:

| NameServer4:

| Contact Email: scheols@gmail.com

[Demonic]

really wth

 

edit; pm me details.

 

thanks though ...

[Demonic]

Think I'm about to release nab 1.4.5.  Thanks guys, if you find any more vulns and what not let me know.

 

1.4.5 can be downloaded here: https://sourceforge.net/project/showfiles.php?group_id=209549

[Coreye]

Nothing big really... But you can see board titles you don't have access to. http://nab.geekrack.net/index.php?act=viewforum&id=2.

» Index » NAB 2.0

[Demonic]

Nothing big really... But you can see board titles you don't have access to. http://nab.geekrack.net/index.php?act=viewforum&id=2.

» Index » NAB 2.0

 

I might disable it, thanks for pointing it out though.

[Coreye]

Same thing with posts.

» Index » NAB 2.0 » Plan Release of Nevux AB 2.0