
Beta test - myChatbox - try and poke holes


helraizer


Hi folks,

 

I have a part of my site which I can use as a forum signature, or whatever. It is a dynamic image created in php and allows people to post a comment which appears on the image.

 

www.helraizer.co.uk/mychatbox/test/ - not up quite yet - will be soon. Keep trying

 

I have implemented fonts and colours in it to add interest.

 

Can people try and poke holes in it, and offer me ideas for new implementations or improvements?

 

Thanks,

Sam


Admin Access:

Anyone can access the admin panel.

 

Admin Access:

If you add .php in the admin panel as a valid file upload extension you can upload PHP scripts.

 

Cross Site Scripting:

http://www.helraizer.co.uk/test/index.cgi?mode=album&album=<marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://www.helraizer.co.uk/test/index.cgi?mode=image&album=/Sample%20Album&image=<marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://www.helraizer.co.uk/test/index.cgi?mode=search&searchstring="><marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

There is Cross Site Scripting if your username contains ">code.

 

Drop Down Menu:

If you edit the drop down menu on http://www.helraizer.co.uk/test/index.cgi?mode=album&album=%2FSample+Album you can submit arbitrary values.

 

Drop Down Menu:

If you edit the drop down menu on http://www.helraizer.co.uk/test/index.cgi?mode=image&album=%2FSample+Album&image=Orange+Flower.jpg you can submit arbitrary values.

 

Maximum Length:

If you edit the message field you can remove the maximum length.

 

Maximum Length:

If you edit the username field you can remove the maximum length.


serious problem:

Unblocked Admin Panel:

http://www.helraizer.co.uk/test/admin/

 

that's a completely different part of my site that I don't use :P

 

You may have broken it but it's obsolete anyway. ;)

 

Oh bollocks :P I got slightly pwned. ;)

 

As I said in my original post the /mychatbox is up and running but /mychatbox/test isn't yet.

 

SQL injection won't work because I don't use a database.


Sorry for the double post.

 

Anywho, the test version of the mychatbox site isn't working, so I'll do that when I get home. You can test www.helraizer.co.uk/mychatbox/ if you wish.

 

The fact that there is no database involved means SQL injection isn't a problem.

Also cookie theft isn't all too possible either since I don't use cookies :P

 

The XSS problem in the fields: is that merely the '>' character followed by code? Can someone explain that to me?

 

Sam


The XSS problem in the fields: is that merely the '>' character followed by code? Can someone explain that to me?

 

If you send a message and refresh the page a couple times, the username field has your username in it.

 

Here it is in the source code:

<input style="background-color:#1B1B1B; color:#FFFFFF;" id="username" type="text" name="username" onKeyUp="countdown(username, 10, used)" maxlength="10" size="10" value="agentsteal" />

 

So if you send a message with "><code> as your username, the "> closes the tag and the code runs on the page.

<input value=""><code>    " />

 

Yes... I see what you mean. But how do you post values longer than the maximum length?


I've fixed it and thus stopped any attempts at XSS: the ' " > & < characters in the username now get converted to HTML entities and then decoded when they go into the image. So the ' " < > & characters should appear as they are in both the username field and the image; however, in the source they are turned into their HTML codes, so &#039; " < > &.

 

Any other holes in it that people can find?


But how do you post values longer than the maximum length?

I sent a POST request to the script with the username and message set to really long values. After the values are posted, you should check to make sure they are within the maximum lengths.

 

Ah ok. Would you possibly be able to tell me how you send the false POST request? I will probably have a solution to it, but I need to know how to do that in order to test it.  Enlighten me on how?

 

Thanks for your help,

 

Sam
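Added example, not Sam's code or anything from the site: a PHP handler showing the two server-side checks raised in this thread, rejecting POST values that exceed the limit regardless of the form's maxlength attribute, and escaping the username with htmlspecialchars before it is written back into the input's value attribute. The field names, the error handling and the message limit of 100 are assumptions.

```php
<?php
// Constructed example for the chatbox's form handling (not the original code).
// Assumes the form posts 'username' and 'message' and that the page later
// re-renders the username inside <input ... value="...">.

const MAX_USERNAME = 10;  // matches maxlength="10" on the form
const MAX_MESSAGE  = 100; // assumed limit; the thread does not state the message cap

/**
 * Validate a posted field on the server.
 * The HTML maxlength attribute is only enforced by the browser, so a
 * hand-built POST request can exceed it; the limit must be checked here.
 * Returns the trimmed value, or null if it is missing, empty or too long.
 */
function validate_field(array $post, string $name, int $max): ?string {
    if (!isset($post[$name]) || !is_string($post[$name])) {
        return null;
    }
    $value = trim($post[$name]);
    if ($value === '' || mb_strlen($value, 'UTF-8') > $max) {
        return null; // reject rather than silently truncating
    }
    return $value;
}

/**
 * Escape a value for use inside a double-quoted HTML attribute.
 * htmlspecialchars turns " into &quot; and < > & into entities, so a
 * username such as "><code> can no longer close the tag.
 */
function attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$username = validate_field($_POST, 'username', MAX_USERNAME);
$message  = validate_field($_POST, 'message',  MAX_MESSAGE);

if ($username === null || $message === null) {
    http_response_code(400);
    exit('Invalid username or message.');
}

// Keep the validated text as-is for the image rendering (which needs the
// literal characters) and escape only when emitting HTML.
echo '<input id="username" type="text" name="username" maxlength="10" '
   . 'value="' . attr($username) . '" />';
```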
