RavenStar Posted November 26, 2007
I'm working on a new site for some friends, and I just want to know if there are any security leaks. Please check if you are able to gain access to anything and report it here.
http://carnagestk.info
Much appreciated, thanks~

agentsteal Posted November 26, 2007
Includes Directory: http://www.carnagestk.info/admin/
Includes Directory: http://www.carnagestk.info/include/
Includes Directory: http://www.carnagestk.info/sql/

RavenStar Posted November 26, 2007
Ok will do, thanks for that. How did you come across those directories? Just guessed? Anything else I should fix? Thank you kindly~

helraizer Posted November 26, 2007
Just as a question. How do you register? You can't view any of the pages without a username, but you can't register, therefore you can't get a username.

RavenStar Posted November 26, 2007
That's the whole point. Accounts are created by admins then mailed to the user.

Liquid Fire Posted November 26, 2007
> Ok will do, thanks for that. How did you come across those directories? Just guessed? Anything else I should fix? Thank you kindly~

My guess is he just guessed. admin and include folder are very common folder names for people to use.

clanstyles Posted November 27, 2007
rofl agent steel ftw1

Azu Posted November 29, 2007
You should block this directory: http://www.carnagestk.info/include/
You should block this directory: http://www.carnagestk.info/sql/
You should block this directory: http://www.carnagestk.info/admin/
These are still not blocked yet..

gtal3x Posted November 30, 2007
Possible SQL injection... I was playing with login, sometimes it would give me a blank page, sometimes only 1 field that was asking for username, no SQL error however, you should fix that

php_tom Posted December 1, 2007
You really need to block the /sql directory, it's a big security hazard to let everybody know the whole structure of your SQL.

temporary1 Posted December 7, 2007
Hi. I was just looking to see if Google indexed carnagestk.info yet and was surprised to find this thread. The reason these folders haven't been blocked yet is because RavenStar isn't the admin, I am. He just used you guys to look for flaws in my site.
--carnagestk.info
PS. They will be soon. Thanks for the help.

gtal3x Posted December 7, 2007
No Comments...

Coreye Posted December 7, 2007
> Hi. I was just looking to see if Google indexed carnagestk.info yet and was surprised to find this thread. The reason these folders haven't been blocked yet is because RavenStar isn't the admin, I am. He just used you guys to look for flaws in my site.
> --carnagestk.info
> PS. They will be soon. Thanks for the help.

If you can prove carnagestk.info is yours, maybe by adding a page with "Hi PHPFreaks.com", then you could probably get RavenStar banned from these forums.

- The idea of this forum is that you have finished your code, and now you wish for people to test it for weak spots, logic problems, etc..

Maybe they should have everyone who wants their website to get BETA testing have a page on their server saying something about PHPFreaks, that way we know it's their website.

gtal3x Posted December 7, 2007
> Maybe they should have everyone who wants their website to get BETA testing have a page on their server saying something about PHPFreaks, that way we know it's their website.

Completely agree. This is the second time I see this problem in 1 month!

temporary1 Posted December 7, 2007
When in Rome... here you go.
http://carnagestk.info/
Damn you gtal3x for the SQL injection suggestion btw.

Coreye Posted December 7, 2007
> When in Rome... here you go.
> http://carnagestk.info/
> Damn you gtal3x for the SQL injection suggestion btw.

You didn't have to add it to a page that you already had. You could have made a blank page like... http://carnagestk.info/hi.html

Either way, your site got tested, no big flaws which was good, and the few flaws there were can now be fixed.