eXeCuTeR Posted November 28, 2007
toxic.local-host.co.il
I secured this forum. Try to hack it.

Coreye Posted November 28, 2007
Full Path Disclosure when you visit toxic.local-host.co.il.
Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /home/toxic14/domains/toxic.local-host.co.il/public_html/genosecurity/geno.php on line 94

helraizer Posted November 28, 2007
Dude, something happened there.
http://toxic.local-host.co.il/index.php?act[]
Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /home/toxic14/domains/toxic.local-host.co.il/public_html/genosecurity/geno.php on line 343
Warning: preg_match() expects parameter 2 to be string, array given in /home/toxic14/domains/toxic.local-host.co.il/public_html/genosecurity/geno.php on line 346
Warning: preg_match() expects parameter 2 to be string, array given in /home/toxic14/domains/toxic.local-host.co.il/public_html/genosecurity/geno.php on line 354
Warning: preg_match() expects parameter 2 to be string, array given in /home/toxic14/domains/toxic.local-host.co.il/public_html/genosecurity/geno.php on line 362
Warning: preg_match() expects parameter 2 to be string, array given in /home/toxic14/domains/toxic.local-host.co.il/public_html/genosecurity/geno.php on line 370
Warning: Illegal offset type in /home/toxic14/domains/toxic.local-host.co.il/public_html/index.php on line 370

eXeCuTeR Posted November 28, 2007
It's alright now, I tested some stuff.

helraizer Posted November 28, 2007
> It's alright now, I tested some stuff.
http://toxic.local-host.co.il/index.php?act[] - copy and paste that into your browser - it still comes up with the errors.
Sam

agentsteal Posted November 28, 2007
Full Path Disclosure:
http://toxic.local-host.co.il/index.php?a[]
Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /home/toxic14/domains/toxic.local-host.co.il/public_html/genosecurity/geno.php on line 353
Warning: preg_match() expects parameter 2 to be string, array given in /home/toxic14/domains/toxic.local-host.co.il/public_html/genosecurity/geno.php on line 356
Warning: preg_match() expects parameter 2 to be string, array given in /home/toxic14/domains/toxic.local-host.co.il/public_html/genosecurity/geno.php on line 364
Warning: preg_match() expects parameter 2 to be string, array given in /home/toxic14/domains/toxic.local-host.co.il/public_html/genosecurity/geno.php on line 372
Warning: preg_match() expects parameter 2 to be string, array given in /home/toxic14/domains/toxic.local-host.co.il/public_html/genosecurity/geno.php on line 380
Warning: Illegal offset type in /home/toxic14/domains/toxic.local-host.co.il/public_html/index.php on line 370

Azu Posted November 29, 2007
Don't even need the /index.php lol
toxic.local-host.co.il?a[]
And in case you don't know why stuff like this is a problem.. well at the very least it's buggy/annoying, and it could potentially be a huge security problem.
It's immediately obvious from the errors that your username is probably toxic14.. or maybe genosecurity. Knowing this will make a brute force login attack much easier/faster, for starters.

eXeCuTeR Posted November 29, 2007
How could I secure this?

helraizer Posted November 29, 2007
> How could I secure this?
A code I made and therefore use is:

<?php
// Show a message if the script path contains a quote, angle bracket or slash.
// Note: PHP_SELF normally begins with "/", so the last test matches on every request.
if (stristr($_SERVER['PHP_SELF'], "'")
    || stristr($_SERVER['PHP_SELF'], '"')
    || stristr($_SERVER['PHP_SELF'], '<')
    || stristr($_SERVER['PHP_SELF'], '>')
    || stristr($_SERVER['PHP_SELF'], '/')) {
    echo "No XSS today, thank you"; //or any other message
}
?>

That stops anyone from adding XSS to the $_GET variables in the URL of the site.
Sam

anujgarg Posted November 30, 2007
helraizer, where should one paste this code, means, in which file and folder...
Anuj

helraizer Posted November 30, 2007
> helraizer, where should one paste this code, means, in which file and folder... Anuj
That would go in the page that you have the $_GET variables in. So if it's index.php?a[] then the code would go in index.php; if it's search.php?q[] then the code would go in search.php.
Sam

eXeCuTeR Posted November 30, 2007
Please close this thread, thanks. I removed the security.

helraizer Posted November 30, 2007
Getting there but there is still one error.
Warning: Illegal offset type in /home/toxic14/domains/toxic.local-host.co.il/public_html/index.php on line 370
That's on http://toxic.local-host.co.il/index.php?act[]
Sam
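
An added example, not code from any poster in this thread: one way to stop the warnings and path disclosure reported above is to keep PHP errors out of the response and to accept a query parameter only when it is a plain string of the expected form, so that `?act[]` or `?a[]` never reaches string functions or array offsets. The `string_param` and `dispatch` helpers and the action names are hypothetical; the sample queries are constructed.

```php
<?php
declare(strict_types=1);

// Keep errors out of the response; write them to the server log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Return a request parameter only if it is a string matching $pattern.
 * Arrays (from URLs such as ?act[]), missing keys and other values yield null.
 */
function string_param(array $source, string $name, string $pattern): ?string
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return null;
    }
    return preg_match($pattern, $source[$name]) === 1 ? $source[$name] : null;
}

// Hypothetical allow-list; the forum's real actions are not shown in the thread.
const ACTIONS = ['index' => 'Board index', 'login' => 'Login form'];

function dispatch(array $query): array
{
    foreach ($query as $value) {
        if (!is_string($value)) {
            return [400, 'Bad request'];   // any array parameter, e.g. ?a[]
        }
    }
    if (!array_key_exists('act', $query)) {
        return [200, ACTIONS['index']];    // no action given: default page
    }
    $act = string_param($query, 'act', '/\A[a-z]{1,20}\z/');
    if ($act === null || !isset(ACTIONS[$act])) {
        return [400, 'Bad request'];       // generic message, no paths or details
    }
    return [200, ACTIONS[$act]];
}

// Constructed sample queries, shaped the way PHP populates $_GET.
$samples = [
    'index.php'               => [],
    'index.php?act=login'     => ['act' => 'login'],
    'index.php?act[]'         => ['act' => ['']],
    'index.php?a[]'           => ['a' => ['']],
    'index.php?act=no-such!'  => ['act' => 'no-such!'],
];
foreach ($samples as $url => $query) {
    [$status, $body] = dispatch($query);
    printf("%s -> %d %s\n", $url, $status, $body);
}
```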