
Hi,

 

I have a small page I am working on as a side project to test and set up pages for another site,

 

so I guess here it goes, I would like to see if there are any openings in the login page, or any other page really  :P:

 

http://char.rev-ro.com/login.php (pretty simple)

 

and anything else you can come up with >.<

 

thanks

https://forums.phpfreaks.com/topic/79418-dont-these-get-old-security-check/

ok, I just severely shut down the sites db privileges so my db is protected at least a little bit,

 

but if you would like to log in and mess with things

 

username: hackme

password: hackme

 

please, no indecent pictures  :D

 

I'm going to bed now  :P

Not really a big deal.. but you can put 10 spaces for the "Display Name" when editing it. You might want to disable that for this... someone will edit it and then we can't test it... lol

 

You can also do 9 spaces then 1 letter when editing the "Display Name" and on the members page it's just one letter even though you have a 10 letter minimum.

Cross Site Scripting:

http://char.rev-ro.com/img.php?"><marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

There is Cross Site Scripting in the avatars.

 

Cross Site Scripting:

There is Cross Site Scripting if the Player Bio field contains </textarea>code.

 

Cross Site Scripting:

There is Cross Site Scripting if the Expect header contains code.

 

Full Path Disclosure:

There is Full Path Disclosure if the PHPSESSID cookie is set to an invalid value.

Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/www/char.rev-ro.com/cnf/cnf.php on line 2

 

Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /home/www/char.rev-ro.com/cnf/cnf.php:2) in /home/www/char.rev-ro.com/cnf/cnf.php on line 2

 

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/www/char.rev-ro.com/cnf/cnf.php:2) in /home/www/char.rev-ro.com/cnf/cnf.php on line 2
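The three application-side findings in the post above (the reflected XSS in img.php, the </textarea> break-out in the Player Bio, and the full path disclosure from a bad PHPSESSID) come down to two habits: encode for the output context, and keep PHP warnings out of the response. The PHP below is an added example for this thread, not the site's code or any poster's. It assumes img.php echoes its query string into an img src attribute and that the bio is shown inside a textarea; the user table and payloads are constructed. The Expect header item is different in kind: that header is reflected by the web server in its own 417 error page, not by the PHP application, so it is fixed by updating the server rather than by anything in this file.

```php
<?php
// Added example for this thread, not code from the site or from any poster.
// Assumptions: img.php reflects its query string into an <img src="..."> attribute,
// and the Player Bio is rendered inside a <textarea>. Run with: php example.php
declare(strict_types=1);

// One encoder for HTML text and attribute values. ENT_QUOTES also encodes the
// single quote, so the result is safe inside single- or double-quoted attributes.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// How the reported img.php bug arises (kept for comparison): the raw query
// string lands inside the attribute, so ?"><marquee>... closes the tag early.
function img_tag_vulnerable(string $path): string
{
    return '<img src="' . $path . '" alt="avatar">';
}

// Same tag with the value encoded: the quote becomes &quot; and stays inside src.
function img_tag_safe(string $path): string
{
    return '<img src="' . esc_html($path) . '" alt="avatar">';
}

// Player Bio in the edit form. The only way out of a <textarea> is a literal
// </textarea>; encoding turns '<' into &lt;, so the closing tag cannot be injected.
function bio_textarea(string $bio): string
{
    return '<textarea name="bio">' . esc_html($bio) . '</textarea>';
}

// Full path disclosure: an invalid PHPSESSID makes session_start() emit a warning
// that names the script path. Check the cookie against the session id alphabet
// (the set the warning itself lists) before starting the session.
function valid_session_id(string $id): bool
{
    return (bool) preg_match('/^[a-zA-Z0-9,-]{1,128}$/', $id);
}

function start_session_safely(): void
{
    // Warnings belong in the server log, never in the response. The lasting fix
    // is display_errors=Off / log_errors=On in php.ini; ini_set() is the fallback.
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');
    // Reject session ids the server did not issue (PHP 5.5.2 and later).
    ini_set('session.use_strict_mode', '1');

    $name = session_name();
    if (isset($_COOKIE[$name]) && !valid_session_id((string) $_COOKIE[$name])) {
        // Drop the bogus cookie value; session_start() reads $_COOKIE and will
        // issue a fresh id instead of warning about illegal characters.
        unset($_COOKIE[$name]);
    }
    session_start();
}

// Demonstration with constructed inputs, including the payload from the thread.
$payload = '"><marquee><h1>vulnerable</marquee>';
echo img_tag_vulnerable($payload), "\n";
echo img_tag_safe($payload), "\n";
echo bio_textarea('</textarea><script>alert(1)</script>'), "\n";
var_dump(valid_session_id('abc123-,'));
var_dump(valid_session_id('../../etc/passwd'));
```

Encode at the point of output, not at the point of input: the same stored value is safe in an attribute, in a textarea and in body text only if each place runs it through the encoder for that context. For the path disclosure, ini_set() at run time cannot suppress warnings that fire before the script body executes, so the php.ini setting is the one that actually closes the hole.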

There's a bug with how you're escaping input for display name. It adds a whole ton of backslashes one after another, and deletes things instead of escaping them.

 

Example; input

"'><;':"[]{}()*&^%$#@!~

 

Output

\"\'><;\':\"[]

 

Press submit again and..

\\\"\\\'><;\\\':\\\
etc.
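The two display-name reports above (ten spaces satisfying the minimum length, and backslashes piling up with every save) share a root cause: the value is checked and escaped as it arrives, rather than normalised once and then escaped per sink. Stacked backslashes are the signature of escaping data that is already escaped, for example magic_quotes_gpc plus addslashes(), or escaping before storage and again on the next edit. The PHP below is an added example for this thread, not the site's code or any poster's; the ten-character minimum is the site's rule as described in the thread, the 32-character maximum and the allowed character set are assumptions, and the users table used by the database function is assumed.

```php
<?php
// Added example for this thread, not code from the site or from any poster.
// Models the two display-name reports: whitespace-only names passing the
// ten-character minimum, and backslashes piling up on each save.
declare(strict_types=1);

// Stacked escaping. The edit form is pre-filled with the *stored* (already
// escaped) value; saving runs addslashes() again, so each round trip adds a
// layer: \" then \\\" then \\\\\\\" -- the pattern shown in the post.
function resubmit_rounds(string $input, int $rounds): array
{
    $history = [];
    $stored = $input;
    for ($i = 0; $i < $rounds; $i++) {
        $stored = addslashes($stored);   // escaped again on every save
        $history[] = $stored;
    }
    return $history;
}

// The fix: keep the raw value and escape once, at each sink, never in storage.
// Ten characters is the site's minimum per the thread; 32 is an assumed maximum.
function normalize_display_name(string $raw): ?string
{
    // Under magic_quotes_gpc (PHP 5.3 and earlier) the input already carries
    // backslashes; undo that so the code sees what the user typed.
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $raw = stripslashes($raw);
    }
    // Collapse whitespace runs and trim, so ten spaces (or nine spaces and one
    // letter) cannot satisfy the minimum length.
    $collapsed = preg_replace('/\s+/u', ' ', $raw);
    if ($collapsed === null) {
        return null;   // invalid UTF-8
    }
    $name = trim($collapsed);
    $len = mb_strlen($name, 'UTF-8');
    if ($len < 10 || $len > 32) {
        return null;
    }
    // Letters, digits, space and a little punctuation (assumed set). Anything else
    // is rejected rather than stripped, so nothing is silently deleted from the name.
    if (!preg_match('/^[\p{L}\p{N} _.\'-]+$/u', $name)) {
        return null;
    }
    return $name;   // raw and unescaped
}

// Sink 1: the database. A bound parameter carries the raw value; no addslashes().
function store_display_name(mysqli $db, int $userId, string $name): bool
{
    $stmt = $db->prepare('UPDATE users SET display_name = ? WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('si', $name, $userId);
    return $stmt->execute();
}

// Sink 2: the page. Encode for HTML at output time; the stored value is untouched.
function render_display_name(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Demonstration with constructed input (the tester's string from the post).
$input = '"\'><;\':"[]{}()*&^%$#@!~';
foreach (resubmit_rounds($input, 3) as $i => $value) {
    echo 'save ', $i + 1, ': ', $value, "\n";
}
var_dump(normalize_display_name('          '));        // input: ten spaces
var_dump(normalize_display_name('         a'));        // input: nine spaces and a letter
var_dump(normalize_display_name('  Wandering   Knight  '));
echo render_display_name('Rogue <b>"Knight"</b>'), "\n";
```

The length check runs on the trimmed, collapsed value, and the character filter rejects instead of deleting, which is what keeps the members page from showing a one-letter name that passed a ten-character minimum. Escaping for SQL is the prepared statement's job and escaping for HTML happens on output, so a value can be saved any number of times without changing.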

Do NOT tell the user that the password is incorrect, or that the user name is incorrect or doesn't exit.

 

I recommend changing it to say something like:

"User Name or Password is Incorrect"
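One added caveat to the advice above: a single message is not enough on its own if the code returns early for an unknown user, because the missing password check makes that branch measurably faster. The PHP below is an added example for this thread, not the site's code or any poster's; the user table is constructed and the hashes are generated at run time.

```php
<?php
// Added example for this thread, not code from the site or from any poster.
// The user table is constructed; hashes are generated at run time.
declare(strict_types=1);

// Same message for "no such user" and "wrong password". A hash is verified even
// when the user does not exist, so the response time does not give the user name
// away either.
const LOGIN_FAILED = 'User Name or Password is Incorrect';

function make_user_table(): array
{
    // Constructed stand-in for the site's users table (assumption).
    return ['hackme' => password_hash('hackme', PASSWORD_DEFAULT)];
}

function login(array $users, string $username, string $password): array
{
    // Unknown user: verify against a throwaway hash so the same work is done.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    $hash = $users[$username] ?? $dummyHash;
    $passwordOk = password_verify($password, $hash);   // always runs
    if (!isset($users[$username]) || !$passwordOk) {
        return ['ok' => false, 'message' => LOGIN_FAILED];
    }
    return ['ok' => true, 'message' => 'Logged in as ' . $username];
}

// Demonstration: right credentials, wrong password, unknown user.
$users = make_user_table();
foreach ([['hackme', 'hackme'], ['hackme', 'wrong'], ['nobody', 'hackme']] as [$u, $p]) {
    echo $u, ' / ', $p, ' => ', login($users, $u, $p)['message'], "\n";
}
```

The two failure cases return the same string and do the same amount of hashing work, so neither the text nor the timing tells a visitor whether the account exists.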

 

Done

 

Cross Site Scripting:

(In Internet Explorer)

http://char.rev-ro.com/img.php?"><marquee><h1>vulnerable</marquee>

 

Done (that's a strange one)

 

The "Display Name" says "Please enter more than 10 characters." but you can enter 4 characters. The "Player Bio" says "Please enter at lease ten characters." even if you enter more than 10 characters.

 

Sorry about that, fixed

 

The avatars are vulnerable to Cross Site Scripting in IE.

POC:

http://char.rev-ro.com/imgs/uimgs/acc/2000116.jpg

 

If you upload an avatar, then upload an avatar with a different image type, the first avatar isn't deleted.

 

Pretty sure that's fixed

 

Your site is vulnerable to Cross Site Scripting through the Expect header.

 

Not sure what that is

 

There is Cross Site Scripting if you put </textarea>code in the "Player Bio" on the edit page.

 

Fixed

 

I will try to fix the others from work, and put a filter on what the display name can be, and on the bio
