newb Posted December 1, 2007
http://www.oxyfactor.com/
agentsteal Posted December 1, 2007

Array: http://www.oxyfactor.com/billing/index.php?action[]
Array: http://www.oxyfactor.com/billing/index.php?fuse[]
Array: http://www.oxyfactor.com/billing/index.php?view[]

Cross Site Scripting: There is Cross Site Scripting on the Account Information page if the Coupon Code field contains ">code.
Cross Site Scripting: There is Cross Site Scripting on the Account Information page if the Password field contains ">code.
Cross Site Scripting: There is Cross Site Scripting on the Terms and Conditions when you register if the fields contain ">code.

Directory Traversal: http://www.oxyfactor.com/index.php?page=about/../hosting

DOS: http://www.oxyfactor.com/modules/forums/index.inc.php/

Drop Down Menu: If you edit the drop down menus on the registration page you can submit arbitrary values.

Full Path Disclosure: http://www.oxyfactor.com/billing/index.php?action=a
An error has occurred with the given operation
Fuse:
Action: a
Type: User Error (256)
Description: Action a does not exist
Script: /home/oxyfacto/public_html/billing/newedge/classes/NE_Controller.php
Line Number: 150
Stack:
/home/oxyfacto/public_html/billing/newedge/classes/NE_Controller.php (150) : trigger_error
/home/oxyfacto/public_html/billing/newedge/front.php (70) : ne_controller::processaction
/home/oxyfacto/public_html/billing/index.php (3) : require

Full Path Disclosure: http://www.oxyfactor.com/billing/index.php?fuse=admin&action=RequestPassword&ajaxRequest=1&emailToSend[]
An error has occurred with the given operation
Fuse: admin
Action: RequestPassword
Type: Warning (2)
Description: htmlspecialchars() expects parameter 1 to be string, array given
Script: /home/oxyfacto/public_html/billing/modules/admin/actions/RequestPassword.php
Line Number: 19
Stack:
/home/oxyfacto/public_html/billing/modules/admin/actions/RequestPassword.php (19) : htmlspecialchars
/home/oxyfacto/public_html/billing/newedge/classes/NE_Controller.php (158) : requestpassword::dispatch
/home/oxyfacto/public_html/billing/newedge/front.php (70) : ne_controller::processaction
/home/oxyfacto/public_html/billing/index.php (3) : require

Full Path Disclosure: http://www.oxyfactor.com/billing/classes/MailGateway.php
Fatal error: Class mailgateway: Cannot inherit from undefined class ne_model in /home/oxyfacto/public_html/billing/classes/MailGateway.php on line 10

Full Path Disclosure: http://www.oxyfactor.com/billing/modules/admin/actions/RequestPassword.php
Warning: main(classes/MailGateway.php) [function.main]: failed to open stream: No such file or directory in /home/oxyfacto/public_html/billing/modules/admin/actions/RequestPassword.php on line 3
Fatal error: main() [function.require]: Failed opening required 'classes/MailGateway.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/oxyfacto/public_html/billing/modules/admin/actions/RequestPassword.php on line 3

Full Path Disclosure: http://www.oxyfactor.com/billing/index.php?view=a
An error has occurred with the given operation
Fuse:
Action:
Type: User Error (256)
Description: View a does not exist
Script: /home/oxyfacto/public_html/billing/newedge/classes/NE_Controller.php
Line Number: 88
Stack:
/home/oxyfacto/public_html/billing/newedge/classes/NE_Controller.php (88) : trigger_error
/home/oxyfacto/public_html/billing/newedge/front.php (72) : ne_controller::processview
/home/oxyfacto/public_html/billing/index.php (3) : require

Includes Directory: http://www.oxyfactor.com/billing/templates/Raleigh/signup/

User Enumeration: http://www.oxyfactor.com/~nobody
User Enumeration: http://www.oxyfactor.com/~oxyfacto
User Enumeration: http://www.oxyfactor.com/~root
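The two findings in the post above that a site owner can fix in application code are the reflected Cross Site Scripting in the form fields and the "htmlspecialchars() expects parameter 1 to be string, array given" warning. The PHP below is an added example written for this thread, not code from oxyfactor.com or from its billing package; it assumes a registration form that echoes the submitted coupon code back into an input's value attribute (the context a ">code payload breaks out of) and shows the vulnerable rendering next to the hardened one, plus a parameter reader that refuses array-valued query strings such as ?coupon[]=x.

```php
<?php
// Added example for the thread above; not the site's own code.
// Assumes the coupon code is re-displayed inside an <input value="..."> attribute.

// Vulnerable rendering: the raw value lands inside the attribute, so a value
// containing "> closes the attribute and the tag and injects arbitrary markup.
function render_coupon_field_vulnerable(string $coupon): string
{
    return '<input type="text" name="coupon" value="' . $coupon . '">';
}

// Hardened rendering: encode for the HTML attribute context. ENT_QUOTES
// escapes both " and ' so the value can never terminate the attribute, and an
// explicit charset avoids encoding mismatches between PHP and the page.
function render_coupon_field(string $coupon): string
{
    $safe = htmlspecialchars($coupon, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="coupon" value="' . $safe . '">';
}

// Read a request parameter defensively. A query string such as ?coupon[]=x
// makes $_GET['coupon'] an array, which is exactly what produced the
// htmlspecialchars() warning (and the path disclosure) in the report.
// Anything that is not a plain string falls back to the default.
function get_string_param(array $source, string $name, string $default = ''): string
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return $default;
    }
    return $source[$name];
}

// Constructed sample inputs mirroring the shapes from the report:
// a normal value, a ">code payload, and an array-valued parameter.
$samples = [
    'SAVE10',
    '"><b>injected</b>',
    ['array', 'value'],
];

foreach ($samples as $raw) {
    $coupon = get_string_param(['coupon' => $raw], 'coupon');
    echo "raw:        " . json_encode($raw) . "\n";
    echo "vulnerable: " . render_coupon_field_vulnerable($coupon) . "\n";
    echo "hardened:   " . render_coupon_field($coupon) . "\n\n";
}
```

For the second sample the vulnerable line emits a closed `value=""` followed by live markup, while the hardened line keeps the whole payload inside the attribute as `&quot;&gt;&lt;b&gt;injected&lt;/b&gt;`; the array sample is rendered as an empty field instead of raising a warning. The same attribute-context encoding applies to the Password and Terms and Conditions fields named in the post.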
newb (Author) Posted December 1, 2007
o.o good finds.
newb (Author) Posted December 1, 2007
ahhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh gg lol.
newb (Author) Posted December 1, 2007
k, fixed the DOS exploit (probably my biggest concern...). I don't know how I would go about fixing the directory traversal thing... lol. Anyway I don't think it's much of a big deal as long as they can't include anything outside the site. Right? =p
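One way to close the index.php?page=about/../hosting traversal from the report, and at the same time stop the full-path stack traces from reaching the browser, is shown below. This is an added example for the thread, not the site's code; it assumes a front controller that maps ?page=about to a pages/about.php template (the actual layout of oxyfactor.com is not known from the thread), and it creates a throwaway pages directory under the system temp dir so it runs stand-alone.

```php
<?php
// Added example for the thread above; not the site's own code.
// Assumption: ?page=NAME is meant to include pages/NAME.php and nothing else.
declare(strict_types=1);

// 1. Keep PHP errors out of the response. Every "Full Path Disclosure" in the
//    report is a warning or stack trace that display_errors let through;
//    log them server-side instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// 2. Resolve a page name to a file only if it is a plain identifier and, after
//    realpath() canonicalises any ../ sequences, still lives inside $pagesDir.
//    Returns null for anything that should not be included.
function resolve_page($page, string $pagesDir): ?string
{
    // ?page[]=x makes $_GET['page'] an array; accept strings only.
    if (!is_string($page)) {
        return null;
    }
    // Allowlist the character set before touching the filesystem. Slashes,
    // dots and NUL bytes never pass, so "about/../hosting" is rejected here.
    if (!preg_match('/^[a-z0-9_-]{1,32}$/', $page)) {
        return null;
    }
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . '/' . $page . '.php');
    if ($base === false || $path === false) {
        return null; // base missing or page file does not exist
    }
    // Belt and braces: the canonical path must sit below the base directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed fixture: a temporary pages/ directory with a single about.php.
$pagesDir = sys_get_temp_dir() . '/pages_demo';
if (!is_dir($pagesDir)) {
    mkdir($pagesDir, 0700);
}
file_put_contents($pagesDir . '/about.php', "<?php echo 'about page';\n");

// Constructed sample inputs; only the first one should resolve.
$inputs = [
    'about',                 // legitimate page
    'about/../hosting',      // traversal from the report
    '../../etc/passwd',      // traversal out of the web root
    ['about'],               // array-valued parameter
    'hosting',               // well-formed name but no such page file
];

foreach ($inputs as $input) {
    $resolved = resolve_page($input, $pagesDir);
    printf("%-20s -> %s\n", json_encode($input), $resolved ?? 'rejected');
}
```

The allowlist regex does the real work: a name that cannot contain a slash or a dot cannot point outside the pages directory, and the realpath prefix check catches anything the regex might miss if the pattern is later loosened. Returning null rather than calling trigger_error keeps a bad request from becoming another path-revealing error page.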
Coreye Posted December 2, 2007

Full Path Disclosure: http://oxyfactor.com/billing/index.php?fuse=admin&view='
An error has occurred with the given operation
Fuse: admin
Action:
Type: User Error (256)
Description: View ' does not exist
Script: /home/oxyfacto/public_html/billing/newedge/classes/NE_Controller.php
Line Number: 88
Stack:
/home/oxyfacto/public_html/billing/newedge/classes/NE_Controller.php (88) : trigger_error
/home/oxyfacto/public_html/billing/newedge/front.php (72) : ne_controller::processview
/home/oxyfacto/public_html/billing/index.php (3) : require

Going to http://oxyfactor.com/billing/newedge/front.php redirects to this page: http://oxyfactor.com/billing/newedge/index.php?fuse=admin&view=Login, but gives this error.
Not Found
The requested URL /billing/newedge/index.php was not found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
newb (Author) Posted December 2, 2007
Yeah, a lot of full path disclosures. I fail to see how it's much harm though lol. It's only showing the obvious (that I'm in /home/, my username is oxyfacto and I use public_html like everyone else?) :s. The request password doesn't work anyway, and if it did everything's md5 encrypted anyways so ppl would just be getting md5 hashes.