xsvcash Posted December 2, 2007 Share Posted December 2, 2007 I run a pay-to-signup type of site ( at http://xsvcash.com/ ) recently it seems that someone has been messing around with my files and i dont know what it is! i started reading about XSS (crosssite-scripting) but i dont have any idea on how to secure my scripts... i dont even know if XSS is the problem please help i need to find and fix these holes fast! Link to comment Share on other sites More sharing options...
Coreye Posted December 2, 2007 Share Posted December 2, 2007 Block this directory: http://xsvcash.com/pages/. Remove this http://xsvcash.com/test/ - Gives Pull Path Disclosures. Warning: mysql_select_db(): supplied argument is not a valid MySQL-Link resource in /home/xsvcashc/public_html/test/config.php on line 8 Link to comment Share on other sites More sharing options...
agentsteal Posted December 2, 2007 Share Posted December 2, 2007 Array: http://www.xsvcash.com/test/register.php?r[] Cross Site Scripting: http://www.xsvcash.com/cgi-bin/gpte.cgi?page=User_Signup_Form&E_Mail=<marquee><h1>vulnerable</marquee> Cross Site Scripting: http://www.xsvcash.com/cgi-bin/gpte.cgi?page=User_Signup_Form&Referrer=<marquee><h1>vulnerable</marquee> Cross Site Scripting: http://www.xsvcash.com/cgi-bin/gpte.cgi.old?page=User_Signup_Form&E_Mail=<marquee><h1>vulnerable</marquee> Cross Site Scripting: http://www.xsvcash.com/cgi-bin/gpte.cgi.old?page=User_Signup_Form&Referrer=<marquee><h1>vulnerable</marquee> Cross Site Scripting: There is Cross Site Scripting on the Account Info page if your useragent contains code. Cross Site Scripting: There is Cross Site Scripting when you register if the fields contain ">code. Directory Transversal: http://www.xsvcash.com/cgi-bin/gptecntct.cgi?url=../cgi-bin/ Directory Transversal: http://www.xsvcash.com/cgi-bin/gptelogin.cgi?id=aaaaaa&pass=aaaaaa&op=0&ut=0&url=../ Directory Transversal: http://www.xsvcash.com/cgi-bin/gptemsg.cgi?url=../cgi-bin/ Full Path Disclosure: http://www.xsvcash.com/test/contact.php Fatal error: Call to undefined function limpiar() in /home/xsvcashc/public_html/test/contact.php on line 78 Full Path Disclosure: http://www.xsvcash.com/test/ Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'test'@'localhost' (using password: YES) in /home/xsvcashc/public_html/test/config.php on line 8 Warning: mysql_select_db(): supplied argument is not a valid MySQL-Link resource in /home/xsvcashc/public_html/test/config.php on line 8 Warning: mysql_query() [function.mysql-query]: Access denied for user 'xsvcashc'@'localhost' (using password: NO) in /home/xsvcashc/public_html/test/index.php on line 91 Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/xsvcashc/public_html/test/index.php on line 91 Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/xsvcashc/public_html/test/index.php on line 92 Warning: mysql_query() [function.mysql-query]: Access denied for user 'xsvcashc'@'localhost' (using password: NO) in /home/xsvcashc/public_html/test/index.php on line 106 Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/xsvcashc/public_html/test/index.php on line 106 Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/xsvcashc/public_html/test/index.php on line 107 Warning: mysql_query() [function.mysql-query]: Access denied for user 'xsvcashc'@'localhost' (using password: NO) in /home/xsvcashc/public_html/test/index.php on line 115 Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/xsvcashc/public_html/test/index.php on line 115 Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/xsvcashc/public_html/test/index.php on line 116 Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'test'@'localhost' (using password: YES) in /home/xsvcashc/public_html/test/config.php on line 8 Warning: mysql_select_db(): supplied argument is not a valid MySQL-Link resource in /home/xsvcashc/public_html/test/config.php on line 8 Warning: mysql_query() [function.mysql-query]: Access denied for user 'xsvcashc'@'localhost' (using password: NO) in /home/xsvcashc/public_html/test/index.php on line 140 Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/xsvcashc/public_html/test/index.php on line 140 Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/xsvcashc/public_html/test/index.php on line 141 Warning: mysql_query() [function.mysql-query]: Access denied for user 'xsvcashc'@'localhost' (using password: NO) in /home/xsvcashc/public_html/test/index.php on line 151 Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/xsvcashc/public_html/test/index.php on line 151 Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/xsvcashc/public_html/test/index.php on line 152 Full Path Disclosure: http://www.xsvcash.com/test/advertise.php Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'test'@'localhost' (using password: YES) in /home/xsvcashc/public_html/test/config.php on line 8 Warning: mysql_select_db(): supplied argument is not a valid MySQL-Link resource in /home/xsvcashc/public_html/test/config.php on line 8 Warning: mysql_query() [function.mysql-query]: Access denied for user 'xsvcashc'@'localhost' (using password: NO) in /home/xsvcashc/public_html/test/advertise.php on line 456 Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/xsvcashc/public_html/test/advertise.php on line 456 Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/xsvcashc/public_html/test/advertise.php on line 457 - Setting up and displaying your link for adbux members to visit is fast and simple. - We charge $ per Warning: mysql_query() [function.mysql-query]: Access denied for user 'xsvcashc'@'localhost' (using password: NO) in /home/xsvcashc/public_html/test/advertise.php on line 468 Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/xsvcashc/public_html/test/advertise.php on line 468 Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/xsvcashc/public_html/test/advertise.php on line 469 Full Path Disclosure: http://www.xsvcash.com/test/config.php Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'test'@'localhost' (using password: YES) in /home/xsvcashc/public_html/test/config.php on line 8 Warning: mysql_select_db(): supplied argument is not a valid MySQL-Link resource in /home/xsvcashc/public_html/test/config.php on line 8 Full Path Disclosure: http://www.xsvcash.com/test/login.php Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'test'@'localhost' (using password: YES) in /home/xsvcashc/public_html/test/config.php on line 8 Warning: mysql_select_db(): supplied argument is not a valid MySQL-Link resource in /home/xsvcashc/public_html/test/config.php on line 8 Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/xsvcashc/public_html/test/config.php: in /home/xsvcashc/public_html/test/login.php on line 10 Warning: mysql_query() [function.mysql-query]: Access denied for user 'xsvcashc'@'localhost' (using password: NO) in /home/xsvcashc/public_html/test/login.php on line 25 Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/xsvcashc/public_html/test/login.php on line 25 Access denied for user 'xsvcashc'@'localhost' (using password: NO) Full Path Disclosure: http://www.xsvcash.com/test/register.php Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'test'@'localhost' (using password: YES) in /home/xsvcashc/public_html/test/config.php on line 8 Warning: mysql_select_db(): supplied argument is not a valid MySQL-Link resource in /home/xsvcashc/public_html/test/config.php on line 8 Full Path Disclosure: http://www.xsvcash.com/test/surf.php Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'test'@'localhost' (using password: YES) in /home/xsvcashc/public_html/test/config.php on line 8 Warning: mysql_select_db(): supplied argument is not a valid MySQL-Link resource in /home/xsvcashc/public_html/test/config.php on line 8 Warning: mysql_query(): supplied argument is not a valid MySQL-Link resource in /home/xsvcashc/public_html/test/surf.php on line 231 Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/xsvcashc/public_html/test/surf.php on line 232 Includes Directory: http://www.xsvcash.com/pages/ Insecure Cookie: You shouldn't put the password in the cookie. Insecure Cookie: You shouldn't put the username in the cookie. SQL Injection: http://www.xsvcash.com/cgi-bin/gptemsgbox.cgi?ut=0&msg=1 AND 1=1 http://www.xsvcash.com/cgi-bin/gptemsgbox.cgi?ut=0&msg=1 AND 1=2 SQL Injection: http://www.xsvcash.com/cgi-bin/gpte.cgi?page=EMail_Verification_Code_Sent'+and+'1'='1 http://www.xsvcash.com/cgi-bin/gpte.cgi?page=EMail_Verification_Code_Sent'+and+'1'='2 SQL Injection: http://www.xsvcash.com/cgi-bin/gpte.cgi.old?page=EMail_Verification_Code_Sent'+and+'1'='1 http://www.xsvcash.com/cgi-bin/gpte.cgi.old?page=EMail_Verification_Code_Sent'+and+'1'='2 URL Inclusion: http://www.xsvcash.com/cgi-bin/gptecntct.cgi?url=http://www.google.com/ URL Inclusion: http://www.xsvcash.com/cgi-bin/gptemsg.cgi?url=http://www.google.com/ URL Inclusion: http://www.xsvcash.com/cgi-bin/gptelogin.cgi?id=aaaaaa&pass=aaaaaa&op=0&ut=0&url=http://www.google.com/ User Enumeration: http://www.xsvcash.com/~root User Enumeration: http://xsvcash.com/~xsvcashc You can log in as any user by setting the URL to their username and password. You shouldn't put the password in the URL. You shouldn't put the username in the URL. Link to comment Share on other sites More sharing options...
xsvcash Posted December 2, 2007 Author Share Posted December 2, 2007 thank you for finding those! but i have been reading more on xss and i dont see how someone could mess up a website with it ??? i know that you can use XSS to get a cookies, but people can only get their own cookies, so how would that be a threat? another thing, you guys were saying "Full Path Disclosure", is that a big security thing? also, what does "Directory Transversal", "URL Inclusion", "User Enumeration" and "Array" mean? and how could they be a threat? im sorry for sounding so stupid, but me and 3 other people coded this, so it never was really organized, but when the site started messing up i instantly though of security! thankss for the replies and please continue to help me out,, thank you so much Link to comment Share on other sites More sharing options...
helraizer Posted December 3, 2007 Share Posted December 3, 2007 That image can easily be read by a spam bot. You should add random noise to the image and a font, which will help stall, but not necessarily prevent spam bots. The spam bot reads your source and finds the image source, it can then analyse the image to get the string from it. A way to do it is, like this, for example; have the URL of the http://forum.dragonforce.com/profile.php?mode=confirm&id=289f85efb9cd2212e321ae23e2ec14b8 If you try to view the image with the &id=... it will not work, but with the &id=... it will. The spam bots tend to copy what's in the source and do not change them, therefore cannot view the image. Sam Link to comment Share on other sites More sharing options...
Recommended Posts