darkfreaks Posted December 5, 2007
Could someone look around for exploits? I've added sanitization to flush out SQL injection and XSS, but I don't think I got it all. Could someone look? Also, any other bugs you find, would you point them out? http://www.aviationrecruitment.co.uk/ -much appreciated
therealwesfoster Posted December 5, 2007
The registration doesn't work for me. I get this:
Parse error: parse error, unexpected T_VARIABLE in /home/aviation/public_html/jobseekers/jobseeker_registration2.php on line 86
darkfreaks Posted December 5, 2007
Fixed, there was a missing semicolon after the mail statement. Anything else?
therealwesfoster Posted December 5, 2007
You should really validate the registration input. There are XSS holes within them. Also, I signed up with "fdhfhfdhosnfd" as an email address; you may want to validate that also.
darkfreaks Posted December 5, 2007
Alrighty, I do have an XSS function. I'll validate it with that, good idea?
therealwesfoster Posted December 5, 2007
Validate the registration input with htmlspecialchars and/or urlencode to prevent single quotes, double quotes, and html tags (< >).
darkfreaks Posted December 5, 2007
OK, I included my XSS function. See if it cleaned up any of that, except the email, which isn't properly validated.
darkfreaks Posted December 5, 2007
Also, I added email validation to jobseekers.
darkfreaks Posted December 5, 2007
Are there any other bugs? The validation for email is fixed, and the XSS.
agentsteal Posted December 6, 2007
Array: http://www.aviationrecruitment.co.uk/jobseekers/job-info.php?job_id[]
Cross Site Scripting: http://www.aviationrecruitment.co.uk/employers/employers2.php/"><marquee><h1>vulnerable</marquee>
Cross Site Scripting: http://www.aviationrecruitment.co.uk/employers/employers6.php/"><marquee><h1>vulnerable</marquee>
Cross Site Scripting: http://www.aviationrecruitment.co.uk/employers/employers10.php/"><marquee><h1>vulnerable</marquee>
Cross Site Scripting: http://www.aviationrecruitment.co.uk/employers/employers11.php/"><marquee><h1>vulnerable</marquee>
Cross Site Scripting: http://www.aviationrecruitment.co.uk/employers/employers13.php/"><marquee><h1>vulnerable</marquee>
Cross Site Scripting: http://www.aviationrecruitment.co.uk/employers/employers14.php/"><marquee><h1>vulnerable</marquee>
Cross Site Scripting: http://www.aviationrecruitment.co.uk/employers/employers15.php/"><marquee><h1>vulnerable</marquee>
Cross Site Scripting: http://www.aviationrecruitment.co.uk/employers/employers16.php/"><marquee><h1>vulnerable</marquee>
Cross Site Scripting: http://www.aviationrecruitment.co.uk/employers/delete.php/"><marquee><h1>vulnerable</marquee>
Cross Site Scripting: http://www.aviationrecruitment.co.uk/employers/employers1.php/"><marquee><h1>vulnerable</marquee>
Cross Site Scripting: http://www.aviationrecruitment.co.uk/employers/employers12.php/"><marquee><h1>vulnerable</marquee>
Cross Site Scripting: http://www.aviationrecruitment.co.uk/employers/employers7.php/"><marquee><h1>vulnerable</marquee>
Cross Site Scripting: http://www.aviationrecruitment.co.uk/employers/EmployerSearch.php/"><marquee><h1>vulnerable</marquee>
Cross Site Scripting: http://www.aviationrecruitment.co.uk/employers/index.php/"><marquee><h1>vulnerable</marquee>
Cross Site Scripting: http://www.aviationrecruitment.co.uk/employers/PostJob.php/"><marquee><h1>vulnerable</marquee>
Cross Site Scripting: http://www.aviationrecruitment.co.uk/employers/upload.php/"><marquee><h1>vulnerable</marquee>
Cross Site Scripting: http://www.aviationrecruitment.co.uk/jobseekers/forgot.php/"><marquee><h1>vulnerable</marquee>
Cross Site Scripting: http://www.aviationrecruitment.co.uk/story.php/"><marquee><h1>vulnerable</marquee>
Cross Site Scripting: http://www.aviationrecruitment.co.uk/phpinfo.php?<script>alert('vulnerable')</script>
Cross Site Scripting: http://www.aviationrecruitment.co.uk/jobseekers/job-info.php?job_id="><marquee><h1>vulnerable</marquee>
Cross Site Scripting: There is Cross Site Scripting on the view resume page if the fields contain code.
Cross Site Scripting: There is Cross Site Scripting on the edit resume page if the fields contain ">code.
Cross Site Scripting: There is Cross Site Scripting on the edit resume page if the fields contain </textarea>code.
Cross Site Scripting: There is Cross Site Scripting if the Expect header contains code.
Cross Site Scripting: There is Cross Site Scripting on the employer edit profile page if the fields contain ">code.
Cross Site Scripting: There is Cross Site Scripting on the employer edit profile page if the drop down menus contain code.
Cross Site Scripting: There is Cross Site Scripting on the forgot password page if the fields contain code.
Cross Site Scripting: There is Cross Site Scripting on the edit profile page if the fields contain ">code.
Cross Site Scripting: There is Cross Site Scripting on the edit profile page if the drop down menus contain code.
Cross Site Scripting: There is Cross Site Scripting in the uploaded images.
Cross Site Scripting: There is Cross Site Scripting on the image upload page if the filename contains 'code.
Cross Site Scripting: There is Cross Site Scripting on the cv upload page if the filename contains 'code.
Drop Down Menu: If you edit the drop down menus on the edit resume page you can submit arbitrary values.
Drop Down Menu: If you edit the drop down menus on the employer edit profile page you can submit arbitrary values.
Drop Down Menu: If you edit the drop down menus when you register you can submit arbitrary values.
Drop Down Menu: If you edit the drop down menus on the edit profile page you can submit arbitrary values.
Drop Down Menu: If you edit the drop down menus on http://www.aviationrecruitment.co.uk/employers/EmployerSearch.php you can submit arbitrary values.
Full Path Disclosure: http://www.aviationrecruitment.co.uk/phpinfo.php
Full Path Disclosure: http://www.aviationrecruitment.co.uk/employers/employers4.php
Parse error: parse error, unexpected T_VARIABLE in /home/aviation/public_html/employers/employers4.php on line 21
Full Path Disclosure: http://www.aviationrecruitment.co.uk/employers/EmployerSearch.php
Parse error: parse error, unexpected ']' in /home/aviation/public_html/employers/EmployerSearch.php on line 25
Full Path Disclosure: There is Full Path Disclosure if the drop down menus on http://www.aviationrecruitment.co.uk/employers/EmployerSearch.php contain invalid values.
Fatal error: Call to undefined function: msql_real_escape_string() in /home/aviation/public_html/employers/employers16.php on line 158
SQL Error: http://www.aviationrecruitment.co.uk/employers/employers10.php Unknown column 'uname' in 'where clause'
SQL Error: http://www.aviationrecruitment.co.uk/employers/employers11.php Unknown column 'uname' in 'where clause'
User Enumeration: http://www.aviationrecruitment.co.uk/~aviation
User Enumeration: http://www.aviationrecruitment.co.uk/~root
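Server-side checks for three of the input classes in the list above (the job_id[] array, editable drop-down menus, and the unvalidated e-mail address), as an added example that is not code from the thread or from the site. The function names and the option list are my own assumptions; filter_var() needs PHP 5.2 or later.

```php
<?php
// Added example (not from the thread or the site): server-side checks for the input
// classes listed above. Function names and the option list are assumptions.

// job-info.php?job_id[] makes $_GET['job_id'] an array; string functions then
// throw warnings that reveal the full path. Accept only a short string of digits.
function read_job_id(array $get)
{
    if (!isset($get['job_id']) || !is_string($get['job_id'])) {
        return null;                                  // missing, or the job_id[] case
    }
    if ($get['job_id'] === '' || !ctype_digit($get['job_id']) || strlen($get['job_id']) > 10) {
        return null;                                  // not a small positive integer
    }
    return (int) $get['job_id'];
}

// Drop-down menus: the form in the browser is not a boundary, so the posted value
// is checked against the options the page itself offered (an allowlist).
function read_choice(array $post, $field, array $allowed)
{
    if (!isset($post[$field]) || !is_string($post[$field])) {
        return null;
    }
    return in_array($post[$field], $allowed, true) ? $post[$field] : null;
}

// Registration e-mail: a value such as "fdhfhfdhosnfd" is refused before it
// reaches the database or the mail() call. filter_var() needs PHP 5.2+.
function read_email(array $post)
{
    if (!isset($post['email']) || !is_string($post['email'])) {
        return null;
    }
    $email = trim($post['email']);
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false ? $email : null;
}

// Constructed sample requests: one accepted and one rejected case per check.
$licence_types = array('PPL', 'CPL', 'ATPL');                     // assumed option list
var_dump(read_job_id(array('job_id' => '42')));
var_dump(read_job_id(array('job_id' => array(''))));               // what ?job_id[] produces
var_dump(read_choice(array('licence' => 'ATPL'), 'licence', $licence_types));
var_dump(read_choice(array('licence' => '<script>'), 'licence', $licence_types));
var_dump(read_email(array('email' => 'pilot@example.com')));
var_dump(read_email(array('email' => 'fdhfhfdhosnfd')));           // the address from the thread
```

A rejected value (null) should end in an error page with no PHP warning reaching the client, which also closes the full path disclosure that the invalid drop-down values triggered.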
darkfreaks Posted December 6, 2007
I put htmlspecialchars before it, hopefully that will help. Also removed the unneeded [ on line 25. Please remove all the errors as I fix them so I know what is left to fix.
darkfreaks Posted December 6, 2007
I think I have fixed pretty much everything except for the edit profile page.
darkfreaks Posted December 6, 2007
I deleted that page, it was useless. Also fixed the upload.
darkfreaks Posted December 6, 2007
Wow, whoever made this needed to use htmlspecialchars and didn't. Finally, any remaining bugs?
darkfreaks Posted December 6, 2007
When I use <script src=http://shiflett.org/xss.js> to fill out the register and login page, it logs me in as an anonymous user and says welcome and shows all the pages, but when I click a page I am logged out and told that I am not a registered user? Is it catching the injection?? Also, when I hit submit when I register it says register complete, then logs me in as the user, then messes up the cookie, but when I go to my browser and delete the cookie the site is fine?? Should I be worried about that?
teng84 Posted December 7, 2007
Can we see how you use your XSS function to filter your vars?
darkfreaks Posted December 7, 2007
My XSS Function:

```php
<?php
function RemoveXSS($val) {
    // remove all non-printable characters. CR(0d), LF(0a) and TAB(09) are allowed
    // this prevents some character re-spacing such as <java\0script>
    // note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs
    // (the range stops at \x1f so that the space character, \x20, is kept)
    $val = preg_replace('/[\x00-\x08\x0b\x0c\x0e-\x1f]/', '', $val);

    // straight replacements, the user should never need these since they're normal characters
    // this prevents like <IMG SRC=@avascript:alert('XSS')>
    $search = 'abcdefghijklmnopqrstuvwxyz';
    $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $search .= '1234567890!@#$%^&*()';
    $search .= '~`";:?+/={}[]-_|\'\\';
    for ($i = 0; $i < strlen($search); $i++) {
        // ;? matches the ;, which is optional
        // 0{0,8} matches any padded zeros, which are optional and go up to 8 chars
        // @ @ search for the hex values (&#x41; -> A)
        $val = preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val); // with a ;
        // @ @ search for the decimal values (&#65; -> A)
        $val = preg_replace('/(&#0{0,8}'.ord($search[$i]).';?)/', $search[$i], $val); // with a ;
    }

    // now the only remaining whitespace attacks are \t, \n, and \r
    $ra1 = array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style',
        'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');
    $ra2 = array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy',
        'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint',
        'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick',
        'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged',
        'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave',
        'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish',
        'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup',
        'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave',
        'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend',
        'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize',
        'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted',
        'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit',
        'onunload');
    $ra = array_merge($ra1, $ra2);

    $found = true; // keep replacing as long as the previous round replaced something
    while ($found == true) {
        $val_before = $val;
        for ($i = 0; $i < sizeof($ra); $i++) {
            $pattern = '/';
            for ($j = 0; $j < strlen($ra[$i]); $j++) {
                if ($j > 0) {
                    // between the letters, allow any number of encoded tab/LF/CR
                    // characters: hex &#x9; &#xa; &#xb; or decimal &#9; &#10; &#13;
                    $pattern .= '(';
                    $pattern .= '(&#[xX]0{0,8}[9ab];?)';
                    $pattern .= '|(&#0{0,8}(9|10|13);?)';
                    $pattern .= ')*';
                }
                $pattern .= $ra[$i][$j];
            }
            $pattern .= '/i';
            $replacement = substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2); // add in <> to nerf the tag
            $val = preg_replace($pattern, $replacement, $val); // filter out the hex tags
        }
        if ($val_before == $val) {
            // no replacements were made in this round, so exit the loop
            $found = false;
        }
    }
    return $val;
}
?>
```

How I call it:

```php
<?php
include "../functions.php";
echo htmlspecialchars(RemoveXSS("<a href=$sessid>"));
?>
```
teng84 Posted December 7, 2007
What does XSS do? I think you don't need that!
darkfreaks Posted December 7, 2007
XSS is like javascript input, also known as cross site scripting.
teng84 Posted December 7, 2007
I know that, but look: echo htmlspecialchars(RemoveXSS("<a href=$sessid>")); What will htmlspecialchars and RemoveXSS do? I believe htmlspecialchars can do it all alone.
darkfreaks Posted December 7, 2007
RemoveXSS is supposed to remove all XSS/javascript exploits, but however, like you said, I have not implemented the function yet because I already have htmlspecialchars.
teng84 Posted December 7, 2007

```php
<?php
echo htmlentities('<a href="teng">').'<br>';
echo htmlentities('<h1>teng').'<br>';
echo htmlentities('<script>alert(1);<script>').'<br>';
echo htmlspecialchars('<a href="teng">').'<br>';
echo htmlspecialchars('<h1>teng').'<br>';
echo htmlspecialchars('<script>alert(1);<script>').'<br>';
?>
```

In that case there is no way for you to make the html tags work, because that is treated as a string.
darkfreaks Posted December 7, 2007
Wait, so was that a bad idea?
teng84 Posted December 7, 2007
I mean I don't think you need the XSS function. Based on the samples I gave you, those html tags won't work as html but will be treated as text to be displayed, so there's no way for them to use those tags.
darkfreaks Posted December 7, 2007
Well, if I used it before echoing html, will it treat it like it's not html and show the code? If so I need to use something else.
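The answer to that last question, as an added example that is not code from the thread: escaping the whole "<a href=$sessid>" string does turn the tag itself into visible text, whereas escaping only the data that goes inside the attribute keeps the tag working and leaves the value inert. h(), render_link() and render_textarea() are my own names; $sessid and the sample values are constructed from the payloads listed earlier in the thread.

```php
<?php
// Added example (not from the thread): escape the data, not the markup around it.

// Escape a value for use in an HTML text node or a quoted attribute. ENT_QUOTES
// also converts the single quote, which htmlspecialchars() leaves alone by default.
function h($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// The thread's "<a href=$sessid>" done the other way round: only $sessid is escaped,
// and the attribute is always quoted so a space or > in the value cannot start a
// new attribute or close the tag.
function render_link($sessid)
{
    return '<a href="' . h($sessid) . '">next page</a>';
}

// The "edit resume" finding: a field containing </textarea> would end the element
// early unless its < is encoded, which h() does.
function render_textarea($name, $value)
{
    return '<textarea name="' . h($name) . '">' . h($value) . '</textarea>';
}

// Constructed sample values of the kind agentsteal listed.
$sessid = '"><marquee><h1>vulnerable</marquee>';
$resume = '</textarea><script>alert(1)</script>';

// The original call: the <a> tag itself is shown as text, which is what darkfreaks saw.
echo htmlspecialchars("<a href=$sessid>"), "\n";
// Data-only escaping: the <a> and <textarea> survive as markup, the payload does not.
echo render_link($sessid), "\n";
echo render_textarea('resume', $resume), "\n";
```

This is why RemoveXSS() adds nothing once every untrusted value is passed through h() at the point where it is placed into HTML; it can only alter the data, never the surrounding tags.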