benn600 Posted December 7, 2007 Share Posted December 7, 2007 Well, I created a PHP/MySQL site that I would like to tell everyone about. It's called Gift Pathways: http://giftpathways.com/ It lets users signup and create a group for their entire family/group. Everyone then signs up and joins the same group. Each person then has a wish list and can mark other people's items as purchased (secretly). Plus, you can generate printable shopping lists, comment on items, add secret surprises, and much more. Please let me know what you think! I would appreciate help spreading the word because everyone I have personally told about it loves it. My family is using it, too. I told my co-worker and just a couple days later, his wife said it would be so cool if there was a site where you could put a wish list --- just like my site! Well, honey, there is! lol I made two versions over about 2-3 weeks. The first was just for my family and the second added public registration with groups to contain events. I'm constantly expanding it but will even be more motivated with more users. I want it to be USED! Please tell your friends! Link to comment Share on other sites More sharing options...
Coreye Posted December 7, 2007 Share Posted December 7, 2007 It sounds to me like you are advertising your website and you want people to critique it instead of testing the code. You should do that here; http://www.phpfreaks.com/forums/index.php/board,10.0.html. Anyways some flaws are... Your registration is vulnerable to cross site scripting. Cross Site Scripting: http://giftpathways.com/login.php/"><marquee><h1>vulnerable SQL: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '> vulnerable",0,0,0)' at line 1 Cross Site Scripting: http://giftpathways.com/contact.php/"><marquee><h1>vulnerable Link to comment Share on other sites More sharing options...
Coreye Posted December 7, 2007 Share Posted December 7, 2007 Theirs Cross Site Scripting when creating a group. You can submit "><marquee><h1>vulnerable into the fields and it will execute the code. Cross Site Scripting: http://giftpathways.com/item.php/"><marquee><h1>vulnerable Cross Site Scripting: http://giftpathways.com/message.php/"><marquee><h1>vulnerable Cross Site Scripting: http://giftpathways.com/profile.php/"><marquee><h1>vulnerable Cross Site Scripting: http://giftpathways.com/print.php/"><marquee><h1>vulnerable Cross Site Scripting: http://giftpathways.com/food.php/"><marquee><h1>vulnerable Cross Site Scripting: http://giftpathways.com/statistics.php/"><marquee><h1>vulnerable Cross Site Scripting: http://giftpathways.com/lockmembership.php/"><marquee><h1>vulnerable Cross Site Scripting: http://giftpathways.com/activity.php/"><marquee><h1>vulnerable Cross Site Scripting: http://giftpathways.com/invite.php/"><marquee><h1>vulnerable Cross Site Scripting: http://giftpathways.com/spread.php/"><marquee><h1>vulnerable Link to comment Share on other sites More sharing options...
benn600 Posted December 7, 2007 Author Share Posted December 7, 2007 It's for both purposes. How the heck did you do that?! How do I fix it? I had some others test some general security issues but I have never seen that before! Link to comment Share on other sites More sharing options...
benn600 Posted December 7, 2007 Author Share Posted December 7, 2007 What if I just checked the URL and if it has something after .php other than a question mark, exit? Link to comment Share on other sites More sharing options...
agentsteal Posted December 8, 2007 Share Posted December 8, 2007 Array: http://www.giftpathways.com/wishlist.php?u[] Cross Site Scripting: http://www.giftpathways.com/wishlist.php?u=<marquee><h1>vulnerable</marquee> Cross Site Scripting: http://www.giftpathways.com/wishlist.php/"><marquee><h1>vulnerable</marquee> Cross Site Scripting: http://www.giftpathways.com/spread.php/"><marquee><h1>vulnerable</marquee> Cross Site Scripting: http://www.giftpathways.com/login.php/"><marquee><h1>vulnerable</marquee> Cross Site Scripting: http://www.giftpathways.com/index.php/"><marquee><h1>vulnerable</marquee> Cross Site Scripting: http://www.giftpathways.com/index.php/"><marquee><h1>vulnerable</marquee> Cross Site Scripting: http://www.giftpathways.com/index.php/"><marquee><h1>vulnerable</marquee> Cross Site Scripting: http://www.giftpathways.com/index.php/"><marquee><h1>vulnerable</marquee> Cross Site Scripting: http://www.giftpathways.com/index.php/"><marquee><h1>vulnerable Cross Site Scripting: There is Cross Site Scripting if a group ID contains ">code. Cross Site Scripting: http://www.giftpathways.com/profile.php/"><marquee><h1>vulnerable</marquee> Cross Site Scripting: http://www.giftpathways.com/item.php/"><marquee><h1>vulnerable</marquee> Cross Site Scripting: http://www.giftpathways.com/print.php/"><marquee><h1>vulnerable</marquee> Cross Site Scripting: http://www.giftpathways.com/statistics.php/"><marquee><h1>vulnerable</marquee> Cross Site Scripting: http://www.giftpathways.com/groups.php/"><marquee><h1>vulnerable</marquee> Cross Site Scripting: http://www.giftpathways.com/food.php/"><marquee><h1>vulnerable</marquee> Cross Site Scripting: http://www.giftpathways.com/activity.php/"><marquee><h1>vulnerable</marquee> Cross Site Scripting: http://www.giftpathways.com/spread.php/"><marquee><h1>vulnerable</marquee> Cross Site Scripting: http://www.giftpathways.com/invite.php/"><marquee><h1>vulnerable</marquee> Cross Site Scripting: http://www.giftpathways.com/lockmembership.php/"><marquee><h1>vulnerable</marquee> Cross Site Scripting: http://www.giftpathways.com/contact.php/"><marquee><h1>vulnerable</marquee> Cross Site Scripting: http://www.giftpathways.com/index.php/"><marquee><h1>vulnerable</marquee> Cross Site Scripting: There is Cross Site Scripting when you register if the fields contain ">code. Cross Site Scripting: There is Cross Site Scripting if your username contains ">code. Drop Down Menu: If you edit the drop down menus on the group creation page you can submit arbitrary values. SQL Error: http://www.giftpathways.com/login.php/" You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"login"",0,0,0)' at line 1 SQL Error: http://www.giftpathways.com/contact.php/" You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"contact"",0,0,0)' at line 1 SQL Error: http://www.giftpathways.com/groups.php/" You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"groups"",0,0,0)' at line 1 SQL Error: http://www.giftpathways.com/profile.php/" You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"contact"",0,0,0)' at line 1 SQL Error: http://www.giftpathways.com/index.php/" You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '""",0,0,0)' at line 1 SQL Error: http://www.giftpathways.com/index.php/" You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '""",0,0,0)' at line 1 SQL Error: http://www.giftpathways.com/index.php/" You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '""",0,0,0)' at line 1 SQL Error: http://www.giftpathways.com/index.php/" You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '""",0,0,0)' at line 1 SQL Error: http://www.giftpathways.com/index.php/" You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '""",0,0,0)' at line 1 SQL Error: http://www.giftpathways.com/index.php/" You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '""",0,0,0)' at line 1 SQL Error: http://www.giftpathways.com/item.php/" You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"item"",0,0,0)' at line 1 SQL Error: http://www.giftpathways.com/print.php/" You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"print"",0,0,0)' at line 1 SQL Error: http://www.giftpathways.com/statistics.php/" You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '""",0,0,0)' at line 1 SQL Error: http://www.giftpathways.com/food.php/" You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '""",0,0,0)' at line 1 SQL Error: http://www.giftpathways.com/lockmembership.php/" You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '""",0,0,0)' at line 1 SQL Error: http://www.giftpathways.com/activity.php/" You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '""",0,0,0)' at line 1 SQL Error: http://www.giftpathways.com/spread.php/" You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '""",0,0,0)' at line 1 SQL Error: http://www.giftpathways.com/invite.php/" You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '""",0,0,0)' at line 1 SQL Error: There is a SQL Error if the drop down menus on the group creation page contain invalid values. Incorrect date value: 'a-a-a' for column 'groupEventDate' at row 1 SQL Error: http://www.giftpathways.com/spread.php/" You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '",0,0,0)' at line 1 SQL Error: http://www.giftpathways.com/wishlist.php?u=' You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\',0)' at line 1 SQL Error: http://www.giftpathways.com/wishlist.php?u=a Unknown column 'a' in 'field list' SQL Error: http://www.giftpathways.com/wishlist.php/" You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"wishlist"",40 AND 1=2,0,0)' at line 1 Link to comment Share on other sites More sharing options...
benn600 Posted December 8, 2007 Author Share Posted December 8, 2007 This is unbelievable and I'm outraged that Gift Pathways is so broken. What can I do to help fix it? It seems like there are two main problems: 1. Apache is accepting a connection to a specific file (index.php) even when there is a slash after the filename. 2. The quotes need to be replaced with "e; Would these two things fix most of these problems? How can I remedy the first? It seems very standard for you guys to tell me about all these problems so surely you have a moderately simple remedy for fixing them all! Do you have a bot that collects all this information? As far as "a" going to the date field on the group creation page, is it bad that I don't care that it gives a mysql error? Honestly, that is only for the hackers. What is the easiest way to check anyway in PHP? How can I check to see if a date is valid in PHP? Why should I? The only advantage would be that if users enter an invalid date (Feburary 31). So I wouldn't mind adding code here. How do I see if a date is valid? I have a good error scheme and it would be easy to add that in. Link to comment Share on other sites More sharing options...
benn600 Posted December 10, 2007 Author Share Posted December 10, 2007 So how do I fix the cross site scripting vulnerabilities of my site? Link to comment Share on other sites More sharing options...
burnside Posted December 11, 2007 Share Posted December 11, 2007 @agentsteal you owned that hahaha Link to comment Share on other sites More sharing options...
darkfreaks Posted July 9, 2008 Share Posted July 9, 2008 User credentials are sent in clear text The impact of this vulnerability A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection How to fix this vulnerability Because user credentials usually are considered sensitive information, it is recommended to be sent to the server over an encrypted connection. Vulnerability description HTTP TRACE method is enabled on this web server. In the presence of other cross-domain vulnerabilities in web browsers, sensitive header information could be read from any domains that support the HTTP TRACE method. This vulnerability affects Web Server. The impact of this vulnerability Attackers may abuse HTTP TRACE functionality to gain access to information in HTTP headers such as cookies and authentication data. How to fix this vulnerability Disable TRACE Method on the web server. Password type input with autocomplete enabled The impact of this vulnerability Possible sensitive information disclosure How to fix this vulnerability The password autocomplete should be disabled in sensitive applications. To disable autocomplete, you may use a code similar to: <INPUT TYPE="password" AUTOCOMPLETE="off"> Link to comment Share on other sites More sharing options...
Recommended Posts