intrktevo
Posted December 8, 2007

I'm coming out with an online food ordering system and need to beta test it before going live. Please PM me or send me a message on AIM (intrktevo) so we can talk! Thanks in advance.
Coreye
Posted December 8, 2007

> I'm coming out with an online food ordering system and need to beta test it before going live. Please PM me or send me a message on AIM (intrktevo) so we can talk! Thanks in advance.

You should just post the link on here... otherwise it's pretty much freelancing, which should be posted here: http://www.phpfreaks.com/forums/index.php/board,8.0.html.
intrktevo (Author)
Posted December 9, 2007

The URL is http://tinyurl.com/ywowfd or (http://preview.tinyurl.com/ywowfd). I'm not posting the link directly so it doesn't get picked up by Google here and then put in the results for my URL.

Login info: test/password
agentsteal
Posted December 9, 2007

Array: http://www.knightlyfood.com/food.php?c[]

Cross Site Scripting: http://www.knightlyfood.com/food.php?c=</title><script>alert(1337)</script>

Cross Site Scripting: There is Cross Site Scripting when you register if the fields contain ">code.

Cross Site Scripting: There is Cross Site Scripting if your username contains ">code.

Cross Site Scripting: There is Cross Site Scripting if the reviews contain code.

Cross Site Scripting: There is Cross Site Scripting on the forgotten password page if the fields contain ">code.

Drop Down Menu: If you edit the category drop down menu you can submit arbitrary values.

Full Path Disclosure: http://www.knightlyfood.com/search.php
Warning: implode() [function.implode]: Bad arguments. in /homepages/41/d203635766/htdocs/knightlyfoodNew/search.php on line 56
intrktevo (Author)
Posted December 9, 2007

> If you edit the category drop down menu you can submit arbitrary values.
> Array: http://www.knightlyfood.com/food.php?c[]
> Cross Site Scripting: http://www.knightlyfood.com/food.php?c=</title><script>alert(1337)</script>
> Full Path Disclosure: http://www.knightlyfood.com/search.php
> Warning: implode() [function.implode]: Bad arguments. in /homepages/41/d203635766/htdocs/knightlyfoodNew/search.php on line 56
> There is Cross Site Scripting if you try to register with ">code in the fields.
> There is Cross Site Scripting if you log in with ">code in your username.
> The edit profile page is vulnerable to Cross Site Scripting if the fields contain ">code.
> The reviews are vulnerable to Cross Site Scripting if they contain code.
> There is Cross Site Scripting if you submit ">code on the forgotten password page.

Wow, thanks, I really appreciate it. It's hard trying to catch everything alone. I'm pretty sure I fixed anything on the list page dealing with ?c=. Is doing something like this acceptable for the other stuff:

    //block html tags and what not
    foreach($_POST as $j=>$k) {
        $_POST[$j] = strip_html_tags($k);
    }
therealwesfoster
Posted December 10, 2007

There is Cross Site Scripting when you insert ">code in the search form.

There is Cross Site Scripting when you insert ">code in the "change address" form.
intrktevo (Author)
Posted December 10, 2007

> There is Cross Site Scripting when you insert ">code in the search form.
> There is Cross Site Scripting when you insert ">code in the "change address" form.

In what sense? When I type it in, the page just says "We're sorry, but there are no restaurants matching your search term ">."
Coreye
Posted December 10, 2007

> > There is Cross Site Scripting when you insert ">code in the search form.
> > There is Cross Site Scripting when you insert ">code in the "change address" form.
>
> In what sense? When I type it in, the page just says "We're sorry, but there are no restaurants matching your search term ">."

Type "><marquee><h1>vulnerable or "><font color="#FF0000"><h1>vulnerable into the search field.
intrktevo (Author)
Posted December 11, 2007

> > > There is Cross Site Scripting when you insert ">code in the search form.
> > > There is Cross Site Scripting when you insert ">code in the "change address" form.
> >
> > In what sense? When I type it in, the page just says "We're sorry, but there are no restaurants matching your search term ">."
>
> Type "><marquee><h1>vulnerable or "><font color="#FF0000"><h1>vulnerable into the search field.

Ah ok, fixing now =)
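The two fixes the thread circles around are the stripping loop intrktevo asked about and the search-form echo Coreye demonstrated. The following is an added example, not code from the thread or from the knightlyfood site, showing the approach a reviewer would normally recommend instead: keep input as-is, escape it at the point it is written into HTML, reject the array form of a query parameter (the ?c[] case), validate the category against a known list (the editable drop-down), and keep PHP warnings out of the response (the search.php path disclosure). All function names here are assumptions chosen for the example.

```php
<?php
// Added example (assumed helper names; the site's real code is not shown in the thread).
declare(strict_types=1);

// Keep the implode() warning and its full path out of the page; log it instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/** Escape a string for insertion into HTML text or a double-quoted attribute. */
function h(string $s): string
{
    // ENT_QUOTES is what makes a ">-style break-out harmless inside value="...".
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Read a query parameter as a string. ?c[] arrives as an array, and passing
 * that to string functions is what produced the "Array" behaviour on food.php.
 */
function query_string_param(array $query, string $name, string $default = ''): string
{
    if (!isset($query[$name]) || !is_string($query[$name])) {
        return $default;
    }
    return $query[$name];
}

/** The category list can be edited client-side, so only known ids are accepted. */
function valid_category(string $c, array $allowed): ?string
{
    return in_array($c, $allowed, true) ? $c : null;
}

/** Render the "no restaurants" page: the term appears in the title, the body and the input. */
function render_search_page(string $term): string
{
    $safe = h($term);
    return "<title>Search: {$safe}</title>\n"
        . "<p>We're sorry, but there are no restaurants matching your search term \"{$safe}\".</p>\n"
        . "<form><input type=\"text\" name=\"q\" value=\"{$safe}\"></form>\n";
}

// Constructed sample requests built from the probes posted in this thread.
$samples = [
    ['q' => '"><marquee><h1>vulnerable'],
    ['q' => '</title><script>alert(1337)</script>'],
    ['q' => ['not', 'a', 'string']],   // the ?c[] shape
];
foreach ($samples as $get) {
    echo render_search_page(query_string_param($get, 'q')), "\n";
}

$allowed = ['1', '2', '3'];   // constructed category ids
var_dump(valid_category('2', $allowed));    // string(1) "2"
var_dump(valid_category('99', $allowed));   // NULL
```

Stripping tags on the way in, as in the foreach over $_POST, does not cover the cases reported here: a bare "> contains no tag to strip yet still closes the attribute and the input element, and the same stored value may later be printed into the title, a review body and an attribute, each of which needs escaping at output. Escaping with htmlspecialchars(ENT_QUOTES) at every HTML sink leaves the stored data intact and handles all three contexts in this example; a value placed into JavaScript or a URL would need a different encoder.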
intrktevo (Author)
Posted December 11, 2007

Everything up till now should be fixed! Thanks a lot for the help. I appreciate anything that anyone can find too!