mr_mind Posted December 19, 2007

Everywhere I went to find out how I could check to see if a user is online by using sessions, or even count the users online using sessions, I was told that it was not possible and that I had to use a database or it would not work. Well, it seems as if everyone I went to was wrong. I have developed a script which will do just that. I had a lot of bugs along the way, but that is to be expected of any script, is it not? Anyway, I just wanted to see if you guys could poke around in it for a bit and tell me if it could be maliciously hacked and how I might guard against it. I would also like to know of any ways this particular way of doing it may not work as well as it is supposed to.

download: http://www2.iqlogin.net/download/index.php

It is currently the only download available at that link, but there is more to come. If you have any questions or comments about it, please send them to iql-online@iqlogin.net.

Thanks for all of the help,
Quinn (a.k.a. mr. mind)
agentsteal Posted December 19, 2007

Admin Access: The PHP Source Code Disclosure reveals your password.

Cross Site Scripting: There is Cross Site Scripting on http://www2.iqlogin.net/mr_layoutguy/intro.php if the fields contain ">code.

Full Path Disclosure: http://www2.iqlogin.net/admin/
Fatal error: Call to undefined function member_menu() in /var/www/localhost/htdocs/admin/index.php on line 18

Full Path Disclosure: http://www2.iqlogin.net/design/submit.php
Fatal error: Call to undefined function member_menu() in /var/www/localhost/htdocs/design/submit.php on line 18

Full Path Disclosure: http://www2.iqlogin.net/dsl/page-views.php
Fatal error: Call to undefined function member_menu() in /var/www/localhost/htdocs/dsl/page-views.php on line 18

Full Path Disclosure: http://www2.iqlogin.net/download/iql-online-1.1/module.php
Warning: require_once(/var/www/localhost/htdocs/iql-online-1.1/config.php) [function.require-once]: failed to open stream: No such file or directory in /var/www/localhost/htdocs/download/iql-online-1.1/module.php on line 2
Fatal error: require_once() [function.require]: Failed opening required '/var/www/localhost/htdocs/iql-online-1.1/config.php' (include_path='.:/usr/share/php5:/usr/share/php') in /var/www/localhost/htdocs/download/iql-online-1.1/module.php on line 2

Full Path Disclosure: http://www2.iqlogin.net/inc/modules/member_menu.php
Fatal error: Call to undefined function verify_user() in /var/www/localhost/htdocs/inc/modules/member_menu.php on line 4

Full Path Disclosure: http://www2.iqlogin.net/inc/modules/other_menu.php
Fatal error: Call to undefined function verify_user() in /var/www/localhost/htdocs/inc/modules/other_menu.php on line 10

Full Path Disclosure: http://www2.iqlogin.net/user/activate.php
Parse error: syntax error, unexpected T_ELSE in /var/www/localhost/htdocs/user/activate.php on line 71

Full Path Disclosure: http://www2.iqlogin.net/inc/modules/users_active.php
Fatal error: Call to undefined function user_online() in /var/www/localhost/htdocs/inc/modules/users_active.php on line 29

Includes Directory: http://www2.iqlogin.net/inc/
Includes Directory: http://www2.iqlogin.net/site/

PHP Source Code Disclosure: There is PHP Source Code Disclosure on multiple pages if you add ~ at the end of the URL.

SQL Dump: http://www2.iqlogin.net/tables.sql
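The findings in the post above are all one family: the server hands back things it should never serve (PHP error text with absolute paths, editor backup copies such as index.php~ returned as raw source, autoindex listings of include directories, a .sql dump, and a `">` payload echoed unescaped). The following is an added example, not code from the thread or from the iql-online script, that checks response bodies for each of those leak classes offline. The sample responses are constructed for the example (the first error text is the one quoted above); the backup suffixes other than `~`, the helper names, and the URL labels are assumptions.

```python
"""Classify HTTP response bodies for the leak classes reported in the thread.
Added example; runs offline over constructed sample responses."""
import re
from html import escape
from urllib.parse import urlsplit, urlunsplit

# PHP display_errors format: "<kind>: <message> in <absolute path> on line <n>"
PHP_ERROR_RE = re.compile(
    r"(?P<kind>Fatal error|Parse error|Warning|Notice)\s*:\s*"
    r"(?P<msg>.*?)\s+in\s+(?P<path>/\S+?)\s+on\s+line\s+(?P<line>\d+)",
    re.DOTALL,
)
TAG_RE = re.compile(r"<[^>]+>")                       # html_errors wraps fields in <b>
DIR_INDEX_RE = re.compile(r"<title>\s*Index of\s+(?P<dir>/[^<]*?)\s*</title>", re.I)
SQL_DUMP_RE = re.compile(r"^\s*(?:CREATE TABLE|INSERT INTO|DROP TABLE)\b", re.M | re.I)
# '~' (Emacs/joe-style backups) is the suffix confirmed in the thread; the
# rest are assumed common leftovers from editors and deploy scripts.
BACKUP_SUFFIXES = ("~", ".bak", ".old", ".orig", ".save")


def backup_candidates(url):
    """URLs at which a backup copy of the script at `url` might be served
    verbatim, because the web server only hands *.php to the interpreter."""
    parts = urlsplit(url)
    cands = [urlunsplit(parts._replace(path=parts.path + s, query="", fragment=""))
             for s in BACKUP_SUFFIXES]
    head, _, name = parts.path.rpartition("/")        # vim swap file: /dir/.name.swp
    cands.append(urlunsplit(parts._replace(path=f"{head}/.{name}.swp", query="", fragment="")))
    return cands


def path_disclosures(body):
    """(kind, absolute path, line) for every PHP error message in `body`."""
    text = TAG_RE.sub("", body)
    return [(m.group("kind"), m.group("path"), int(m.group("line")))
            for m in PHP_ERROR_RE.finditer(text)]


def served_php_source(body):
    """True when PHP tags came back, i.e. the file was served, not executed."""
    return "<?php" in body or "<?=" in body


def reflects_unescaped(marker, body):
    """True when `marker` (e.g. '\">') is echoed verbatim; an escaped echo
    would read '&quot;&gt;' and could not close the attribute."""
    return marker in body


def classify(url, body):
    """Findings for one response; `url` only labels them."""
    findings = []
    for kind, path, line in path_disclosures(body):
        findings.append(f"{url}: full-path-disclosure ({kind}) {path}:{line}")
    if served_php_source(body):
        findings.append(f"{url}: source-disclosure (raw PHP returned)")
    m = DIR_INDEX_RE.search(body)
    if m:
        findings.append(f"{url}: directory-listing {m.group('dir')}")
    if SQL_DUMP_RE.search(body):
        findings.append(f"{url}: sql-dump served as a file")
    return findings


# Constructed sample responses. SAMPLE_FPD is the error quoted in the thread,
# wrapped the way PHP's html_errors renders it.
SAMPLE_FPD = ("<b>Fatal error</b>:  Call to undefined function member_menu() in "
              "<b>/var/www/localhost/htdocs/admin/index.php</b> on line <b>18</b>")
SAMPLE_SOURCE = "<?php\n$db_user = 'iql';\n$db_pass = 'secret';\n?>\n"     # constructed
SAMPLE_INDEX = "<html><head><title>Index of /inc</title></head><body>...</body></html>"
SAMPLE_SQL = "-- dump\nCREATE TABLE users (id int, name varchar(32));\nINSERT INTO users VALUES (1, 'a');\n"
PAYLOAD = '">code'
SAMPLE_XSS = f'<input type="text" name="title" value="{PAYLOAD}">'           # echoed raw
SAMPLE_SAFE = f'<input type="text" name="title" value="{escape(PAYLOAD, quote=True)}">'

SAMPLES = {
    "http://www2.iqlogin.net/admin/": SAMPLE_FPD,
    "http://www2.iqlogin.net/download/index.php~": SAMPLE_SOURCE,
    "http://www2.iqlogin.net/inc/": SAMPLE_INDEX,
    "http://www2.iqlogin.net/tables.sql": SAMPLE_SQL,
}


def run_samples():
    """Classify every constructed sample; returns {url: [findings]}."""
    return {url: classify(url, body) for url, body in SAMPLES.items()}


if __name__ == "__main__":
    for found in run_samples().values():
        for f in found:
            print(f)
    print("xss reflected raw:", reflects_unescaped(PAYLOAD, SAMPLE_XSS),
          "escaped:", reflects_unescaped(PAYLOAD, SAMPLE_SAFE))
```

The classifier only confirms what the server already leaked; the fixes are on the server side. Set display_errors=Off and log_errors=On so error text stays in the log, deny the web server access to backup patterns such as `*~` and `*.bak` (or do not deploy from a working tree that contains them), disable autoindex on include directories, keep config.php and SQL dumps outside the document root, and pass user input through htmlspecialchars() with ENT_QUOTES before echoing it into an attribute.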
mr_mind Posted December 27, 2007

Thanks, I have fixed all of those leaks. Would it not have been better to maybe... send this to my inbox instead of announcing it to the entire world?
drummer101 Posted December 29, 2007

You asked for it. Did you not see all the other threads in the forum? It's what you're posting to get.
mr_mind Posted December 30, 2007

Not quite. If you actually read my original post, you will see that I asked to see if a certain script (link shown in the first post) was secure and correct. Not my entire site.
jos. Posted December 30, 2007

--off topic--
I think that if you fixed them, you should be grateful someone trying to help you found them before someone who had no intention of helping you found them.

Jos.
mr_mind Posted December 30, 2007

I am grateful, I just think it would be less harmful if he sent it to my inbox instead of to everyone who reads this forum, who may see it before me.
stelthius Posted January 4, 2008

Everyone can learn from someone's mistakes; this post might have helped someone else out too... I don't think he meant any harm.