phaser Posted December 19, 2007

Hi, I have made a program called php-radio. It's a radio station emulation. I'm the first one that I have seen that has done something like this. It was designed to stream for Winamp, so keep that in mind.

Links:
download at http://dream-code.net/
demo at http://php-radio.dream-code.net/
wiki at http://wiki.dream-code.net

helraizer Posted December 19, 2007

XSS vulnerability:
http://php-radio.dream-code.net/?page=songlist&station=%22%3E%3Cscript%3Ewindow.close();%3C/script%3E

Be careful with that.

Sam

agentsteal Posted December 19, 2007

Array: http://php-radio.dream-code.net/index.php?page[]
Array: http://php-radio.dream-code.net/index.php?station[]
Array: http://php-radio.dream-code.net/playlist.php?type[]

Cross Site Scripting: http://php-radio.dream-code.net/index.php?station=</title><marquee><h1>vulnerable
Cross Site Scripting: http://php-radio.dream-code.net/index.php?station=<marquee><h1>vulnerable

Directory Traversal: http://php-radio.dream-code.net/index.php?page=a/../index

Full Path Disclosure: http://php-radio.dream-code.net/pages/playlist.php
Fatal error: Call to a member function get() on a non-object in /mounted-storage/home37b/sub001/sc29565-MPEY/php-radio/pages/playlist.php on line 5

Full Path Disclosure: http://php-radio.dream-code.net/pages/users.php
Fatal error: Call to a member function get_users_online_names() on a non-object in /mounted-storage/home37b/sub001/sc29565-MPEY/php-radio/pages/users.php on line 4

Full Path Disclosure: http://php-radio.dream-code.net/pages/stations.php
Fatal error: Call to a member function get() on a non-object in /mounted-storage/home37b/sub001/sc29565-MPEY/php-radio/pages/stations.php on line 50

Full Path Disclosure: http://php-radio.dream-code.net/pages/admins.php
Fatal error: Call to a member function get_admins() on a non-object in /mounted-storage/home37b/sub001/sc29565-MPEY/php-radio/pages/admins.php on line 7

Full Path Disclosure: http://php-radio.dream-code.net/pages/addsongs.php
Warning: require_once(getid3/getid3.php) [function.require-once]: failed to open stream: No such file or directory in /mounted-storage/home37b/sub001/sc29565-MPEY/php-radio/pages/addsongs.php on line 112
Fatal error: require_once() [function.require]: Failed opening required 'getid3/getid3.php' (include_path='.:/usr/local/lib/php/') in /mounted-storage/home37b/sub001/sc29565-MPEY/php-radio/pages/addsongs.php on line 112

Full Path Disclosure: http://php-radio.dream-code.net/pages/logout.php
Fatal error: Call to undefined function Redirect() in /mounted-storage/home37b/sub001/sc29565-MPEY/php-radio/pages/logout.php on line 5

URL Inclusion: http://php-radio.dream-code.net/index.php?page=http://www.google.com/

User Enumeration: http://php-radio.dream-code.net/~root

phaser (Author) Posted December 19, 2007

> XSS vulnerability:
> http://php-radio.dream-code.net/?page=songlist&station=%22%3E%3Cscript%3Ewindow.close();%3C/script%3E
>
> Be careful with that.
>
> Sam

Can you tell me why? What will it harm?

phaser (Author) Posted December 19, 2007

> URL Inclusion: http://php-radio.dream-code.net/index.php?page=http://www.google.com/
> Array: http://php-radio.dream-code.net/index.php?page[]
> Directory Traversal: http://php-radio.dream-code.net/index.php?page=a/../index
> Cross Site Scripting: http://php-radio.dream-code.net/index.php?station=</title><marquee><h1>vulnerable
> Cross Site Scripting: http://php-radio.dream-code.net/index.php?station=<marquee><h1>vulnerable
> Array: http://php-radio.dream-code.net/index.php?station[]
> Array: http://php-radio.dream-code.net/playlist.php?type[]
> User Enumeration: http://php-radio.dream-code.net/~root/

Yes, I understand. I have to put a filter on the page variable. Thanks.

phaser (Author) Posted December 19, 2007

> Full Path Disclosure: http://php-radio.dream-code.net/pages/playlist.php
> Fatal error: Call to a member function get() on a non-object in /mounted-storage/home37b/sub001/sc29565-MPEY/php-radio/pages/playlist.php on line 5
>
> Full Path Disclosure: http://php-radio.dream-code.net/pages/users.php
> Fatal error: Call to a member function get_users_online_names() on a non-object in /mounted-storage/home37b/sub001/sc29565-MPEY/php-radio/pages/users.php on line 4
>
> Full Path Disclosure: http://php-radio.dream-code.net/pages/stations.php
> Fatal error: Call to a member function get() on a non-object in /mounted-storage/home37b/sub001/sc29565-MPEY/php-radio/pages/stations.php on line 50
>
> Full Path Disclosure: http://php-radio.dream-code.net/pages/admins.php
> Fatal error: Call to a member function get_admins() on a non-object in /mounted-storage/home37b/sub001/sc29565-MPEY/php-radio/pages/admins.php on line 7
>
> Full Path Disclosure: http://php-radio.dream-code.net/pages/addsongs.php
> Warning: require_once(getid3/getid3.php) [function.require-once]: failed to open stream: No such file or directory in /mounted-storage/home37b/sub001/sc29565-MPEY/php-radio/pages/addsongs.php on line 112
> Fatal error: require_once() [function.require]: Failed opening required 'getid3/getid3.php' (include_path='.:/usr/local/lib/php/') in /mounted-storage/home37b/sub001/sc29565-MPEY/php-radio/pages/addsongs.php on line 112
>
> Full Path Disclosure: http://php-radio.dream-code.net/pages/logout.php
> Fatal error: Call to undefined function Redirect() in /mounted-storage/home37b/sub001/sc29565-MPEY/php-radio/pages/logout.php on line 5

I think adding error_reporting(0); to all files will stop outputting these things. Thanks.

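Added example (not from any poster in this thread and not php-radio's own code): one way a front controller can handle the reported page, station, array-parameter and path-disclosure issues together, in PHP. The file layout, page list, default page and output markup are assumptions inferred from the URLs and error messages quoted above.

```php
<?php
// Hypothetical index.php for illustration; names below are assumptions.

// Hide error text (and the filesystem paths in it) from visitors, but keep
// logging it server-side so failures are still visible to the operator.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// Each pages/*.php can start with:
//   if (!defined('IN_APP')) { http_response_code(404); exit; }
// so a direct request to pages/playlist.php never reaches the failing call.
define('IN_APP', true);

// Assumed page names, taken from the URLs and file names in the thread.
const PAGES = ['songlist', 'playlist', 'users', 'stations', 'admins', 'addsongs', 'logout'];

// Return a request parameter only if it is a plain string.
// ?page[] or ?station[] arrives as an array and is treated as missing.
function scalar_param(array $src, string $key, string $default = ''): string
{
    return (isset($src[$key]) && is_string($src[$key])) ? $src[$key] : $default;
}

// Map ?page= onto a fixed list. Values such as "a/../index" or
// "http://www.google.com/" are not in the list and fall back to the default.
function resolve_page(array $src, string $default = 'songlist'): string
{
    $page = scalar_param($src, 'page', $default);
    return in_array($page, PAGES, true) ? $page : $default;
}

// Encode for HTML text and quoted attribute values, so "> and </title>
// in ?station= are displayed as text instead of being parsed as markup.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$page    = resolve_page($_GET);
$station = scalar_param($_GET, 'station');

// Assumed markup: the station name reflected in the title and in a form field.
echo '<title>php-radio - ' . html($station) . '</title>', "\n";
echo '<input type="hidden" name="station" value="' . html($station) . '">', "\n";

// The include path is built only from an allowlisted name, never from raw input.
$file = __DIR__ . '/pages/' . $page . '.php';
if (is_file($file)) {
    require $file;
}
```
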
phaser (Author) Posted December 19, 2007

Any more, please post.

pquery Posted December 25, 2007

Are you streaming anything? I tested with the Winamp link and it could never seem to connect.

Coreye Posted December 25, 2007

You haven't fixed anything that agentsteal posted. Once you fix those, then come back and ask if there's anything else.

phaser (Author) Posted December 30, 2007

Hi, I have updated the script. Please check it. Thanks.

phaser (Author) Posted January 2, 2008

Eh, anyone???

Coreye Posted January 2, 2008

Remove

    var browserName=navigator.appName;
    if (browserName=="Microsoft Internet Explorer")
    {
        window.resizeTo(763, 520);
    }
    else
    {
        window.resizeTo(745, 510);
    }
    var req;

and maybe someone will test it. That just gets annoying.