MCAT = Medical College Admission Test

 

I am coding this site as an exercise meant to help me learn PHP and MySQL.  It is probably way over my head, but I have been making strides (forward).  Now I think that I am at the point where I should ask for some more experienced coders to take a look.

 

Specifically, I would very much like to know any security flaws that are open to the general public (non-members) as well as non-administrative members.

 

Prior to login, this goes for the login section and the registration section.  Following login, it applies to all pages that require input or execute any code.

 

If you have any additional ideas, suggestions, or comments, please do not hesitate to let me know.

 

Special thanks to [agentsteal]

 

The URL:  www.mcatzone.com

 

Username:  whoever

Password:  whatever

 

Please leave the site and DB intact if you find a security hole.  Thanks :)

 

https://forums.phpfreaks.com/topic/82620-beta-testing-of-mcat-website/

Array:

http://www.mcatzone.com/glosslet.php?letter[]

 

Array:

http://www.mcatzone.com/mark_rand.php?a20[]

 

Array:

http://www.mcatzone.com/mark_spec.php?answer[]

 

Cross Site Scripting:

http://www.mcatzone.com/glosslet.php?letter="><marquee>vulnerable</marquee>

 

Cross Site Scripting:

http://www.mcatzone.com/mark_spec.php?answer=<marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://www.mcatzone.com/mark_rand.php?a20=<marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

There is Cross Site Scripting if the drop down menu on http://www.mcatzone.com/testsetting.php contains code.

 

Cross Site Scripting:

There is Cross Site Scripting if your username contains code.

 

Cross Site Scripting:

There is Cross Site Scripting on http://www.mcatzone.com/testsetting.php if the fields contain code.

 

Directory Traversal:

http://www.mcatzone.com/glosslet.php?letter=../../icons/binary

 

Drop Down Menu:

If you edit the drop down menu on http://www.mcatzone.com/testsetting.php you can submit arbitrary values.

 

Includes Directory:

http://www.mcatzone.com/include/

 

Maximum Length:

If you edit the input boxes on http://www.mcatzone.com/testsetting.php you can remove the maximum lengths.

 

PHP Source Code Disclosure:

There is PHP Source Code Disclosure on the 404 page.

 

SQL Error:

'online' Database INSERT Error

 

SQL Error:

There is an SQL Error on http://www.mcatzone.com/testsetting.php if the fields contain invalid values.

Error in query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1

 

User Enumeration:

http://www.mcatzone.com/~root
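Most of the findings above (the "Array" notices from `letter[]`, the marquee and quote payloads, the `../../` path, and the MySQL error text reaching the page) have one root cause: the handler takes the raw query-string value and passes it on to SQL, the filesystem and the HTML unchanged. As an added example that is not agentsteal's code or the site's own, here is how a page like glosslet.php can be written so each of those inputs is rejected or encoded first. The PDO connection details, the `glossary` table and the `templates/` directory are assumptions for illustration.

```php
<?php
// Added example (not the site's code): a hardened handler for a page like
// glosslet.php that takes ?letter=... from the query string.
// Assumptions: the PDO DSN/credentials, the table glossary(letter, term,
// definition) and the per-letter files under templates/ are hypothetical.

declare(strict_types=1);

/**
 * Validate the `letter` parameter.
 *  - `?letter[]` arrives as an array, not a string: reject it (the "Array" notices).
 *  - Anything but a single ASCII letter is rejected, so "../" traversal and
 *    '"><marquee>' payloads never reach SQL, the filesystem or the page.
 */
function validateLetter($raw): ?string
{
    if (!is_string($raw)) {
        return null;                       // array or missing -> invalid
    }
    if (!preg_match('/^[A-Za-z]$/', $raw)) {
        return null;
    }
    return strtoupper($raw);
}

function fetchGlossary(PDO $pdo, string $letter): array
{
    // Prepared statement: the value is bound, never interpolated, so a quote
    // in the input can no longer produce "Error in query: ... near '\''".
    $stmt = $pdo->prepare(
        'SELECT term, definition FROM glossary WHERE letter = :letter ORDER BY term'
    );
    $stmt->execute([':letter' => $letter]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function templatePathForLetter(string $letter): ?string
{
    // Build the path only from the validated value, then confirm the resolved
    // file still lies inside templates/ (belt and braces against traversal).
    $base = realpath(__DIR__ . '/templates');
    if ($base === false) {
        return null;
    }
    $path = realpath($base . '/' . $letter . '.php');
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function h(string $s): string
{
    // Output encoding for an HTML body context (stops the XSS findings).
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$letter = validateLetter($_GET['letter'] ?? null);
if ($letter === null) {
    http_response_code(400);
    echo 'Please choose a letter A-Z.';    // fixed text; the bad input is not echoed
    exit;
}

// Placeholder credentials; use the site's real ones from a file outside the web root.
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // errors become exceptions...
    PDO::ATTR_EMULATE_PREPARES => false,
]);

try {
    $rows = fetchGlossary($pdo, $letter);
} catch (PDOException $e) {
    error_log($e->getMessage());           // ...which go to the log, not the browser
    http_response_code(500);
    echo 'Sorry, something went wrong.';
    exit;
}

echo '<h1>Glossary: ' . h($letter) . '</h1><dl>';
foreach ($rows as $row) {
    echo '<dt>' . h($row['term']) . '</dt><dd>' . h($row['definition']) . '</dd>';
}
echo '</dl>';

$tpl = templatePathForLetter($letter);
if ($tpl !== null) {
    include $tpl;                          // only a whitelisted, in-directory file
}
```

The same three moves (reject anything that is not the expected shape, bind SQL parameters, encode on output) apply to `answer` in mark_spec.php and `a20` in mark_rand.php; only the validation pattern changes.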

agentsteal, or anyone else who can help,

 

How do I get around this?  Is it just a matter of coding restrictions after the form has been submitted?

 

If you edit the drop down menu on http://www.mcatzone.com/testsetting.php you can submit arbitrary values.

 

Also, what do I do about these 'Array' issues?

 

 

I've got about half of these errors covered, just trying to get the rest figured out ...
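The drop-down and maximum-length findings on testsetting.php are the same lesson in form handling: anything the browser enforces (the option list, `maxlength`) can be changed by the visitor, so the server has to repeat the check. As an added example that is not the site's code, here is server-side validation for such a form against a whitelist of options and numeric ranges, with the save done through a bound query so the MySQL error text is never produced. The field names, option list, limits and the `users` table are assumptions.

```php
<?php
// Added example (not the site's code): server-side validation for a settings
// form like testsetting.php. Field names, the allowed option list, the numeric
// limits, the `users` table and the DB credentials are assumptions.

declare(strict_types=1);
session_start();

// The only values the <select> is meant to offer. The browser's copy of this
// list can be edited, so the server keeps its own and checks against it.
const ALLOWED_MODES = ['timed', 'untimed', 'review'];

// Numeric fields with (min, max) instead of trusting the maxlength attribute.
const INT_FIELDS = [
    'num_questions' => [1, 100],
    'minutes'       => [1, 180],
];

/**
 * Returns ['clean' => typed values, 'errors' => per-field messages].
 * Every value is typed and range-checked here, whatever the HTML said.
 */
function validateSettings(array $post): array
{
    $clean  = [];
    $errors = [];

    $mode = $post['mode'] ?? null;
    if (!is_string($mode) || !in_array($mode, ALLOWED_MODES, true)) {
        $errors['mode'] = 'Invalid test mode.';
    } else {
        $clean['mode'] = $mode;
    }

    foreach (INT_FIELDS as $name => [$min, $max]) {
        $raw = $post[$name] ?? null;
        // FILTER_VALIDATE_INT rejects letters, punctuation and arrays;
        // min/max bound the value so "999999" cannot slip through either.
        $val = is_string($raw)
            ? filter_var($raw, FILTER_VALIDATE_INT,
                ['options' => ['min_range' => $min, 'max_range' => $max]])
            : false;
        if ($val === false) {
            $errors[$name] = "Enter a whole number between $min and $max.";
        } else {
            $clean[$name] = $val;
        }
    }

    return ['clean' => $clean, 'errors' => $errors];
}

function saveSettings(PDO $pdo, int $userId, array $clean): void
{
    // Bound parameters: a quote in any field can no longer break the query.
    $stmt = $pdo->prepare(
        'UPDATE users SET mode = :mode, num_questions = :nq, minutes = :min WHERE id = :id'
    );
    $stmt->execute([
        ':mode' => $clean['mode'],
        ':nq'   => $clean['num_questions'],
        ':min'  => $clean['minutes'],
        ':id'   => $userId,
    ]);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (empty($_SESSION['user_id'])) {
        http_response_code(403);
        exit('Please log in.');
    }
    $result = validateSettings($_POST);
    if ($result['errors']) {
        foreach ($result['errors'] as $field => $msg) {
            // Only our own fixed messages are shown, and they are encoded anyway.
            echo '<p>' . htmlspecialchars($field . ': ' . $msg, ENT_QUOTES, 'UTF-8') . '</p>';
        }
    } else {
        // Placeholder credentials; keep the real ones in a file outside the web root.
        $pdo = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
        try {
            saveSettings($pdo, (int) $_SESSION['user_id'], $result['clean']);
            echo '<p>Settings saved.</p>';
        } catch (PDOException $e) {
            error_log($e->getMessage());   // detail to the log, never to the page
            echo '<p>Could not save settings.</p>';
        }
    }
}
```

The HTML `maxlength` and the `<select>` options stay as a convenience for honest users; they just stop being the only line of defence.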

Ahh ... yes.  Now I know where the a20 comes from.  Thanks.

 

About the "'online' Database INSERT Error" ... it only occurs if you refresh real fast.  I think it's only because of the speed of the server.

 

How do I get around this?

 

--------------------------------------------------------------------------------------------------------------------------------------

Cross Site Scripting:

http://www.mcatzone.com/mark_spec.php?answer=<marquee>vulnerable

--------------------------------------------------------------------------------------------------------------------------------------

 

Is it just a matter of formatting the input in the code of mark_spec.php?  I'm guessing so, but just need to make sure.

 

http://www.mcatzone.com/testsetting.php

 

You aren't doing any validation on the first 2 textboxes; you can type letters, punctuation, etc. in there.

 

Error in query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ee' at line 1

 

You can also register with punctuation as your username, i.e. '''''"""!#@#@


Vulnerability description

This alert was generated using only banner information. It may be a false positive.

 

A stack-based buffer overflow has been reported in the Apache mod_ssl module. This issue would most likely result in a denial of service if triggered, but could theoretically allow for execution of arbitrary code. The issue is not believed to be exploitable to execute arbitrary code on x86 architectures, though this may not be the case with other architectures.

 

Affected mod_ssl versions (up to 2.8.17).

 

This vulnerability affects mod_ssl.

The impact of this vulnerability

Denial of service and/or possible arbitrary code execution.

Attack details

Current version is mod_ssl/2.2.8 OpenSSL/0.9.8g DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/4.4.8

 

 

How to fix this vulnerability

Upgrade mod_ssl to the latest version.

 

Apache Mod_SSL Log Function Format String Vulnerability

Vulnerability description

This alert was generated using only banner information. It may be a false positive.

 

A format string vulnerability has been found in mod_ssl versions older than 2.8.19. Successful exploitation of this issue will most likely allow an attacker to execute arbitrary code on the affected computer.

 

Affected mod_ssl versions (up to 2.8.18).

 

This vulnerability affects mod_ssl.

The impact of this vulnerability

Denial of service and/or possible arbitrary code execution.

Attack details

Current version is mod_ssl/2.2.8 OpenSSL/0.9.8g DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/4.4.8

 

 

How to fix this vulnerability

Upgrade mod_ssl to the latest version.

 

 

 

Vulnerability description

A possible sensitive file has been found. This file is not directly linked from the website. This check looks for known sensitive files like: password files, configuration files, log files, include files, statistics data, database dumps. Each of those files may help an attacker to learn more about his target.

 

The impact of this vulnerability

This file may expose sensitive information that may help a malicious user to prepare more advanced attacks.

How to fix this vulnerability

Restrict access to this file or remove it from the website.

 

Vulnerability description

A possible sensitive directory has been found. This directory is not directly linked from the website. This check looks for known sensitive directories like: backup directories, database dumps, administration pages, temporary directories. Each of those directories may help an attacker to learn more about his target.

 

The impact of this vulnerability

This directory may expose sensitive information that may help a malicious user to prepare more advanced attacks.

 

How to fix this vulnerability

Restrict access to this directory or remove it from the website.

 

 

 

PHPSESSID session fixation

Vulnerability description

This script is vulnerable to PHPSESSID session fixation attacks.

 

By injecting a custom PHPSESSID it is possible to alter the PHP session cookie. Attackers will normally manipulate cookie values to fraudulently authenticate themselves on a web site.

This vulnerability affects /.

The impact of this vulnerability

By exploiting this vulnerability, an attacker may conduct a session fixation attack. In a session fixation attack, the attacker fixes the user's session ID before the user even logs into the target server, thereby eliminating the need to obtain the user's session ID afterwards.

How to fix this vulnerability

Set session.use_only_cookies = 1 from php.ini. This option enables administrators to make their users invulnerable to attacks which involve passing session ids in URLs; defaults to 0.
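The php.ini setting above stops PHP from accepting a session id passed in the URL; the other half of the defence is to issue a fresh id at the moment a user logs in, so an id planted beforehand can never become the authenticated session. The following is an added example, not the scanner's or the site's code. It sets the same options from PHP (useful on shared hosting where php.ini cannot be edited) and shows the login and logout side. How the stored password hash is looked up is left to the site; `$storedHash` is assumed to be a `password_hash()` value from the user's row.

```php
<?php
// Added example (not the site's code): session handling that closes the
// PHPSESSID fixation finding. Include this before any output on every page.

// Equivalent of session.use_only_cookies = 1 in php.ini, set from code so it
// also holds on shared hosting where php.ini is out of reach.
ini_set('session.use_only_cookies', '1');   // never accept ?PHPSESSID=... in the URL
ini_set('session.use_trans_sid', '0');      // never append the id to links and forms
ini_set('session.use_strict_mode', '1');    // reject ids the server did not issue (PHP >= 5.5.2)
ini_set('session.cookie_httponly', '1');    // keep the cookie out of document.cookie
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
    ini_set('session.cookie_secure', '1');  // send the cookie only over TLS when available
}
session_start();

/**
 * Establish a logged-in session. $storedHash is the password_hash() value
 * from the user's row (lookup not shown; assumed). On success the session id
 * is regenerated, so whatever id the browser arrived with is discarded.
 */
function loginUser(string $username, string $password, string $storedHash): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    session_regenerate_id(true);           // true = delete the old session data too
    $_SESSION['user']       = $username;
    $_SESSION['login_time'] = time();
    return true;
}

/** Guard for pages that require login; call after session_start(). */
function requireLogin(): string
{
    if (empty($_SESSION['user'])) {
        header('Location: /login.php');    // assumed login page path
        exit;
    }
    return $_SESSION['user'];
}

/** Full logout: clear data, expire the cookie, destroy the server-side session. */
function logoutUser(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

`session_regenerate_id(true)` is the key call: without it, `use_only_cookies` only blocks the URL delivery route, while a cookie the attacker set on a shared browser would still be honoured.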

You could do with a PHP image verification script running on the register to stop bots spamming you with accounts.

 

Add a scriptcheck to avoid floods etc...

 

 

script.php

<?php
session_start();

// Pick 4 distinct digits at random and keep only the hash in the session;
// the page that checks the answer compares md5() of what the user typed.
$num = "0123456789";
$rand = substr(str_shuffle($num), 0, 4);

$_SESSION['image_random_value'] = md5($rand);

// Draw the digits onto a background image (path relative to this script)
$image = imagecreatefromjpeg("images/imgbackground.jpg");

$textColor = imagecolorallocate ($image, 0, 0, 0);

imagestring ($image, 5, 5, 8, $rand, $textColor); 

// Tell browsers and proxies not to cache the image, so each load gets a new code
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");

header('Content-type: image/jpeg');
imagejpeg($image);
imagedestroy($image);

?>

 

 

 

 

 

scriptcheck.php

<?php
session_start();
require("dbconnectionfile.php");

// Load the current player's row (table, column and value left as ??? by the author)
$que = mysql_query("SELECT * FROM `???` WHERE `???` = '???' LIMIT 1")or die(mysql_error());
$arr = mysql_fetch_array($que);

$scripttime = $arr['scripttime'];
// Assumed: the row fetched above is the current player's, so its name is used in the UPDATE below
$player = mysql_real_escape_string($arr['playername']);

// Only demand a script check once the previously scheduled time has passed
if ($scripttime <= time()){

$submit = isset($_POST['submit']) ? strip_tags(mysql_real_escape_string($_POST['submit'])) : '';
$number = isset($_POST['number']) ? strip_tags(mysql_real_escape_string($_POST['number'])) : '';
$newtime = time() + rand(600,900); // next check falls due in 10-15 minutes

if ($submit){

if (md5($number) != $_SESSION['image_random_value']){
echo "Incorrect script number.";

}else{
// Correct answer: schedule the next check and reload the page the player was on
mysql_query("UPDATE `players` SET `scripttime` = '$newtime' WHERE `playername` = '$player' LIMIT 1")or die(mysql_error());
print ("<meta http-equiv=\"refresh\" content=\"0\">");
}
}

?>
<html>
<head>
<link rel="stylesheet" type="text/css" href="???" />
<title>.::::.</title>
</head>
<body>
<form action="" method="post">
<table width="30%" align="center" class="tbl">
<tr><td align="center" class="*">Scriptcheck</td></tr>
<tr><td align="center" class="*"><img src="script.php" /></td></tr>
<tr><td align="center" class="*">
<input type="text" name="number" class="submit" size="5" maxlength="5" />
</td></tr>
<tr><td align="center" class="tbl">
<input type="submit" name="submit" value="Submit" class="*" />
</td></tr>
</table>
</form>
</body>
</html>
<?php exit; } ?>

 

 

 

 

Use:

<?php
session_start();
require("dbconnectionfile.php");

// Meant to sit inside the existing registration form; the "submit" button
// and the surrounding <form> come from that form.
$submit = isset($_POST['submit']) ? strip_tags(mysql_real_escape_string($_POST['submit'])) : '';
// Kept as a string of digits: intval() would drop a leading 0 (e.g. "0123" -> 123)
// and the md5() values would then no longer match the one stored by script.php.
$script = isset($_POST['script']) ? preg_replace('/\D/', '', $_POST['script']) : '';

if ($submit){

if (md5($script) != $_SESSION['image_random_value']){
echo "Script number incorrect.";
}else{

code...

}}
?>
<html>
<head>
<link rel="stylesheet" type="text/css" href="???" />
<title>.::::.</title>
</head>
<body>
<table>
<tr>
<td align="left" class="???" width="30%">
  <img src="script.php" />
</td>
<td align="left" class="???">
  <input type="text" name="script" class="***" size="5" maxlength="4" />
</td>
</tr>
</table>
</body>
</html>

 

 

It would also be useful to adjust the website according to screen resolution using javascript.
