recklessop, posted December 27, 2007

Looking for some people to test out the work I have done so far. I think it's probably 90% complete; it would be done, but I keep adding features as I'm writing. The link is www.debianbox.net/sms/ ; the username is demo and the password is demo. I know that there are bugs. If you have any suggestions or comments, or would like to help, email me at justin at debianbox.net, or I'll check back here too. Thanks!
recklessop (author), posted December 27, 2007

I forgot that the authentication system tracks users with unique codes and cookies, so if you are constantly being logged off, please go to the administration section and add an employee (which will just create a new username and password for you so that you can log in and stay logged in). It wasn't designed for multiple logins with the same username at different stations.
Coreye, posted December 27, 2007

Block this directory: http://www.debianbox.net/sms/admin/. From the looks of it you don't have to be logged in to use those pages, including:
http://www.debianbox.net/sms/admin/adduser.php
http://www.debianbox.net/sms/admin/administration.php
http://www.debianbox.net/sms/admin/moduser.php

SQL Error: http://www.debianbox.net/sms/admin/listros_unpaid.php
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '== false ORDER BY `date` DESC' at line 1
recklessop (author), posted December 27, 2007

Dang... I totally forgot to add the code to check the cookies and whatnot to all the pages, and some of the pages were left in an unfinished state before Christmas, so hopefully that's why that SQL error is there. After reviewing it I noticed that that isn't a page that will be sticking around, lol, as repair orders are always in an unpaid state... invoices are what will be checked for paid/unpaid.
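The missing per-page check described above, as an added example rather than code from the SMS project: one include that every page loads before producing any output, looks up the cookie token in a sessions table with a bound parameter, and redirects or refuses otherwise. The file name, cookie name, table layout, login page path and PDO connection are all assumptions.

```php
<?php
// include/require_login.php (assumed file name; added example, not the SMS project's own code).
// Load this as the first thing on every page under /sms/ and /sms/admin/, before any HTML
// output, so the Location header can still be sent (no "headers already sent" warning).
declare(strict_types=1);

// Keep PHP warnings out of the browser: they disclose paths like /home/justin/sms/...
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Assumed schema: users(id, username, is_admin), sessions(token, user_id, expires).
// Credentials are placeholders for whatever include/config.php actually provides.
$pdo = new PDO('mysql:host=localhost;dbname=sms', 'sms_user', 'PLACEHOLDER_PASSWORD', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

function current_user(PDO $pdo): ?array
{
    // The app identifies users by a unique code in a cookie; the cookie name is assumed.
    $token = $_COOKIE['sms_token'] ?? '';
    if (!is_string($token) || !preg_match('/^[a-f0-9]{64}$/', $token)) {
        return null;                     // missing or malformed token: treat as logged out
    }
    $stmt = $pdo->prepare(
        'SELECT u.id, u.username, u.is_admin
           FROM sessions s JOIN users u ON u.id = s.user_id
          WHERE s.token = ? AND s.expires > NOW() LIMIT 1'
    );
    $stmt->execute([$token]);            // bound parameter, never string-built SQL
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function require_login(PDO $pdo, bool $admin_only = false): array
{
    $user = current_user($pdo);
    if ($user === null) {
        header('Location: /sms/login.php');   // login page path is assumed
        exit;
    }
    if ($admin_only && (int)$user['is_admin'] !== 1) {
        http_response_code(403);
        exit('Forbidden');
    }
    return $user;
}

// Admin pages (adduser.php, moduser.php, deluser.php): $user = require_login($pdo, true);
// Every other page:                                    $user = require_login($pdo);
```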
agentsteal, posted December 27, 2007

Cross Site Scripting: There is Cross Site Scripting on http://www.debianbox.net/sms/vehicle_add.php if the fields contain ">code.
Cross Site Scripting: There is Cross Site Scripting on http://www.debianbox.net/sms/vehicle_add.php if you submit the same vehicle multiple times.
Cross Site Scripting: There is Cross Site Scripting on http://www.debianbox.net/sms/ro_start.php if the drop down menu contains ">code.
Cross Site Scripting: There is Cross Site Scripting on http://www.debianbox.net/sms/ro_addjob.php if the drop down menus contain ">code.
Cross Site Scripting: There is Cross Site Scripting on http://www.debianbox.net/sms/ro_deljob.php if the drop down menus contain ">code.
Cross Site Scripting: There is Cross Site Scripting on http://www.debianbox.net/sms/pi_start.php if the drop down menu contains ">code.
Cross Site Scripting: There is Cross Site Scripting on http://www.debianbox.net/sms/pi_addpart.php if the drop down menus contain ">code.
Cross Site Scripting: There is Cross Site Scripting on http://www.debianbox.net/sms/pi_view.php if the fields contain ">code.
Cross Site Scripting: There is Cross Site Scripting on http://www.debianbox.net/sms/pi_view.php if the drop down menu contains ">code.
Cross Site Scripting: There is Cross Site Scripting on http://www.debianbox.net/sms/pi_close.php if the drop down menu contains code.
Cross Site Scripting: There is Cross Site Scripting on http://www.debianbox.net/sms/customer_mod.php if the drop down menu contains code.
Cross Site Scripting: There is Cross Site Scripting on http://www.debianbox.net/sms/vehicle_mod.php if the drop down menu contains code.
Cross Site Scripting: There is Cross Site Scripting on http://www.debianbox.net/sms/service_mod.php if the drop down menu contains code.
Cross Site Scripting: There is Cross Site Scripting on http://www.debianbox.net/sms/parts_mod.php if the drop down menu contains code.
Cross Site Scripting: There is Cross Site Scripting on http://www.debianbox.net/sms/parts_del.php if the fields contain code.
Cross Site Scripting: There is Cross Site Scripting on http://www.debianbox.net/sms/admin/adduser.php if the fields contain code.

Drop Down Menu: If you edit the drop down menu on http://www.debianbox.net/sms/vehicle_add.php you can submit arbitrary values.
Drop Down Menu: If you edit the drop down menu on http://www.debianbox.net/sms/ro_start.php you can submit arbitrary values.
Drop Down Menu: If you edit the drop down menus on http://www.debianbox.net/sms/ro_addjob.php you can submit arbitrary values.
Drop Down Menu: If you edit the drop down menus on http://www.debianbox.net/sms/ro_deljob.php you can submit arbitrary values.
Drop Down Menu: If you edit the drop down menu on http://www.debianbox.net/sms/pi_start.php you can submit arbitrary values.
Drop Down Menu: If you edit the drop down menus on http://www.debianbox.net/sms/pi_addpart.php you can submit arbitrary values.
Drop Down Menu: If you edit the drop down menu on http://www.debianbox.net/sms/pi_view.php you can submit arbitrary values.
Drop Down Menu: If you edit the drop down menu on http://www.debianbox.net/sms/pi_close.php you can submit arbitrary values.
Drop Down Menu: If you edit the drop down menu on http://www.debianbox.net/sms/customer_mod.php you can submit arbitrary values.
Drop Down Menu: If you edit the drop down menu on http://www.debianbox.net/sms/vehicle_mod.php you can submit arbitrary values.
Drop Down Menu: If you edit the drop down menu on http://www.debianbox.net/sms/service_mod.php you can submit arbitrary values.
Drop Down Menu: If you edit the drop down menu on http://www.debianbox.net/sms/parts_mod.php you can submit arbitrary values.
Drop Down Menu: If you edit the drop down menu on http://www.debianbox.net/sms/tune_download.php you can submit arbitrary values.

Full Path Disclosure: http://www.debianbox.net/sms/home.php
Warning: Cannot modify header information - headers already sent by (output started at /home/justin/sms/home.php:12) in /home/justin/sms/home.php on line 53

Full Path Disclosure: http://www.debianbox.net/sms/include/auth.php
Warning: include(./include/config.php) [function.include]: failed to open stream: No such file or directory in /home/justin/sms/include/auth.php on line 2
Warning: include() [function.include]: Failed opening './include/config.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /home/justin/sms/include/auth.php on line 2
Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'www-data'@'localhost' (using password: NO) in /home/justin/sms/include/auth.php on line 4
Access denied for user 'www-data'@'localhost' (using password: NO)

Full Path Disclosure: http://www.debianbox.net/sms/pi_start.php
Warning: Cannot modify header information - headers already sent by (output started at /home/justin/sms/pi_start.php:10) in /home/justin/sms/pi_start.php on line 125

Full Path Disclosure: There is Full Path Disclosure on http://www.debianbox.net/sms/tune_add.php if you upload a file.
Warning: move_uploaded_file(/var/www/tunes/ffd90734db50d7dcc9780704973e8781.jpg) [function.move-uploaded-file]: failed to open stream: No such file or directory in /home/justin/sms/tune_add.php on line 44
Warning: move_uploaded_file() [function.move-uploaded-file]: Unable to move '/tmp/phpNyJkf8' to '/var/www/tunes/ffd90734db50d7dcc9780704973e8781.jpg' in /home/justin/sms/tune_add.php on line 44

Full Path Disclosure: There is Full Path Disclosure on http://www.debianbox.net/sms/tune_download.php if the drop down menu contains an invalid value.
Fatal error: Call to undefined function mysq_error() in /home/justin/sms/tune_download.php on line 48

Includes Directory: http://www.debianbox.net/sms/admin/
Includes Directory: http://www.debianbox.net/sms/include/

SQL Error: http://www.debianbox.net/sms/admin/listros_unpaid.php
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '== false ORDER BY `date` DESC' at line 1
SQL Error: http://www.debianbox.net/sms/invoice_start.php
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
SQL Error: http://www.debianbox.net/sms/service_add.php
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
SQL Error: http://www.debianbox.net/sms/parts_add.php
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
SQL Error: http://www.debianbox.net/sms/parts_mod.php
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
SQL Error: http://www.debianbox.net/sms/parts_del.php
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
SQL Error: http://www.debianbox.net/sms/letter_thankyou.php
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
SQL Error: There is an SQL Error if you add a new customer.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 2
SQL Error: There is an SQL Error if you register the same vehicle multiple times.
Duplicate entry a for key 1
SQL Error: http://www.debianbox.net/sms/pi_created.php
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
SQL Error: There is an SQL Error on http://www.debianbox.net/sms/pi_close.php if the drop down menu contains an invalid value.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
SQL Error: There is an SQL Error on http://www.debianbox.net/sms/invoice_paid.php if the fields contain invalid values.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE `id` = 6 LIMIT 1' at line 1
SQL Error: There is an SQL Error on http://www.debianbox.net/sms/parts_del.php if the fields contain invalid values.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1

User Enumeration: http://www.debianbox.net/~justin
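The three recurring findings in the report above (reflected form values, editable drop-downs, and raw MySQL errors on a stray quote or a duplicate row) share one fix pattern; the following is an added example in the shape of a vehicle_add.php handler, not the SMS project's code. Table and field names, the allowlist contents and the PDO connection are assumptions.

```php
<?php
// Hardened handler in the shape of vehicle_add.php (added example, not the SMS project's code).
// Assumed table: vehicles(vin UNIQUE, make, model, year); field and column names are assumptions.
declare(strict_types=1);
ini_set('display_errors', '0');          // SQL and PHP errors go to the log, never into the page
$pdo = new PDO('mysql:host=localhost;dbname=sms;charset=utf8mb4', 'sms_user', 'PLACEHOLDER_PASSWORD', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Drop-down options live server-side; editing the <select> in the browser adds nothing to this list.
const ALLOWED_MAKES = ['Ford', 'Honda', 'Toyota'];

function h(string $s): string
{
    // Escapes < > & " ' so a value such as "><script> is rendered as text, not markup.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function add_vehicle(PDO $pdo, array $post): string
{
    $make  = (string)($post['make'] ?? '');
    $model = trim((string)($post['model'] ?? ''));
    $vin   = strtoupper(trim((string)($post['vin'] ?? '')));
    $year  = (int)($post['year'] ?? 0);

    // Reject anything outside the allowlist or basic format rules before it reaches SQL or HTML.
    if (!in_array($make, ALLOWED_MAKES, true)) {
        return 'Unknown make selected.';
    }
    if (!preg_match('/^[A-Z0-9]{11,17}$/', $vin) || $model === '' || strlen($model) > 40
        || $year < 1950 || $year > (int)date('Y') + 1) {
        return 'Vehicle details are invalid.';
    }

    try {
        $stmt = $pdo->prepare('INSERT INTO vehicles (vin, make, model, year) VALUES (?, ?, ?, ?)');
        $stmt->execute([$vin, $make, $model, $year]);   // a stray quote is data, not SQL
    } catch (PDOException $e) {
        if ($e->getCode() === '23000') {                 // duplicate VIN: no raw "Duplicate entry" text
            return 'Vehicle ' . h($vin) . ' is already registered.';
        }
        error_log($e->getMessage());                     // full detail stays in the server log
        return 'Could not save the vehicle.';
    }
    return 'Added ' . h($year . ' ' . $make . ' ' . $model) . '.';
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo '<p>' . add_vehicle($pdo, $_POST) . '</p>';    // user-controlled text already passed through h()
}
```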
recklessop (author), posted December 27, 2007

What program are you using to generate that output?
Coreye, posted December 30, 2007

You can still delete and modify users if you are not an admin: http://www.debianbox.net/sms/admin/deluser.php and http://www.debianbox.net/sms/admin/moduser.php. You also still need to block this directory: http://www.debianbox.net/sms/admin/. There's Cross Site Scripting when creating a new employee. There's Cross Site Scripting when searching for an Invoice Number.
darkfreaks, posted July 9, 2008

Vulnerability description: This file is listed in robots.txt but it's not linked anywhere in the site. This vulnerability affects /.
The impact of this vulnerability: Possible sensitive information disclosure.
How to fix this vulnerability: In robots.txt you should include only files or directories linked on the site.

CVS files found
Vulnerability description: CVS (Concurrent Versions System) files have been found in this directory. The CVS directory is a special directory. CVS/Entries lists files and subdirectories registered into the server. CVS/Repository contains the path to the corresponding directory in the repository. CVS/Root contains the path to the repository.
How to fix this vulnerability: Remove the files from production systems.

Vulnerability description: HTTP TRACE method is enabled on this web server. In the presence of other cross-domain vulnerabilities in web browsers, sensitive header information could be read from any domains that support the HTTP TRACE method. This vulnerability affects Web Server.
The impact of this vulnerability: Attackers may abuse HTTP TRACE functionality to gain access to information in HTTP headers such as cookies and authentication data.
How to fix this vulnerability: Disable TRACE Method on the web server.
darkfreaks, posted July 9, 2008

Vulnerability description: This alert was generated using only banner information. It may be a false positive. A stack-based buffer overflow has been reported in the Apache mod_ssl module. This issue would most likely result in a denial of service if triggered, but could theoretically allow for execution of arbitrary code. The issue is not believed to be exploitable to execute arbitrary code on x86 architectures, though this may not be the case with other architectures. Affected mod_ssl versions (up to 2.8.17). This vulnerability affects mod_ssl.
The impact of this vulnerability: Denial of service and/or possible arbitrary code execution.
Attack details: Current version is mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8 Unknown
How to fix this vulnerability: Upgrade mod_ssl to the latest version.