Please test for bugs so far


steviez

Hi,

I am developing a new file hosting script for my site and I need it beta tested so far, please. It is nowhere near complete yet, but I would like some feedback on the workings of the script and any errors you think are there.

PLEASE DO NOT post any reference to the site URL here as I don't want Google picking it up (looks unprofessional) :)

Site Here: http://tinyurl.com/257xvg

Thanks :)

Cross Site Scripting:

You can use code in your name and it executes.

Block your Admin directory. Also add some validation; anyone can ban/unban.

Your Admin CP has Cross Site Scripting vulnerabilities.

Block your includes directory.

Your Admin CP is vulnerable to SQL injection.

Admin Access:

Anyone can access the admin panel.

Array:

http://www.xxxxxxx.co.uk/projects/filehost/admin/bans.php?action=unban&ip[]

Cross Site Scripting:

There is Cross Site Scripting on http://www.xxxxxxx.co.uk/projects/filehost/admin/bans.php if the fields contain code.

Cross Site Scripting:

There is Cross Site Scripting when you register if your username contains </script>code.

Directory Traversal:

There is Directory Traversal if your username contains ../

Full Path Disclosure:

http://www.xxxxxxx.co.uk/projects/filehost/success.php.old

Warning: main(uu_conlib.php) [function.main]: failed to open stream: No such file or directory in /var/www/html/projects/filehost/success.php.old on line 18

Fatal error: main() [function.require]: Failed opening required 'uu_conlib.php' (include_path='.:/usr/lib/php') in /var/www/html/projects/filehost/success.php.old on line 18

Full Path Disclosure:

http://www.xxxxxxx.co.uk/projects/filehost/admin/bans.php

/var/www/html/projects/fileho

Full Path Disclosure:

http://www.xxxxxxx.co.uk/projects/filehost/admin/settings.php

/var/www/html/projects/filehost/

Includes Directory:

http://www.xxxxxxx.co.uk/projects/filehost/includes/

Insecure Cookie:

You shouldn't put the username in the cookie.

SQL Error:

There is an SQL error when you log in if the username contains '

Could not match data because You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'd41d8cd98f00b204e9800998ecf8427e'' at line 1

If your username contains ' when you log in, the page contains an MD5 of your password.

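The findings in the two reports above (open admin panel, the ip[] array, XSS through the username and ban fields, ../ in the username, full path disclosure, username stored in the cookie, and the SQL error that echoes the MD5 hash) addressed in one hardened PHP fragment. This is an added example, not the script's own code; it assumes a PDO connection in $pdo, that session_start() has already been called, that passwords are stored with password_hash(), and hypothetical tables users(username, password_hash) and bans(ip).

```php
<?php
// Added example, not the script's own code. Assumes a PDO connection in $pdo
// and hypothetical tables users(username, password_hash) and bans(ip).
// Log errors instead of printing them: stops the full path disclosure.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Restrict usernames to a safe alphabet so neither "../" nor "</script>"
// can reach the filesystem or the HTML output through this field.
function validUsername(string $name): bool {
    return (bool) preg_match('/^[A-Za-z0-9_]{3,32}$/', $name);
}

// Escape every value reflected into a page (admin ban list included).
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Login with a parameterised query: a quote in the username can no longer
// break the SQL, so no error page ever echoes a password hash.
function login(PDO $pdo, string $username, string $password): bool {
    if (!validUsername($username)) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    // Identity is kept server side in the session, not in a client cookie.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    return true;
}

// Unban: require an authenticated admin, and reject ip[] (an array) or any
// value that is not a well-formed IP address before it reaches the query.
function unban(PDO $pdo, $ip): bool {
    if (empty($_SESSION['is_admin'])) {
        http_response_code(403);
        return false;
    }
    if (!is_string($ip) || filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    $stmt = $pdo->prepare('DELETE FROM bans WHERE ip = ?');
    return $stmt->execute([$ip]);
}
```

Blocking the admin and includes directories at the web server (or moving includes outside the document root) is still needed alongside this; the code only covers the request handling.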