[SOLVED] www.blconline.co.uk


marksie1988

Cross Site Scripting:

When editing your profile you can submit code and it executes.

http://blconline.co.uk/login/userinfo.blc?user=123456

 

Cross Site Scripting:

http://blconline.co.uk/whois/index.blc?domain=%22%3E%3Cmarquee%3E%3Ch1%3Evulnerable&lookup=%3E%3E

 

How would I fix this issue?

 

Full Path Disclosure:

http://blconline.co.uk/adsys/banner.blc

Warning: mysql_query() [function.mysql-query]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/marksie/public_html/blacklime/adsys/banner.blc on line 4

 

Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/marksie/public_html/blacklime/adsys/banner.blc on line 4

 

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/marksie/public_html/blacklime/adsys/banner.blc on line 5

 

Block this directory; http://blconline.co.uk/adsys/.


OK thanks, I have fixed this now :)

Block This directory; http://blconline.co.uk/inc/

 

Full Path Disclosure:

http://blconline.co.uk/login/userinfo.blc

Warning: Cannot modify header information - headers already sent by (output started at /home/marksie/public_html/blacklime/inc/header.blc:16) in /home/marksie/public_html/blacklime/login/userinfo.blc on line 12

 

Full Path Disclosure:

http://blconline.co.uk/inc/right.blc

Fatal error: Call to a member function isMod() on a non-object in /home/marksie/public_html/blacklime/inc/right.blc on line 58

 

Full Path Disclosure:

http://blconline.co.uk/inc/footer.blc

Warning: mysql_query() [function.mysql-query]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/marksie/public_html/blacklime/inc/footer.blc on line 55

 

Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/marksie/public_html/blacklime/inc/footer.blc on line 55

 

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/marksie/public_html/blacklime/inc/footer.blc on line 56

)

 

 

      Warning: mysql_query() [function.mysql-query]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/marksie/public_html/blacklime/inc/footer.blc on line 62

 

      Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/marksie/public_html/blacklime/inc/footer.blc on line 62

 

      Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in /home/marksie/public_html/blacklime/inc/footer.blc on line 6

 

Full Path Disclosure:

http://blconline.co.uk/inc/footer.blc

Fatal error: Call to a member function getNumMembers() on a non-object in /home/marksie/public_html/blacklime/inc/footer.blc on line 92

 


OK, I have done this now, but I have no idea how to stop this one:

 

Fatal error: Call to a member function isMod() on a non-object in /home/marksie/public_html/blacklime/inc/right.blc on line 58

Array:

http://www.blconline.co.uk/whois/index.blc?lookup&domain[]

 

Cross Site Scripting:

http://www.blconline.co.uk/whois/index.blc?lookup&domain="><marquee><h1>vulnerable</marquee>

 

Full Path Disclosure:

http://www.blconline.co.uk/directory/dirupdate.php?www[]

Warning: urldecode() expects parameter 1 to be string, array given in /home/marksie/public_html/blacklime/directory/dirupdate.php on line 4

 

Warning: Cannot modify header information - headers already sent by (output started at /home/marksie/public_html/blacklime/directory/dirupdate.php:4) in /home/marksie/public_html/blacklime/directory/dirupdate.php on line 7

 

Full Path Disclosure:

http://www.blconline.co.uk/login/userpics/delimg.blc

Warning: unlink(/home/marksie/public_html/blacklime/login/userpics/) [function.unlink]: Is a directory in /home/marksie/public_html/blacklime/login/userpics/delimg.blc on line 17

 

Warning: Cannot modify header information - headers already sent by (output started at /home/marksie/public_html/blacklime/login/userpics/delimg.blc:17) in /home/marksie/public_html/blacklime/login/userpics/delimg.blc on line 24

 

Full Path Disclosure:

http://www.blconline.co.uk/login/userinfo.blc

Warning: Cannot modify header information - headers already sent by (output started at /home/marksie/public_html/blacklime/inc/header.blc:16) in /home/marksie/public_html/blacklime/login/userinfo.blc on line 12

blconline.co.uk

 

Full Path Disclosure:

http://www.blconline.co.uk/price/popupprice.blc

Warning: require_once(../inc/settings.blc) [function.require-once]: failed to open stream: No such file or directory in /home/marksie/public_html/blacklime/price/popupprice.blc on line 1

 

Fatal error: require_once() [function.require]: Failed opening required '../inc/settings.blc' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/marksie/public_html/blacklime/price/popupprice.blc on line 1

 

Full Path Disclosure:

http://www.blconline.co.uk/inc/right.blc

Fatal error: Call to a member function isAdmin() on a non-object in /home/marksie/public_html/blacklime/inc/right.blc on line 59

 

Full Path Disclosure:

http://www.blconline.co.uk/inc/footer.blc

Fatal error: Call to a member function getNumMembers() on a non-object in /home/marksie/public_html/blacklime/inc/footer.blc on line 92

 

Includes Directory:

http://www.blconline.co.uk/login/include/

 

META Tag Injection:

http://www.blconline.co.uk/whois/index.blc?lookup&domain=<meta+http-equiv='Set-cookie'+content='vulnerable=true'>

 

URL Inclusion:

http://www.blconline.co.uk/directory/dirupdate.php?www=http://www.google.com/

OK, I have now blocked most of this (removed the whois, too much hassle), but I don't know how to block the following thing. Could someone point me in the right direction or show me how to do it?
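
A defensive sketch for the findings listed in this thread: reflected markup in the `domain` parameter, warnings triggered by `domain[]` / `www[]`, and errors printed when include files are requested directly. It is an added example, not part of the original posts or the site's code; `BLC_ENTRY`, `str_param()`, `valid_domain()`, `h()`, the log path and the sample requests are assumptions.

```php
<?php
// Added example. BLC_ENTRY, str_param(), valid_domain(), h() and the log
// path are hypothetical names, not taken from the site's code.

// 1. Full path disclosure: log errors, never print them to the visitor.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/path/outside/webroot/php-error.log'); // placeholder

// 2. Direct requests to include files (inc/right.blc, inc/footer.blc):
//    the entry page defines a constant, each include checks it first.
define('BLC_ENTRY', true);                                     // entry page
if (!defined('BLC_ENTRY')) { http_response_code(403); exit; }  // top of each include

// 3. Array parameters (?domain[] / ?www[]): accept strings only.
function str_param(array $src, $name, $maxLen = 253)
{
    if (!isset($src[$name]) || !is_string($src[$name])) {
        return null;
    }
    $v = trim($src[$name]);
    return ($v === '' || strlen($v) > $maxLen) ? null : $v;
}

// 4. Allow-list check: a hostname has no quotes, angle brackets or spaces.
function valid_domain($v)
{
    return is_string($v)
        && preg_match('/^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i', $v) === 1;
}

// 5. XSS: encode every value at the point it is written into HTML.
function h($v) { return htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8'); }

// Constructed requests modelled on the query strings reported in the thread.
$samples = [
    ['domain' => 'example.co.uk'],
    ['domain' => '"><marquee><h1>vulnerable'],
    ['domain' => "<meta http-equiv='Set-cookie' content='vulnerable=true'>"],
    ['domain' => []],
];
foreach ($samples as $get) {
    $d = str_param($get, 'domain');
    echo valid_domain($d)
        ? '<input name="domain" value="' . h($d) . '">' . "\n"
        : '<p>Invalid domain: ' . h($d) . "</p>\n"; // encoded: $d may hold markup
}
```

Only the first sample passes validation; the two markup samples are rejected and echoed back with `<`, `>` and quotes encoded, and the array sample is dropped before any string function sees it.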

 

 

Archived

This topic is now archived and is closed to further replies.
