lumidev Posted January 2, 2008 Share Posted January 2, 2008 Hi, Please check out my new site, http://www.venuspoetry.com. It's an AJAX/PHP/MySQL site where people can post and edit poetry. All suggestions appreciated. I'm pretty sure everything works, but there's got to be something. Pretty well checked for XSS and SQL injection. I'm hoping I can get agentsteal approved. Thanks. Link to comment Share on other sites More sharing options...
agentsteal Posted January 2, 2008 Share Posted January 2, 2008 User Enumeration: http://www.venuspoetry.com/~root User Enumeration: http://www.venuspoetry.com/~venus Link to comment Share on other sites More sharing options...
lumidev Posted January 2, 2008 Author Share Posted January 2, 2008 So is that a big deal? Is it a setting in Apache that allows that to happen? Link to comment Share on other sites More sharing options...
Coreye Posted January 2, 2008 Share Posted January 2, 2008 So is that a big deal? Is it a setting in Apache that allows that to happen? Yes.. Read this; http://www.securityspace.com/smysecure/catid.html?id=10766. Link to comment Share on other sites More sharing options...
lumidev Posted January 2, 2008 Author Share Posted January 2, 2008 Thanks. Fixed. Link to comment Share on other sites More sharing options...
darkfreaks Posted July 9, 2008 Share Posted July 9, 2008 Vulnerability description HTTP TRACE method is enabled on this web server. In the presence of other cross-domain vulnerabilities in web browsers, sensitive header information could be read from any domains that support the HTTP TRACE method. This vulnerability affects Web Server. The impact of this vulnerability Attackers may abuse HTTP TRACE functionality to gain access to information in HTTP headers such as cookies and authentication data. How to fix this vulnerability Disable TRACE Method on the web server. Vulnerability description This script is possibly vulnerable to SQL/XPath Injection attacks. SQL injection is a vulnerability that allows an attacker to alter backend SQL statements by manipulating the user input. An SQL injection occurs when web applications accept user input that is directly placed into a SQL statement and doesn't properly filter out dangerous characters. This is one of the most common application layer attacks currently being used on the Internet. Despite the fact that it is relatively easy to protect against, there is a large number of web applications vulnerable. XPath Injection is an attack technique used to exploit web sites that construct XPath queries from user-supplied input. This vulnerability affects /poem.php. The impact of this vulnerability An unauthenticated attacker may execute arbitrary SQL/XPath statements on the vulnerable system. This may compromise the integrity of your database and/or expose sensitive information. Attack details The GET variable poem is vulnerable. How to fix this vulnerability Your script should filter metacharacters from user input. Check detailed information for more information about fixing this vulnerability. Vulnerability description One or more email addresses have been found on this page. The majority of spam comes from email addresses harvested off the internet. The spam-bots (also known as email harvesters and email extractors) are programs that scour the internet looking for email addresses on any website they come across. Spambot programs look for strings like myname@mydomain.com and then record any addresses found. This vulnerability affects /. The impact of this vulnerability Email addresses posted on Web sites may attract spam. Attack details We found poet@venuspoetry.com Link to comment Share on other sites More sharing options...
darkfreaks Posted July 26, 2008 Share Posted July 26, 2008 Also you might wanna read on spam proofing your site email wise: http://evolt.org/article/Spam_Proofing_Your_Website/20/41849/ Link to comment Share on other sites More sharing options...
Recommended Posts