cameronjdavis Posted January 12, 2008 Share Posted January 12, 2008 My brother and I created an online CMS called ComfyPage. Sign up for a free site at http://comfypage.com/. Please thrash it and let me know of any bugs etc. Inputs: Your time and effort. Outputs: A website. Link to comment Share on other sites More sharing options...
Coreye Posted January 12, 2008 Share Posted January 12, 2008 Cross Site Scripting: http://comfypage.com/index.php?content_id=ERROR&postback=Mailing+List&fsbb_key=47.7.6.25.85.24.311.8.38.7.861.25&1943d881309c75c136b9fe9a2=6b9fe9a2&d965bb3e18525b3a5f0c0d5b5=MTIwMDExMDU3OQ%3D%3D&mail=&list_email=%22%3E%3Cmarquee%3E%3Ch1%3Evulnerable&action=Subscribe#abc Array: http://comfypage.com/index.php?content_id=ERROR&postback=Mailing+List&fsbb_key=47.7.6.25.85.24.311.8.38.7.861.25&1943d881309c75c136b9fe9a2=6b9fe9a2&d965bb3e18525b3a5f0c0d5b5=MTIwMDExMDU3OQ%3D%3D&mail=&list_email[] Link to comment Share on other sites More sharing options...
agentsteal Posted January 12, 2008 Share Posted January 12, 2008 Array: http://www.comfypage.com/index.php?postback=My+ComfyPage+Signup&email[] Array: http://my.comfypage.com/agentsteal/function.php?function=Appointment%20Request&success[] Array: http://my.comfypage.com/agentsteal/mail.php?success[] Array: http://my.comfypage.com/agentsteal/files.php?folder[] Array: http://www.comfypage.com/index.php?postback=My+ComfyPage+Signup&password[] Array: http://www.comfypage.com/index.php?postback=Mailing+List&list_email[] Array: http://www.comfypage.com/index.php?content_id=2&postback=Contact+Form&email[] Cross Site Scripting: http://www.comfypage.com/index.php?postback=My+ComfyPage+Signup&email="><marquee><h1>vulnerable</marquee> Cross Site Scripting: http://www.comfypage.com/index.php?postback=My+ComfyPage+Signup&password="><marquee><h1>vulnerable</marquee> Cross Site Scripting: http://www.comfypage.com/index.php?postback=Mailing+List&list_email="><marquee><h1>vulnerable</marquee> Cross Site Scripting: http://my.comfypage.com/agentsteal/function.php?function=Appointment Request&success=<marquee><h1>vulnerable Cross Site Scripting: http://my.comfypage.com/agentsteal/mail.php?success=<marquee><h1>vulnerable Cross Site Scripting: There is Cross Site Scripting on http://my.comfypage.com/agentsteal/function.php?function=Mailing List if the fields contain </textarea>code. Cross Site Scripting: There is Cross Site Scripting on http://my.comfypage.com/agentsteal/files.php if a folder contains ">code. Cross Site Scripting: There is Cross Site Scripting if your email address contains ">code. Cross Site Scripting: There is Cross Site Scripting when you contact support if your email address contains ">code. Cross Site Scripting: There is Cross Site Scripting on http://my.comfypage.com/agentsteal/register_with_existing_domain.php if the domain contains ">code. Cross Site Scripting: There is Cross Site Scripting when you contact support if your message contains </textarea>code. Cross Site Scripting: There is Cross Site Scripting when you add a product if the fields contain code. Cross Site Scripting: There is Cross Site Scripting on http://my.comfypage.com/agentsteal/function.php?function=Appointment Request if the fields contain ">code. Cross Site Scripting: http://www.comfypage.com/index.php?content_id=2&postback=Contact+Form&email="><marquee><h1>vulnerable</marquee> Drop Down Menu: If you edit the drop down menus on http://my.comfypage.com/agentsteal/admin.php you can submit arbitrary values. Full Path Disclosure: http://my.comfypage.com/agentsteal1/admin.php?copy Warning: array_keys() [function.array-keys]: The first argument should be an array in /home/camand/etc/code_base/working_version/common/settings.php on line 196 Warning: array_keys() [function.array-keys]: The first argument should be an array in /home/camand/etc/code_base/working_version/common/settings.php on line 196 Warning: Cannot modify header information - headers already sent by (output started at /home/camand/etc/code_base/working_version/common/settings.php:196) in /home/camand/etc/code_base/working_version/admin.php on line 109 Full Path Disclosure: http://www.comfypage.com/index.php?content_id=2&postback=Contact+Form&message[] Warning: htmlspecialchars() expects parameter 1 to be string, array given in /home/camand/etc/code_base/working_version/common/contentServer/functions/Contact Form/Contact Form.php on line 138 Full Path Disclosure: There is Full Path Disclosure on http://my.comfypage.com/agentsteal/register_confirm.php when you submit the form. Warning: require_once(common/general_settings.php) [function.require-once]: failed to open stream: No such file or directory in /home/camand/etc/code_base/working_version/common/globals.php on line 408 Fatal error: require_once() [function.require]: Failed opening required 'common/general_settings.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/camand/etc/code_base/working_version/common/globals.php on line 408 Full Path Disclosure: http://my.comfypage.com/agentsteal/margins.php?edit[] Warning: Illegal offset type in /home/camand/etc/code_base/working_version/common/contentServer/content_page.php on line 126 Warning: Illegal offset type in /home/camand/etc/code_base/working_version/common/contentServer/content_page.php on line 126 Warning: Illegal offset type in /home/camand/etc/code_base/working_version/common/contentServer/content_page.php on line 126 Full Path Disclosure: http://my.comfypage.com/agentsteal/function.php Fatal error: Call to a member function validate_doodad_settings() on a non-object in /home/camand/etc/code_base/working_version/function.php on line 112 Full Path Disclosure: http://my.comfypage.com/agentsteal/files.php?folder=a Warning: dir(site/UserFiles/a) [function.dir]: failed to open dir: No such file or directory in /home/camand/etc/code_base/working_version/common/file.php on line 34 Fatal error: Call to a member function read() on a non-object in /home/camand/etc/code_base/working_version/common/file.php on line 36 Link to comment Share on other sites More sharing options...
cameronjdavis Posted January 13, 2008 Author Share Posted January 13, 2008 When you say "Array" what is the specific problem. Array: http://www.comfypage.com/index.php?postback=My+ComfyPage+Signup&email[] Link to comment Share on other sites More sharing options...
deadimp Posted January 13, 2008 Share Posted January 13, 2008 They're setting one of the GET/POST variables as an array that is usually a scalar (not array). If you try and manipulate an array as a scalar it'll throw an error and might uncover some vulnerability. Link to comment Share on other sites More sharing options...
cameronjdavis Posted January 14, 2008 Author Share Posted January 14, 2008 Thank you for your help. I've made some changes that cover what you've found. If you would like to try it again I'd be grateful. And to anyone else. If you want to test ComfyPage and find the problems with it then please do at http://comfypage.com. You can sign up for a free website there. Link to comment Share on other sites More sharing options...
tibberous Posted January 14, 2008 Share Posted January 14, 2008 It's a cool name and idea, I'm not sure I'd call it a CMS... it doesn't really manage the content, so much as it lets you edit text files online. Link to comment Share on other sites More sharing options...
cameronjdavis Posted January 16, 2008 Author Share Posted January 16, 2008 agentsteal I found a couple of unexpected folders named 'agentsteal' on the server. Did you create those on purpose or do you think they just happen as part of your testing. It's a big security hole so I'm keen to close it. Link to comment Share on other sites More sharing options...
Recommended Posts