Test My Video Sharing Script :d

[ahzulfi]

Hello, i have made a video sharing script, i didnt take any source code of any script, it is made from a scratch, i hope its hackers safe....

here is the link

http://tune.pk

 

am still working on it, but it is ready for a test

please comment 

[Coreye]

Includes Directory:

http://tune.pk/includes/

 

Full Path Disclosure:

http://tune.pk/includes/active.php

Fatal error: Call to undefined function Assign() in /home/tuneepk/public_html/includes/active.php on line 45

 

Full Path Disclosure:

http://tune.pk/includes/defined_links.php

Fatal error: Call to undefined function Assign() in /home/tuneepk/public_html/includes/defined_links.php on line 45

 

Full Path Disclosure:

http://tune.pk/includes/modules.php

Warning: mysql_query() [function.mysql-query]: Access denied for user 'tuneepk'@'localhost' (using password: NO) in /home/tuneepk/public_html/includes/modules.php on line 18

 

Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/tuneepk/public_html/includes/modules.php on line 18

 

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/tuneepk/public_html/includes/modules.php on line 19

 

Full Path Disclosure:

http://tune.pk/includes/playerconfig/config.xml.php

true  true  3  On  Press start to play  true

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/tuneepk/public_html/includes/playerconfig/config.xml.php:15) in /home/tuneepk/public_html/includes/config.inc.php on line 18

/home/tuneepk/public_html/videos/ http://tune.pk/includes/playerconfig/videolist.xml.php video1.flv ./ 50 0x550000 0x6C6C6C 0x000000 0x474747 0xB62A2A 0xFF3333 0xDBDBDB 0x515151 Up Left http://www.tufat.com logo.jpg true true 375 450 80 100 _blank 50 Down false 0x000000 0x9F9F9F 30 true service@clip-bucket.com Clip-Bucket true

 

Full Path Disclosure:

http://tune.pk/includes/templatelib/Template_Compiler.class.php

Fatal error: Class 'Smarty' not found in /home/tuneepk/public_html/includes/templatelib/Template_Compiler.class.php on line 35

 

Full Path Disclosure:

http://tune.pk/includes/classes/TFile.php

Parse error: syntax error, unexpected ':' in /home/tuneepk/public_html/includes/classes/TFile.php on line 11

 

 

 

[Coreye]

Full Path Disclosure:

http://tune.pk/view_channel.php?user=%3E

Warning: Cookie names can not contain any of the folllowing '=,; \t\r\n\013\014' (view_>) in /home/tuneepk/public_html/includes/classes/user.class.php on line 439

[ahzulfi]

thanx COREYE, well as u know i havent finished making this script, i know all that errors you just quoted in ur first post but the 2nd one is really unknown ffor me, thanx for this and also tell me how to CLEAN this mess

 

[ahzulfi]

Ok i resolved it, now please tell me if i have any other Vulnerability or anything unsafe from hackers

 

thanx

 

Arslan

[lynxus]

you still have full directory listing!

 

Either edit your apache config to disable it. or just do what i do sometimes and add a blank index.html to every directory lol

[Coreye]

Only thing that was fixed was;

Full path Disclosure:

http://tune.pk/view_channel.php?user=%3E

Warning: Cookie names can not contain any of the folllowing '=,; \t\r\n\013\014' (view_>) in /home/tuneepk/public_html/includes/classes/user.class.php on line 439

 

All of the others still exist.

[agentsteal]

Array:

http://www.tune.pk/view_channel.php?user[]

 

Cross Site Scripting:

http://www.tune.pk/compose.php?msg=<marquee><h1>vulnerable</marquee>

 

Full Path Disclosure:

http://www.tune.pk/phpinfo.php

 

Full Path Disclosure:

http://www.tune.pk/channels.php?page=-1

Fatal error: Call to a member function recordcount() on a non-object in /home/tuneepk/public_html/channels.php on line 57

 

Full Path Disclosure:

http://www.tune.pk/channels.php?order[]

Warning: Illegal offset type in /home/tuneepk/public_html/channels.php on line 34

 

Warning: Illegal offset type in /home/tuneepk/public_html/channels.php on line 48

 

Full Path Disclosure:

http://www.tune.pk/includes/classes/captcha/example.php?code[]

Warning: md5() expects parameter 1 to be string, array given in /home/tuneepk/public_html/includes/classes/captcha/class.img_validator.php on line 129

 

Warning: ereg() [function.ereg]: REG_EMPTY in /home/tuneepk/public_html/includes/classes/captcha/class.img_validator.php on line 152

 

Full Path Disclosure:

http://www.tune.pk/includes/classes/captcha/example2.php?code[]

Warning: md5() expects parameter 1 to be string, array given in /home/tuneepk/public_html/includes/classes/captcha/class.img_validator.php on line 129

 

Warning: ereg() [function.ereg]: REG_EMPTY in /home/tuneepk/public_html/includes/classes/captcha/class.img_validator.php on line 152

 

Full Path Disclosure:

http://www.tune.pk/includes/active.php

Fatal error: Call to undefined function Assign() in /home/tuneepk/public_html/includes/active.php on line 45

 

Full Path Disclosure:

http://www.tune.pk/includes/defined_links.php

Fatal error: Call to undefined function Assign() in /home/tuneepk/public_html/includes/defined_links.php on line 45

 

Full Path Disclosure:

http://www.tune.pk/includes/modules.php

Warning: mysql_query() [function.mysql-query]: Access denied for user 'tuneepk'@'localhost' (using password: NO) in /home/tuneepk/public_html/includes/modules.php on line 18

 

Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/tuneepk/public_html/includes/modules.php on line 18

 

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/tuneepk/public_html/includes/modules.php on line 19

 

Full Path Disclosure:

http://www.tune.pk/includes/adodb/adodb.php

Fatal error: Call to undefined method stdClass::Connect() in /home/tuneepk/public_html/includes/adodb/adodb.php on line 5

 

Full Path Disclosure:

http://www.tune.pk/includes/adodb/contrib/toxmlrpc.inc.php

Warning: require_once(xmlrpc.inc) [function.require-once]: failed to open stream: No such file or directory in /home/tuneepk/public_html/includes/adodb/contrib/toxmlrpc.inc.php on line 20

 

Fatal error: require_once() [function.require]: Failed opening required 'xmlrpc.inc' (include_path='.:/usr/local/php5/lib/php') in /home/tuneepk/public_html/includes/adodb/contrib/toxmlrpc.inc.php on line 20

 

Full Path Disclosure:

http://www.tune.pk/includes/adodb/datadict/datadict-firebird.inc.php

Fatal error: Class 'ADODB_DataDict' not found in /home/tuneepk/public_html/includes/adodb/datadict/datadict-firebird.inc.php on line 13

 

Full Path Disclosure:

http://www.tune.pk/includes/adodb/drivers/adodb-pdo_mssql.inc.php

Fatal error: Class 'ADODB_pdo' not found in /home/tuneepk/public_html/includes/adodb/drivers/adodb-pdo_mssql.inc.php on line 13

 

Full Path Disclosure:

http://www.tune.pk/includes/adodb/drivers/adodb-pdo_mysql.inc.php

Fatal error: Class 'ADODB_pdo' not found in /home/tuneepk/public_html/includes/adodb/drivers/adodb-pdo_mysql.inc.php on line 13

 

Full Path Disclosure:

http://www.tune.pk/includes/adodb/drivers/adodb-pdo_oci.inc.php

Fatal error: Class 'ADODB_pdo_base' not found in /home/tuneepk/public_html/includes/adodb/drivers/adodb-pdo_oci.inc.php on line 13

 

Full Path Disclosure:

http://www.tune.pk/includes/adodb/drivers/adodb-pdo_pgsql.inc.php

Fatal error: Class 'ADODB_pdo' not found in /home/tuneepk/public_html/includes/adodb/drivers/adodb-pdo_pgsql.inc.php on line 12

 

Full Path Disclosure:

http://www.tune.pk/includes/adodb/drivers/adodb-sybase_ase.inc.php

Warning: require_once(ADODB_DIR/drivers/adodb-sybase.inc.php) [function.require-once]: failed to open stream: No such file or directory in /home/tuneepk/public_html/includes/adodb/drivers/adodb-sybase_ase.inc.php on line 14

 

Fatal error: require_once() [function.require]: Failed opening required 'ADODB_DIR/drivers/adodb-sybase.inc.php' (include_path='.:/usr/local/php5/lib/php') in /home/tuneepk/public_html/includes/adodb/drivers/adodb-sybase_ase.inc.php on line 14

 

Full Path Disclosure:

http://www.tune.pk/includes/adodb/pear/Auth/Container/ADOdb.php

Warning: require_once(Auth/Container.php) [function.require-once]: failed to open stream: No such file or directory in /home/tuneepk/public_html/includes/adodb/pear/Auth/Container/ADOdb.php on line 23

 

Fatal error: require_once() [function.require]: Failed opening required 'Auth/Container.php' (include_path='.:/usr/local/php5/lib/php') in /home/tuneepk/public_html/includes/adodb/pear/Auth/Container/ADOdb.php on line 23

 

Full Path Disclosure:

http://www.tune.pk/includes/adodb/session/adodb-compress-bzip2.php

Fatal error: bzip2 functions are not available in /home/tuneepk/public_html/includes/adodb/session/adodb-compress-bzip2.php on line 14

 

Full Path Disclosure:

http://www.tune.pk/includes/adodb/session/adodb-encrypt-secret.php

Fatal error: Directory not found: '/home/tuneepk/public_html/includes/horde' in /home/tuneepk/public_html/includes/adodb/session/adodb-encrypt-secret.php on line 16

 

Full Path Disclosure:

http://www.tune.pk/includes/adodb/session/old/adodb-cryptsession.php

Warning: include(/home/tuneepk/public_html/includes/adodb/session/old/adodb.inc.php) [function.include]: failed to open stream: No such file or directory in /home/tuneepk/public_html/includes/adodb/session/old/adodb-cryptsession.php on line 64

 

Warning: include() [function.include]: Failed opening '/home/tuneepk/public_html/includes/adodb/session/old/adodb.inc.php' for inclusion (include_path='.:/usr/local/php5/lib/php') in /home/tuneepk/public_html/includes/adodb/session/old/adodb-cryptsession.php on line 64

 

Full Path Disclosure:

http://www.tune.pk/includes/adodb/session/old/adodb-session-clob.php

Warning: include(/home/tuneepk/public_html/includes/adodb/session/old/adodb.inc.php) [function.include]: failed to open stream: No such file or directory in /home/tuneepk/public_html/includes/adodb/session/old/adodb-session-clob.php on line 90

 

Warning: include() [function.include]: Failed opening '/home/tuneepk/public_html/includes/adodb/session/old/adodb.inc.php' for inclusion (include_path='.:/usr/local/php5/lib/php') in /home/tuneepk/public_html/includes/adodb/session/old/adodb-session-clob.php on line 90

 

Full Path Disclosure:

http://www.tune.pk/includes/adodb/session/old/adodb-session.php

Warning: include(/home/tuneepk/public_html/includes/adodb/session/old/adodb.inc.php) [function.include]: failed to open stream: No such file or directory in /home/tuneepk/public_html/includes/adodb/session/old/adodb-session.php on line 100

 

Warning: include() [function.include]: Failed opening '/home/tuneepk/public_html/includes/adodb/session/old/adodb.inc.php' for inclusion (include_path='.:/usr/local/php5/lib/php') in /home/tuneepk/public_html/includes/adodb/session/old/adodb-session.php on line 100

 

Full Path Disclosure:

http://www.tune.pk/includes/adodb/tests/benchmark.php

Fatal error: Class 'VARIANT' not found in /home/tuneepk/public_html/includes/adodb/drivers/adodb-ado5.inc.php on line 42

 

Full Path Disclosure:

http://www.tune.pk/includes/adodb/tests/pdo.php

Fatal error:  Class 'PDO' not found in /home/tuneepk/public_html/includes/adodb/drivers/adodb-pdo.inc.php on line 166

 

Full Path Disclosure:

http://www.tune.pk/includes/adodb/tests/test-active-record.php

Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'root'@'localhost' (using password: NO) in /home/tuneepk/public_html/includes/adodb/drivers/adodb-mysql.inc.php on line 365

 

Fatal error: Call to undefined method stdClass::Execute() in /home/tuneepk/public_html/includes/adodb/tests/test-active-record.php on line 18

 

Full Path Disclosure:

http://www.tune.pk/includes/adodb/tests/test-active-recs2.php

Notice: Use of undefined constant OCI_COMMIT_ON_SUCCESS - assumed 'OCI_COMMIT_ON_SUCCESS' in /home/tuneepk/public_html/includes/adodb/adodb.inc.php on line 4084

 

Fatal error: Call to a member function ServerInfo() on a non-object in /home/tuneepk/public_html/includes/adodb/tests/test-active-recs2.php on line 21

 

Full Path Disclosure:

http://www.tune.pk/includes/adodb/tests/test-datadict.php

Notice: Use of undefined constant ODBC_BINMODE_RETURN - assumed 'ODBC_BINMODE_RETURN' in /home/tuneepk/public_html/includes/adodb/adodb.inc.php on line 4084

 

Notice: Use of undefined constant SQL_CUR_USE_DRIVER - assumed 'SQL_CUR_USE_DRIVER' in /home/tuneepk/public_html/includes/adodb/adodb.inc.php on line 4084

 

Notice: Use of undefined constant ODBC_BINMODE_RETURN - assumed 'ODBC_BINMODE_RETURN' in /home/tuneepk/public_html/includes/adodb/adodb.inc.php on line 4084

 

Notice: Use of undefined constant SQL_CUR_USE_DRIVER - assumed 'SQL_CUR_USE_DRIVER' in /home/tuneepk/public_html/includes/adodb/adodb.inc.php on line 4084

 

Fatal error: Call to undefined function pg_escape_string() in /home/tuneepk/public_html/includes/adodb/drivers/adodb-postgres64.inc.php on line 241

 

Full Path Disclosure:

http://www.tune.pk/includes/adodb/tests/test-php5.php

Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'root'@'localhost' (using password: NO) in /home/tuneepk/public_html/includes/adodb/drivers/adodb-mysql.inc.php on line 365

 

Full Path Disclosure:

http://www.tune.pk/includes/adodb/tests/test-xmlschema.php

Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'root'@'localhost' (using password: NO) in /home/tuneepk/public_html/includes/adodb/drivers/adodb-mysql.inc.php on line 365

 

Full Path Disclosure:

http://www.tune.pk/includes/adodb/tests/test.php

Warning: mysql_pconnect() [function.mysql-pconnect]: Access denied for user 'root'@'localhost' (using password: NO) in /home/tuneepk/public_html/includes/adodb/drivers/adodb-mysql.inc.php on line 383

 

Notice: Trying to get property of non-object in /home/tuneepk/public_html/includes/adodb/tests/testdatabases.inc.php on line 244

 

Full Path Disclosure:

http://www.tune.pk/includes/adodb/tests/test2.php

Fatal error: Class 'VARIANT' not found in /home/tuneepk/public_html/includes/adodb/drivers/adodb-ado5.inc.php on line 42

 

Full Path Disclosure:

http://www.tune.pk/includes/adodb/tests/test3.php

Notice: Use of undefined constant OCI_COMMIT_ON_SUCCESS - assumed 'OCI_COMMIT_ON_SUCCESS' in /home/tuneepk/public_html/includes/adodb/adodb.inc.php on line 4084

 

Full Path Disclosure:

http://www.tune.pk/includes/adodb/tests/test4.php

Warning: mysql_pconnect() [function.mysql-pconnect]: Access denied for user 'root'@'localhost' (using password: NO) in /home/tuneepk/public_html/includes/adodb/drivers/adodb-mysql.inc.php on line 383

 

Fatal error: Class 'PDO' not found in /home/tuneepk/public_html/includes/adodb/drivers/adodb-pdo.inc.php on line 166

 

Full Path Disclosure:

http://www.tune.pk/includes/adodb/tests/testcache.php

Warning: mysql_pconnect() [function.mysql-pconnect]: Unknown MySQL server host 'mangrove' (1) in /home/tuneepk/public_html/includes/adodb/drivers/adodb-mysql.inc.php on line 383

 

Fatal error: Call to a member function GetArray() on a non-object in /home/tuneepk/public_html/includes/adodb/tests/testcache.php on line 27

 

Full Path Disclosure:

http://www.tune.pk/includes/adodb/tests/testdatabases.inc.php

Fatal error: Call to undefined function ADOLoadCode() in /home/tuneepk/public_html/includes/adodb/tests/testdatabases.inc.php on line 295

 

Full Path Disclosure:

http://www.tune.pk/includes/adodb/tests/testoci8.php

Notice: Use of undefined constant OCI_COMMIT_ON_SUCCESS - assumed 'OCI_COMMIT_ON_SUCCESS' in /home/tuneepk/public_html/includes/adodb/adodb.inc.php on line 4084

 

Fatal error: Call to undefined function OCIParse() in /home/tuneepk/public_html/includes/adodb/drivers/adodb-oci8.inc.php on line 1001

 

Full Path Disclosure:

http://www.tune.pk/includes/adodb/tests/testoci8cursor.php

Notice: Use of undefined constant OCI_COMMIT_ON_SUCCESS - assumed 'OCI_COMMIT_ON_SUCCESS' in /home/tuneepk/public_html/includes/adodb/adodb.inc.php on line 4084

 

Fatal error: Call to undefined function OCIParse() in /home/tuneepk/public_html/includes/adodb/drivers/adodb-oci8.inc.php on line 790

 

Full Path Disclosure:

http://www.tune.pk/includes/adodb/tests/testpaging.php

Notice: Use of undefined constant OCI_COMMIT_ON_SUCCESS - assumed 'OCI_COMMIT_ON_SUCCESS' in /home/tuneepk/public_html/includes/adodb/adodb.inc.php on line 4084

/tmp/a1/adodb_a181357cebe358f933ab1260fe0237d1.cache cache failure: /tmp/a1/adodb_a181357cebe358f933ab1260fe0237d1.cache file/URL not found (see sql below)

 

Fatal error: Call to undefined function OCIParse() in /home/tuneepk/public_html/includes/adodb/drivers/adodb-oci8.inc.php on line 1001

 

Full Path Disclosure:

http://www.tune.pk/includes/adodb/tests/testpear.php

Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'root'@'localhost' (using password: NO) in /home/tuneepk/public_html/includes/adodb/drivers/adodb-mysql.inc.php on line 365

 

Fatal error: Call to undefined method PEAR_Error::setFetchMode() in /home/tuneepk/public_html/includes/adodb/tests/testpear.php on line 24

 

Full Path Disclosure:

http://www.tune.pk/includes/classes/TFile.php

Parse error: syntax error, unexpected ':' in /home/tuneepk/public_html/includes/classes/TFile.php on line 11

 

Full Path Disclosure:

http://www.tune.pk/includes/playerconfig/config.xml.php

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/tuneepk/public_html/includes/playerconfig/config.xml.php:15) in /home/tuneepk/public_html/includes/config.inc.php on line 18

/home/tuneepk/public_html/videos/ http://tune.pk/includes/playerconfig/videolist.xml.php video1.flv ./ 50 0x550000

 

Full Path Disclosure:

http://www.tune.pk/includes/templatelib/Template_Compiler.class.php

Fatal error: Class 'Smarty' not found in /home/tuneepk/public_html/includes/templatelib/Template_Compiler.class.php on line 35

 

Full Path Disclosure:

http://www.tune.pk/includes/templatelib/plugins/modifier.date_format.php

Fatal error: Call to a member function _get_plugin_filepath() on a non-object in /home/tuneepk/public_html/includes/templatelib/plugins/modifier.date_format.php on line 11

 

Includes Directory:

http://www.tune.pk/includes/

 

Insecure Cookie:

You shouldn't put the username in the cookie.

 

SQL Dump:

http://www.tune.pk/includes/adodb/session/adodb-sessions.mysql.sql

 

SQL Dump:

http://www.tune.pk/includes/adodb/session/adodb-sessions.oracle.clob.sql

 

SQL Dump:

http://www.tune.pk/includes/adodb/session/adodb-sessions.oracle.sql

 

SQL Dump:

http://www.tune.pk/includes/adodb/tests/test-datadict.php

 

User Enumeration:

http://www.tune.pk/~tuneepk

[ahzulfi]

Thank You Bros , i have remove all the the above given errors {i guess}, but please tell me how i can Prevent the Inlcudes Directory Access, although i have put the index.php file in it but i know nothing about MOD_REWRITE  ??? so please tell me how can i change the Includes Directory Access Previliges.

 

And please tell me if there is more bugs, so that i fix em all, coz i m going to sale this script in feature.

 

Thanks

Arslan

[ahzulfi]

and one more thing, i have used POST method mostly so is it possible to do VULNERABILITY through POST methods ??