quickstopman Posted January 21, 2008 Share Posted January 21, 2008 also.. please don't spam my site with all weird stuff... agentseal, everyone knows who they are. http://www.socialgrabbr.com Link to comment https://forums.phpfreaks.com/topic/87026-any-vulnerablities/ Share on other sites More sharing options...
Coreye Posted January 21, 2008 Share Posted January 21, 2008 Cross Site Scripting: There is Cross Site Scripting when you register if the fields contain ">code. Cross Site Scripting: There is Cross Site Scripting when you login if the fields contain ">code. Cross Site Scripting: There is Cross Site Scripting when editing your profile if the fields contain ">code. Link to comment https://forums.phpfreaks.com/topic/87026-any-vulnerablities/#findComment-445059 Share on other sites More sharing options...
quickstopman Posted January 21, 2008 Author Share Posted January 21, 2008 should i make them all mysql_real_escape() strings ? Link to comment https://forums.phpfreaks.com/topic/87026-any-vulnerablities/#findComment-445190 Share on other sites More sharing options...
quickstopman Posted January 21, 2008 Author Share Posted January 21, 2008 well for some reason all of the things that can have cross site scripting are mysql_real_escape_string()'s how do i solve this? Link to comment https://forums.phpfreaks.com/topic/87026-any-vulnerablities/#findComment-445196 Share on other sites More sharing options...
john010117 Posted January 21, 2008 Share Posted January 21, 2008 Try using htmlentities() also. Link to comment https://forums.phpfreaks.com/topic/87026-any-vulnerablities/#findComment-445317 Share on other sites More sharing options...
agentsteal Posted January 21, 2008 Share Posted January 21, 2008 Cross Site Scripting: There is Cross Site Scripting when you log in if your username contains ">code. Cross Site Scripting: There is Cross Site Scripting when you register if the fields contain ">code. Cross Site Scripting: There is Cross Site Scripting in the profile if the fields contain ">code. User Enumeration: http://www.socialgrabbr.com/~pokebash User Enumeration: http://www.socialgrabbr.com/~root Link to comment https://forums.phpfreaks.com/topic/87026-any-vulnerablities/#findComment-445436 Share on other sites More sharing options...
quickstopman Posted January 22, 2008 Author Share Posted January 22, 2008 how do i stop this!?!?!?!?! ??? ??? Link to comment https://forums.phpfreaks.com/topic/87026-any-vulnerablities/#findComment-445672 Share on other sites More sharing options...
ahzulfi Posted January 22, 2008 Share Posted January 22, 2008 i use following two to make my VARIABLES clean //This For Simple Cleaning Varialble function clean($string) { $string = stripslashes($string); $string = htmlentities($string); $string = strip_tags($string); return $string; } //Mysql Clean Queries function mysql_clean($id){ $id = clean($id); if (get_magic_quotes_gpc()) { $id = stripslashes($id); } $id = mysql_real_escape_string($id); return $id; } hope this will solve your problem Link to comment https://forums.phpfreaks.com/topic/87026-any-vulnerablities/#findComment-445931 Share on other sites More sharing options...
Lumio Posted January 22, 2008 Share Posted January 22, 2008 Fatal error: Call to undefined function htmlenitities() in /home/pokebash/public_html/socialgrabbr/register.php on line 15 ... htmlentities and not htmlenitities Link to comment https://forums.phpfreaks.com/topic/87026-any-vulnerablities/#findComment-446196 Share on other sites More sharing options...
quickstopman Posted January 23, 2008 Author Share Posted January 23, 2008 i fixed the XSS thanks guys Link to comment https://forums.phpfreaks.com/topic/87026-any-vulnerablities/#findComment-446512 Share on other sites More sharing options...
Coreye Posted January 23, 2008 Share Posted January 23, 2008 Registration errors Full Path Disclosure still. Fatal error: Call to undefined function htmlenitities() in /home/pokebash/public_html/socialgrabbr/register.php on line 21 Link to comment https://forums.phpfreaks.com/topic/87026-any-vulnerablities/#findComment-446773 Share on other sites More sharing options...
helraizer Posted January 23, 2008 Share Posted January 23, 2008 Registration errors Full Path Disclosure still. Fatal error: Call to undefined function htmlenitities() in /home/pokebash/public_html/socialgrabbr/register.php on line 21 Just so you know (quickstopman), htmlentities is only available in php5 so if your host has anything less then it will not work and if they have php4 and php5 (like flowinernet) then .php will be php4 by default. So you might need to save it as .php5 Sam Link to comment https://forums.phpfreaks.com/topic/87026-any-vulnerablities/#findComment-446964 Share on other sites More sharing options...
obsidian Posted January 23, 2008 Share Posted January 23, 2008 Just so you know (quickstopman), htmlentities is only available in php5 so if your host has anything less then it will not work and if they have php4 and php5 (like flowinernet) then .php will be php4 by default. So you might need to save it as .php5 Sam Where did you get your information? According to the PHP manual, htmlentities is clearly available in both PHP4 and PHP5. Link to comment https://forums.phpfreaks.com/topic/87026-any-vulnerablities/#findComment-446969 Share on other sites More sharing options...
helraizer Posted January 23, 2008 Share Posted January 23, 2008 Just so you know (quickstopman), htmlentities is only available in php5 so if your host has anything less then it will not work and if they have php4 and php5 (like flowinernet) then .php will be php4 by default. So you might need to save it as .php5 Sam Where did you get your information? According to the PHP manual, htmlentities is clearly available in both PHP4 and PHP5. Oh, my bad. I got it mixed up. Sorry. Link to comment https://forums.phpfreaks.com/topic/87026-any-vulnerablities/#findComment-447069 Share on other sites More sharing options...
darkfreaks Posted July 9, 2008 Share Posted July 9, 2008 User credentials are sent in clear text The impact of this vulnerability A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection. How to fix this vulnerability Because user credentials usually are considered sensitive information, it is recommended to be sent to the server over an encrypted connection. Password type input with autocomplete The impact of this vulnerability Possible sensitive information disclosure How to fix this vulnerability The password autocomplete should be disabled in sensitive applications. To disable autocomplete, you may use a code similar to: <INPUT TYPE="password" AUTOCOMPLETE="off"> Apache Mod_SSL SSL_Util_UUEncode_Binary Stack Buffer Overflow Vulnerability Vulnerability description This alert was generated using only banner information. It may be a false positive. A stack-based buffer overflow has been reported in the Apache mod_ssl module. This issue would most likely result in a denial of service if triggered, but could theoretically allow for execution of arbitrary code. The issue is not believed to be exploitable to execute arbitrary code on x86 architectures, though this may not be the case with other architectures. Affected mod_ssl versions (up to 2.8.17). This vulnerability affects mod_ssl. The impact of this vulnerability Denial of service and/or possible arbitrary code execution. Attack details Current version is mod_ssl/2.2.8 OpenSSL/0.9.8g DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/4.4.8 How to fix this vulnerability Upgrade mod_ssl to the latest version. Link to comment https://forums.phpfreaks.com/topic/87026-any-vulnerablities/#findComment-585602 Share on other sites More sharing options...
Recommended Posts