any vulnerabilities???


quickstopman

Cross Site Scripting:

There is Cross Site Scripting when you register if the fields contain ">code.

 

Cross Site Scripting:

There is Cross Site Scripting when you login if the fields contain ">code.

 

Cross Site Scripting:

There is Cross Site Scripting when editing your profile if the fields contain ">code.

Link to comment
Share on other sites

Cross Site Scripting:

There is Cross Site Scripting when you log in if your username contains ">code.

 

Cross Site Scripting:

There is Cross Site Scripting when you register if the fields contain ">code.

 

Cross Site Scripting:

There is Cross Site Scripting in the profile if the fields contain ">code.

 

User Enumeration:

http://www.socialgrabbr.com/~pokebash

 

User Enumeration:

http://www.socialgrabbr.com/~root

Link to comment
Share on other sites

I use the following two to make my VARIABLES clean

 

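// Simple variable cleaning
function clean($string) {
	// Undo magic-quotes escaping only when it was applied; an unconditional
	// stripslashes() also removes backslashes the user really typed.
	if (get_magic_quotes_gpc()) {
		$string = stripslashes($string);
	}
	// Strip tags before encoding: after htmlentities() there are no tags left to strip.
	$string = strip_tags($string);
	// ENT_QUOTES encodes single quotes as well as double quotes.
	$string = htmlentities($string, ENT_QUOTES);
	return $string;
}

// MySQL query cleaning
function mysql_clean($id) {
	// clean() has already handled magic quotes, so there is no second stripslashes() here.
	$id = clean($id);
	// Requires an open mysql_connect() link.
	$id = mysql_real_escape_string($id);
	return $id;
}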

 

Hope this will solve your problem.

Link to comment
Share on other sites
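
An added example, not part of any post in this thread: the `">code` input reported above, escaped at the point where it is written into the page, with the raw value stored through a bound parameter instead of being HTML-encoded before the query. It assumes PHP 5.1 or later with PDO and the SQLite driver; `h()`, `render_field()`, `save_username()` and the `users` table are hypothetical names, and the sample value is constructed.

```php
<?php
// Added example (not from the thread). All names and the sample value are constructed.

// Escape a value for an HTML text node or a quoted attribute value, at output time.
function h($value) {
    return htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');
}

// Before: the submitted value is echoed straight back into the attribute,
// so a value starting with "> closes the attribute and the tag.
function render_field_unsafe($name, $value) {
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// After: name and value are both escaped for the attribute context.
function render_field($name, $value) {
    return '<input type="text" name="' . h($name) . '" value="' . h($value) . '">';
}

// Store the raw value with a bound parameter; no HTML encoding on the way in,
// so the database keeps exactly what the user typed.
function save_username(PDO $db, $username) {
    $stmt = $db->prepare('INSERT INTO users (username) VALUES (:u)');
    $stmt->execute(array(':u' => $username));
}

$submitted = '">code';   // constructed sample, the pattern reported in the thread

echo render_field_unsafe('username', $submitted), "\n";
echo render_field('username', $submitted), "\n";

// In-memory database so the example runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT)');
save_username($db, $submitted);

// Read the value back and escape it only when it is rendered again.
$stored = $db->query('SELECT username FROM users')->fetchColumn();
echo ($stored === $submitted ? "stored unchanged\n" : "stored value altered\n");
echo render_field('username', $stored), "\n";
```
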

Registration errors Full Path Disclosure still.

Fatal error: Call to undefined function htmlenitities() in /home/pokebash/public_html/socialgrabbr/register.php on line 21

 

Just so you know (quickstopman), htmlentities is only available in php5 so if your host has anything less then it will not work and if they have php4 and php5 (like flowinernet) then .php will be php4 by default. So you might need to save it as .php5

 

Sam

Link to comment
Share on other sites

Just so you know (quickstopman), htmlentities is only available in php5 so if your host has anything less then it will not work and if they have php4 and php5 (like flowinernet) then .php will be php4 by default. So you might need to save it as .php5

 

Sam

 

Where did you get your information? According to the PHP manual, htmlentities is clearly available in both PHP4 and PHP5.

Link to comment
Share on other sites

Just so you know (quickstopman), htmlentities is only available in php5 so if your host has anything less then it will not work and if they have php4 and php5 (like flowinernet) then .php will be php4 by default. So you might need to save it as .php5

 

Sam

 

Where did you get your information? According to the PHP manual, htmlentities is clearly available in both PHP4 and PHP5.

 

Oh, my bad. I got it mixed up. Sorry.

Link to comment
Share on other sites

  • 5 months later...

User credentials are sent in clear text

 

The impact of this vulnerability

A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection.

How to fix this vulnerability

Because user credentials usually are considered sensitive information, it is recommended to be sent to the server over an encrypted connection.

Password type input with autocomplete

 

 

The impact of this vulnerability

Possible sensitive information disclosure

 

How to fix this vulnerability

The password autocomplete should be disabled in sensitive applications.

To disable autocomplete, you may use a code similar to:

<INPUT TYPE="password" AUTOCOMPLETE="off">

 

 

Apache Mod_SSL SSL_Util_UUEncode_Binary Stack Buffer Overflow Vulnerability

Vulnerability description

This alert was generated using only banner information. It may be a false positive.

 

A stack-based buffer overflow has been reported in the Apache mod_ssl module. This issue would most likely result in a denial of service if triggered, but could theoretically allow for execution of arbitrary code. The issue is not believed to be exploitable to execute arbitrary code on x86 architectures, though this may not be the case with other architectures.

 

Affected mod_ssl versions (up to 2.8.17).

 

This vulnerability affects mod_ssl.

The impact of this vulnerability

Denial of service and/or possible arbitrary code execution.

 

Attack details

Current version is mod_ssl/2.2.8 OpenSSL/0.9.8g DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/4.4.8

 

How to fix this vulnerability

Upgrade mod_ssl to the latest version.

 

Link to comment
Share on other sites
