A2xA Posted January 29, 2008 Share Posted January 29, 2008 On My site http://wiicharged.com I have made the game hubs option. Right now the options that I'm wanting you to test out are the create a hub and join a hub option. The hub can be found here http://wiicharged.com/index.php?action=hubs First thing to test security: Make the hubs. http://wiicharged.com/index.php?action=hubs;sa=make; How this works is when they create a hub the first step actually creates the folder and the second step copyies the main "hub" files from a directory to their folder. When they think their confirming it or whatever (clever ) Second thing to test security Join the hubs/actual hub itself http://wiicharged.com/index.php?action=hubs;sa=join; The user types in their "hub ID" and it pops up their "hub" Which is a flash file that writes to a txt file. Don't bash it up too much. It's my first script and I plan to add more later. As for the visual aspect of it. I'm not done. I just tried to put the main stuff in there (the script) Please tell me how I can improve the security of my script before I release it? Thanks! Link to comment Share on other sites More sharing options...
A2xA Posted January 29, 2008 Author Share Posted January 29, 2008 Dammint I guess it wasn't secure. Some people made some stuff that I didn't want and I was "Hacked" I guess. On the folders option they made it and now I can't delete it. My site is on maintenece now. Thanks guys I really appreciate it. Link to comment Share on other sites More sharing options...
A2xA Posted January 29, 2008 Author Share Posted January 29, 2008 Okay I managed to delete the stuff before it could do any damage. Once again thank you for whoever was doing that. It even screwed up the chat. Anyways....can someone help me make this more secure. It's apparently easy to get into because within 30 seconds of opening this thread it happened Link to comment Share on other sites More sharing options...
agentsteal Posted January 29, 2008 Share Posted January 29, 2008 Admin Access: http://www.wiicharged.com/hubs/hubs(backup).html contains your username and password. Cross Site Scripting: There is Cross Site Scripting if the hub name contains ">code. Directory Transversal: There is Directory Transversal if the hub name contains ../ Full Path Disclosure: http://www.wiicharged.com/hubchat/hubex/shout.php Warning: Cannot modify header information - headers already sent by (output started at /home/wiicharg/public_html/hubchat/hubex/shout.php:4) in /home/wiicharg/public_html/hubchat/hubex/shout.php on line 9 Warning: Cannot modify header information - headers already sent by (output started at /home/wiicharg/public_html/hubchat/hubex/shout.php:4) in /home/wiicharg/public_html/hubchat/hubex/shout.php on line 10 Warning: Cannot modify header information - headers already sent by (output started at /home/wiicharg/public_html/hubchat/hubex/shout.php:4) in /home/wiicharg/public_html/hubchat/hubex/shout.php on line 11 Full Path Disclosure: http://www.wiicharged.com/hubchat/insert.php Warning: mkdir() [function.mkdir]: File exists in /home/wiicharg/public_html/hubchat/insert.php on line 6 Full Path Disclosure: http://www.wiicharged.com/hubchat/shout.php Warning: Cannot modify header information - headers already sent by (output started at /home/wiicharg/public_html/hubchat/shout.php:4) in /home/wiicharg/public_html/hubchat/shout.php on line 9 Warning: Cannot modify header information - headers already sent by (output started at /home/wiicharg/public_html/hubchat/shout.php:4) in /home/wiicharg/public_html/hubchat/shout.php on line 10 Warning: Cannot modify header information - headers already sent by (output started at /home/wiicharg/public_html/hubchat/shout.php:4) in /home/wiicharg/public_html/hubchat/shout.php on line 11 Full Path Disclosure: http://www.wiicharged.com/hubchat/test.php Warning: mkdir() [function.mkdir]: File exists in /home/wiicharg/public_html/hubchat/test.php on line 3 Full Path Disclosure: http://www.wiicharged.com/hubs/table.php Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'hub'@'localhost' (using password: YES) in /home/wiicharg/public_html/hubs/table.php on line 6 Full Path Disclosure: http://www.wiicharged.com/hubs/put.php Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'wiicharg_smf2'@'localhost' (using password: YES) in /home/wiicharg/public_html/hubs/put.php on line 3 Access denied for user 'wiicharg_smf2'@'localhost' (using password: YES) Full Path Disclosure: http://www.wiicharged.com/hubs/insert.php Warning: mkdir() [function.mkdir]: File exists in /home/wiicharg/public_html/hubs/insert.php on line 6 Full Path Disclosure: http://www.wiicharged.com/hubs/database.php Error creating database: Access denied for user 'wiicharg_hubs'@'localhost' to database 'my_db' PHP Source Code Disclosure: http://www.wiicharged.com/hubs/hubs(backup).html PHP Source Code Disclosure: http://www.wiicharged.com/hubchat/shoutfile.txt User Enumeration: http://www.wiicharged.com/~root User Enumeration: http://www.wiicharged.com/~wiicharg You can create folders in http://www.wiicharged.com/hubchat/ if the hub name is set to the folder name. You can create folders in any directory if the hub name is set to ../foldername. You can create txt files in http://www.wiicharged.com/hub/ on http://www.wiicharged.com/hubs/1.php Link to comment Share on other sites More sharing options...
Coreye Posted January 29, 2008 Share Posted January 29, 2008 Cross Site Scripting: You can submit ">code on http://www.wiicharged.com/hubchat/popup.php and http://www.wiicharged.com/hubs/popup.php. Cross Site Scripting: You can submit ">code on http://www.wiicharged.com/hubchat/make.php and http://www.wiicharged.com/hubs/make.php. Link to comment Share on other sites More sharing options...
Coreye Posted January 29, 2008 Share Posted January 29, 2008 Cross Site Scripting: You can submit ">code on http://wiicharged.com/index.php?action=hubs;sa=join; Link to comment Share on other sites More sharing options...
A2xA Posted January 29, 2008 Author Share Posted January 29, 2008 can you tell me how to fix some of this stuff because apparently I'm not very good at securing my script :-\ Link to comment Share on other sites More sharing options...
tibberous Posted January 30, 2008 Share Posted January 30, 2008 Sweet looking site - shame it got ate so fast. Link to comment Share on other sites More sharing options...
valtido Posted January 30, 2008 Share Posted January 30, 2008 you website is amazing lool i got one but i just dont have the patience to make it good loool however the games are down at the bottom and ppl might find it annoying to scroll loool if that helps anybit Link to comment Share on other sites More sharing options...
A2xA Posted January 31, 2008 Author Share Posted January 31, 2008 games are down? Link to comment Share on other sites More sharing options...
A2xA Posted January 31, 2008 Author Share Posted January 31, 2008 oh and thanks for the compliment by the way. Your site is cool too! Link to comment Share on other sites More sharing options...
phpSensei Posted January 31, 2008 Share Posted January 31, 2008 Just a little advice, make your little clock tick the other way around. Other then that, I have only found or came by a few of the bugs Agent Posted. Protect those files by redirecting anonymous users from accessing them... Link to comment Share on other sites More sharing options...
A2xA Posted January 31, 2008 Author Share Posted January 31, 2008 okay thanks, I have fixed the forms with form validation and re-directed members that haven't joined. And deleted all files that needed to be deleted. Thanks for the advice and help! Link to comment Share on other sites More sharing options...
sub7av Posted January 31, 2008 Share Posted January 31, 2008 phpSensei You took nearly $500 from me for a project and you have not done anything or even contacted me. Send me my money back right now or I will contact the police, dont mess with me! You come online like its nothing, I done some research and found others you have scammed also out of money. Do not test me! Send me every single penny back or you will be going to jail! Link to comment Share on other sites More sharing options...
A2xA Posted February 1, 2008 Author Share Posted February 1, 2008 what the heck are you talking about? Nevermind, I thought you were talking to me. Link to comment Share on other sites More sharing options...
helraizer Posted February 1, 2008 Share Posted February 1, 2008 phpSensei You took nearly $500 from me for a project and you have not done anything or even contacted me. Send me my money back right now or I will contact the police, dont mess with me! You come online like its nothing, I done some research and found others you have scammed also out of money. Do not test me! Send me every single penny back or you will be going to jail! Maybe that'll teach you to pay upfront, aye? Link to comment Share on other sites More sharing options...
phpSensei Posted February 1, 2008 Share Posted February 1, 2008 phpSensei You took nearly $500 from me for a project and you have not done anything or even contacted me. Send me my money back right now or I will contact the police, dont mess with me! You come online like its nothing, I done some research and found others you have scammed also out of money. Do not test me! Send me every single penny back or you will be going to jail! Who the hell are you? The only person I am working with right now is Unik Design you jack ass... I know who this is, and its not working. Link to comment Share on other sites More sharing options...
phpSensei Posted February 1, 2008 Share Posted February 1, 2008 Stop lying you jack ass Link to comment Share on other sites More sharing options...
phpSensei Posted February 1, 2008 Share Posted February 1, 2008 Link to comment Share on other sites More sharing options...
phpSensei Posted February 1, 2008 Share Posted February 1, 2008 Link to comment Share on other sites More sharing options...
phpSensei Posted February 1, 2008 Share Posted February 1, 2008 Link to comment Share on other sites More sharing options...
Recommended Posts