chrischen, posted February 19, 2008

I've pretty much completed my website. All that's left is a few more layout things. If you guys could test out my site, that would be great. The search, registration system, login system, and coupon and merchant saving system all have lots of areas where one can hack. I've tried to take the security of these features into consideration, but my PHP knowledge is limited, so I would really appreciate it if anyone can point out any problems. If you need some of my PHP code, I can provide that too. The site is www.shopwisely.org. It's a nonprofit website that allows you to donate a percentage of what you spend online to charity at no extra cost to you. Some of the stuff that needs to be tested requires an account, though. To check if someone is logged in, I check to see if a session variable containing their unique 64-char ID, which is never revealed, is set. Thanks!
agentsteal, posted February 19, 2008

Cross Site Scripting:
http://www.shopwisely.org/save.php?totalRows_newdeals=1<marquee><h1>vulnerable</marquee>

Cross Site Scripting:
http://www.shopwisely.org/save.php?"><marquee><h1>vulnerable</marquee>

Full Path Disclosure:
http://www.shopwisely.org/save.php?pageNum_newdeals[]
Fatal error: Unsupported operand types in /home/awemptyn/public_html/donate/save.php on line 45

Full Path Disclosure:
http://www.shopwisely.org/~awemptyn
Warning: require(/home/awemptyn/public_html/donate/boards/SSI.php) [function.require]: failed to open stream: No such file or directory in /home/awemptyn/public_html/includes/header.inc on line 1
Fatal error: require() [function.require]: Failed opening required '/home/awemptyn/public_html/donate/boards/SSI.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/awemptyn/public_html/includes/header.inc on line 1

Full Path Disclosure:
http://www.shopwisely.org/save.php?totalRows_newdeals[]
Fatal error: Unsupported operand types in /home/awemptyn/public_html/donate/save.php on line 75

SQL Error:
http://www.shopwisely.org/save.php?pageNum_newdeals=-1
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-11, 11' at line 1

User Enumeration:
http://www.shopwisely.org/~awemptyn

User Enumeration:
http://www.shopwisely.org/~root
chrischen (author), posted February 19, 2008

Hey, great, thanks, but how do I fix this one:
http://www.shopwisely.org/save.php?pageNum_newdeals[]
and this one:
http://www.shopwisely.org/~awemptyn

These two don't seem to be a problem, or are they?
http://www.shopwisely.org/save.php?"><marquee><h1>vulnerable</marquee>
http://www.shopwisely.org/~root
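The findings agentsteal listed and the "how do I fix this" question above all come from the same handful of lines in a paging script. The following is an added example, not code from shopwisely.org or from anyone in this thread: it rebuilds the kind of recordset paging that parameter names like pageNum_newdeals and totalRows_newdeals suggest (an assumption about the site's code), first in the shape that produces the reported symptoms and then hardened. The table name `newdeals`, the page size of 11 (chosen to reproduce the `LIMIT -11, 11` error in the thread), the link markup and the PHP 7.1+ syntax are all assumptions.

```php
<?php
// Added example, not code from shopwisely.org or from this thread. It rebuilds the
// recordset-paging pattern that the parameter names pageNum_newdeals and
// totalRows_newdeals suggest (assumption) in the shape that produces the reported
// symptoms, then a hardened version. Table name `newdeals`, page size 11 and the
// link markup are assumptions. Requires PHP 7.1+.
declare(strict_types=1);

const MAX_ROWS = 11;

// --- Vulnerable shape: reproduces the findings reported in the thread ----------
function vulnerablePage(array $get): array
{
    // No type check: ?pageNum_newdeals[] arrives as an array, and array * int is a
    // fatal "Unsupported operand types"; with display_errors on, the error message
    // carries the full filesystem path to the browser.
    $pageNum = isset($get['pageNum_newdeals']) ? $get['pageNum_newdeals'] : 0;
    $startRow = $pageNum * MAX_ROWS;            // "-1" gives -11 -> "LIMIT -11, 11"

    // Input concatenated straight into SQL: a negative page breaks the query (the
    // MySQL error in the thread), and a non-numeric string is injectable.
    $sql = "SELECT * FROM newdeals LIMIT $startRow, " . MAX_ROWS;

    // totalRows is echoed back into a link unescaped: reflected XSS.
    $totalRows = isset($get['totalRows_newdeals']) ? $get['totalRows_newdeals'] : 0;
    $html = '<a href="save.php?pageNum_newdeals=' . ($pageNum + 1)
          . '&totalRows_newdeals=' . $totalRows . '">next</a>';

    return ['sql' => $sql, 'html' => $html];
}

// --- Hardened version ------------------------------------------------------------
function pageNumber($raw): int
{
    // filter_var rejects arrays, non-numeric strings and negatives outright, so
    // "[]", "-1" and "1<marquee>..." all collapse to page 0.
    $n = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $n === false ? 0 : $n;
}

function hardenedPage(array $get, ?PDO $pdo = null): array
{
    $pageNum   = pageNumber($get['pageNum_newdeals']   ?? 0);
    $totalRows = pageNumber($get['totalRows_newdeals'] ?? 0);
    $startRow  = $pageNum * MAX_ROWS;

    // Placeholders bound with an explicit integer type: the values never become
    // part of the SQL text, so there is nothing for "-1" or a quote to break.
    $sql  = 'SELECT * FROM newdeals LIMIT :start, :count';
    $rows = [];
    if ($pdo !== null) {
        $stmt = $pdo->prepare($sql);
        $stmt->bindValue(':start', $startRow, PDO::PARAM_INT);
        $stmt->bindValue(':count', MAX_ROWS, PDO::PARAM_INT);
        $stmt->execute();
        $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    }

    // Everything that goes back into HTML is escaped, including the quote that the
    // ?"><marquee> payload relies on to break out of the href attribute.
    $href = 'save.php?' . http_build_query([
        'pageNum_newdeals'   => $pageNum + 1,
        'totalRows_newdeals' => $totalRows,
    ]);
    $html = '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">next</a>';

    return ['sql' => $sql, 'html' => $html, 'rows' => $rows];
}

// Keep error detail out of responses: this is what stops /home/awemptyn/... paths
// from reaching the browser. Better set in php.ini than per script.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Constructed inputs mirroring the probes in the thread (run from the CLI).
if (PHP_SAPI === 'cli') {
    $probes = [
        ['pageNum_newdeals'   => '-1'],
        ['pageNum_newdeals'   => ['']],
        ['totalRows_newdeals' => '1<marquee><h1>vulnerable</marquee>'],
        ['totalRows_newdeals' => '"><marquee><h1>vulnerable</marquee>'],
    ];
    foreach ($probes as $probe) {
        $out = hardenedPage($probe);
        echo $out['sql'], "\n", $out['html'], "\n";
    }
}
```

Two of the findings are not PHP at all. The /~awemptyn and /~root URLs are Apache's mod_userdir mapping a `~username` path to that account's home directory, which is why the response differs for real and non-existent accounts (the user enumeration) and why the require() failure under that path printed the absolute filesystem location. If the site is not meant to serve per-user directories, `UserDir disabled` in the Apache configuration closes both; turning display_errors off, as in the block above, closes the path disclosure even where the mapping stays.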
blackcell, posted February 22, 2008

Quoting chrischen: "Hey, great, thanks, but how do I fix this one: http://www.shopwisely.org/save.php?pageNum_newdeals[] and this one http://www.shopwisely.org/~awemptyn These two don't seem to be a problem, or are they? http://www.shopwisely.org/save.php?"><marquee><h1>vulnerable</marquee> http://www.shopwisely.org/~root"

The one mentioned above that returns an error because require(blah blah) failed seems to be that you are requiring a file and the file path is bad. But what is the /~awemptyn/?
redarrow, posted February 24, 2008

chrischen, the idea of the web site is great, but just a quick question.......... How the hell did you get all those companies to give commission......... Well done, I say, nice looking web site........ Or is it that you charge for links being added to the web site, and all current users of your web site get a coupon....... The coupon will match the referral link code......... Am I nearly there lol.....

PS.. There's commission for $20 from your links, but I only spent $1 from your link; that means that company lost $19, so in essence that company soon goes bankrupt.....