drisate Posted February 19, 2008

What do you think :-) http://versatilebb.com/demo User: admin Password: demo
Coreye Posted February 20, 2008

Full Path Disclosure: http://versatilebb.com/demo/forum.php?target=/
Fatal error: Call to undefined function: htmlspecialchars_decode() in /home/versatil/public_html/demo/forum.php on line 252

Cross Site Scripting: http://versatilebb.com/demo/index.php?target=profile&select=%22%3E%3Cmarquee%3E%3Ch1%3ECorey
Cross Site Scripting: There's Cross Site Scripting if your post contains ">code.
Cross Site Scripting: There's Cross Site Scripting when editing your profile if field 'Email:' contains ">code.
Cross Site Scripting: There's Cross Site Scripting when editing your profile if field 'Email repeat' contains ">code.
Cross Site Scripting: There's Cross Site Scripting when editing your profile if field 'Homepage' contains ">code.
Cross Site Scripting: There's Cross Site Scripting when editing your profile if field 'ICQ:' contains ">code.
Cross Site Scripting: There's Cross Site Scripting when editing your profile if field 'AIM:' contains ">code.
Cross Site Scripting: There's Cross Site Scripting when editing your profile if field 'Yahoo:' contains ">code.
Cross Site Scripting: There's Cross Site Scripting when editing your profile if field 'MSN:' contains ">code.
Cross Site Scripting: There's Cross Site Scripting when adding a forum board if the name or description contains ">code.
drisate Posted February 20, 2008 (Author)

Wow, thanks, that's gonna help :-) You found 2 new places. If you have a sec, take a look at http://www.phpfreaks.com/forums/index.php/topic,183166.0.html That could solve every problem in one shot. I got the PHP error solved: Fatal error: Call to undefined function: htmlspecialchars_decode() in /home/versatil/public_html/demo/forum.php on line 252. But to get the target=/ stopped I am gonna have to restructure the page >.< I really appreciate this. Thanks corvex :-) I hope my board can one day be as good as all the others out there.
skiingguru1611 Posted February 22, 2008

I don't really know how to test for security flaws, but for what it's worth I like the site. Keep up the good work!!!
TheFilmGod Posted February 22, 2008

This isn't really security, but when you try to recover your password by writing in an email address, I can write anything in there. You shouldn't waste time searching MySQL if the inputted email address doesn't validate. I tried "hello123.com", which isn't a valid email address. Hope that helps? - Oh, and I have a question: did you make that earth logo yourself? Looks pretty good.
drisate Posted February 22, 2008 (Author)

I am currently testing a new script I made:

    function safeEscapeString($string){
        if (get_magic_quotes_gpc()) {
            return $string;
        } else {
            return mysql_real_escape_string($string);
        }
    }

    function cleanVar($string){
        $string = trim($string);
        $string = safeEscapeString($string);
        $string = htmlentities($string);
        return $string;
    }

    if (isset($_POST)){
        $empty = $POST_ = array();
        foreach ($_POST as $varname => $varvalue) {
            if (empty($varvalue)) {
                $empty[$varname] = cleanVar($varvalue);
            } else {
                $POST_[$varname] = cleanVar($varvalue);
                //$POST_[$varname] = $varvalue;
                //echo "POST var $varname = $POST_[$varname]<br>"; // DEBUG
            }
        }
    }

    if (isset($GET_)){
        $empty = $GET_ = array();
        foreach ($GET_ as $varname => $varvalue) {
            if (empty($varvalue)) {
                $empty[$varname] = cleanVar($varvalue);
            } else {
                $GET_[$varname] = cleanVar($varvalue);
                //$GET_[$varname] = $varvalue;
                //echo "GET var $varname = $GET_[$varname]<br>"; // DEBUG
            }
        }
    }

    if (isset($COOKIE_)){
        $empty = $COOKIE_ = array();
        foreach ($COOKIE_ as $varname => $varvalue) {
            if (empty($varvalue)) {
                $empty[$varname] = cleanVar($varvalue);
            } else {
                $COOKIE_[$varname] = cleanVar($varvalue);
                //$COOKIE_[$varname] = $varvalue;
                //echo "COOKIE var $varname = $COOKIE_[$varname]<br>"; // DEBUG
            }
        }
    }

    if (isset($REQUEST_)){
        $empty = $REQUEST_ = array();
        foreach ($REQUEST_ as $varname => $varvalue) {
            if (empty($varvalue)) {
                $empty[$varname] = cleanVar($varvalue);
            } else {
                $REQUEST_[$varname] = cleanVar($varvalue);
                //$REQUEST_[$varname] = $varvalue;
                //echo "REQUEST var $varname = $REQUEST_[$varname]<br>"; // DEBUG
            }
        }
    }

I found a software called "InfoRapid Search and Replace" that replaced all $_POST, $_GET, $_COOKIE and $_REQUEST with the cleaned versions $POST_, $GET_, $COOKIE_ and $REQUEST_ automatically, all in one shot hehe. Saved me hours and didn't miss one! Anyway, I hope this is gonna solve every security issue.

About the email bug, I am gonna make it return an error message if not valid. Thanks.
drisate Posted February 22, 2008 (Author)

Would be more like:

    if (isset($_POST)){
        $empty = $POST_ = array();
        foreach ($_POST as $varname => $varvalue) {
            if (empty($varvalue)) {
                $empty[$varname] = $varvalue;
            } else {
                $POST_[$varname] = cleanVar($varvalue);
                //$POST_[$varname] = $varvalue;
                //echo "POST var $varname = $POST_[$varname]<br>"; // DEBUG
            }
        }
    }

    if (isset($_GET)){
        $empty = $GET_ = array();
        foreach ($_GET as $varname => $varvalue) {
            if (empty($varvalue)) {
                $empty[$varname] = $varvalue;
            } else {
                $GET_[$varname] = cleanVar($varvalue);
                //$GET_[$varname] = $varvalue;
                //echo "GET var $varname = $GET_[$varname]<br>"; // DEBUG
            }
        }
    }

    if (isset($_COOKIE)){
        $empty = $COOKIE_ = array();
        foreach ($_COOKIE as $varname => $varvalue) {
            if (empty($varvalue)) {
                $empty[$varname] = $varvalue;
            } else {
                $COOKIE_[$varname] = cleanVar($varvalue);
                //$COOKIE_[$varname] = $varvalue;
                //echo "COOKIE var $varname = $COOKIE_[$varname]<br>"; // DEBUG
            }
        }
    }

    if (isset($_REQUEST)){
        $empty = $REQUEST_ = array();
        foreach ($_REQUEST as $varname => $varvalue) {
            if (empty($varvalue)) {
                $empty[$varname] = $varvalue;
            } else {
                $REQUEST_[$varname] = cleanVar($varvalue);
                //$REQUEST_[$varname] = $varvalue;
                //echo "REQUEST var $varname = $REQUEST_[$varname]<br>"; // DEBUG
            }
        }
    }

lol, I call those beer typos hehe
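The script above applies one global pass (mysql_real_escape_string plus htmlentities) to every incoming value, which mixes two output contexts at the input layer: data reaches the database already HTML-encoded (a homepage URL with & is stored as &amp;), and any value that is not a string, such as ?select[], reaches trim() as an array. It also relies on empty(), which treats the string "0" as empty. The following is an added example, not VersatileBB's code, showing the layering a practitioner would use instead: reject non-string input, validate shape on input (the email check TheFilmGod asked for, a numeric select id), escape for HTML only at output, and bind SQL parameters instead of escaping. It assumes PHP 7.1+ and the pdo_sqlite extension for a throwaway in-memory database; the table, rows and requests are constructed for the demo.

```php
<?php
// Added example, not VersatileBB's code. Assumes PHP 7.1+ and pdo_sqlite.

// 1. Non-string input: ?select[] makes $_GET['select'] an array, and the
//    posted cleanVar() would hand that to trim(). Refuse it up front.
function requireString(array $src, string $key, string $default = ''): string
{
    if (!isset($src[$key]) || !is_string($src[$key])) {
        return $default;
    }
    return trim($src[$key]);
}

// 2. Validate shape on input; no escaping here.
function isValidEmail(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

function isValidSelectId(string $id): bool
{
    return $id !== '' && ctype_digit($id) && strlen($id) <= 10;
}

// 3. Escape at output, for the HTML context. ENT_QUOTES matters: every XSS
//    payload reported in this thread starts with a double quote to break
//    out of an attribute value.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// 4. SQL: bound parameters. The value is never spliced into the query, so
//    there is nothing for magic_quotes_gpc to double-escape or for a missed
//    mysql_real_escape_string() to leave open.
function findUserByEmail(PDO $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$db->exec("INSERT INTO users (username, email) VALUES ('admin', 'admin@example.com')");

// Constructed requests mirroring the findings in the thread.
$requests = [
    ['GET'  => ['target' => 'viewforum', 'select' => ['']]],          // ?select[]
    ['GET'  => ['target' => 'profile',   'select' => '"><marquee><h1>x']],
    ['GET'  => ['target' => 'profile',   'select' => '42']],
    ['POST' => ['email' => 'hello123.com']],                          // no query
    ['POST' => ['email' => "o'reilly@example.com"]],                  // quote, bound safely
    ['POST' => ['email' => 'admin@example.com']],
];

foreach ($requests as $r) {
    if (isset($r['GET'])) {
        $select = requireString($r['GET'], 'select');
        if (!isValidSelectId($select)) {
            // A bad id is an error to report, not data to "clean" and use.
            echo "bad select parameter, shown safely as '" . h($select) . "'\n";
            continue;
        }
        echo "select=" . $select . "\n";
    } else {
        $email = requireString($r['POST'], 'email');
        if (!isValidEmail($email)) {
            echo "invalid email, no database query made: '" . h($email) . "'\n";
            continue;
        }
        $user = findUserByEmail($db, $email);
        echo $user ? "found user " . h($user['username']) . "\n" : "no such user\n";
    }
}
```

Storing raw data and escaping at output also means the same stored value can be rendered correctly in HTML, in a mail header, or in JSON, each with its own escaper; the global-sanitize approach locks every value into the HTML encoding at the moment it arrives.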
agentsteal Posted February 24, 2008

Array: http://www.versatilebb.com/demo/index.php?target=viewforum&select[]
Cross Site Scripting: http://www.versatilebb.com/demo/index.php/"><marquee><h1>vulnerable</marquee>
Cross Site Scripting: There is Cross Site Scripting if a post contains ">code.
Cross Site Scripting: There is Cross Site Scripting in the profile if the fields contain ">code.
Full Path Disclosure: http://www.versatilebb.com/demo/index.php?target[]
Fatal error: Call to undefined function: htmlspecialchars_decode() in /home/versatil/public_html/demo/forum.php on line 252
Full Path Disclosure: http://www.versatilebb.com/demo/dereferrer.php?url[]
Warning: urldecode() expects parameter 1 to be string, array given in /home/versatil/public_html/demo/dereferrer.php on line 19
URL Inclusion: http://www.versatilebb.com/demo/dereferrer.php?url=google.com
User Enumeration: http://www.versatilebb.com/~root
User Enumeration: http://www.versatilebb.com/~versatil
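Three of the findings above are fixed by a few lines of server-side hygiene rather than by input cleaning. The following is an added example, not VersatileBB's code: dereferrer.php is not shown in the thread, so the assumption is that it reads ?url=, urldecode()s it and sends the visitor there, which makes it an open redirect to any target. The example refuses non-string input (the ?url[] warning), only forwards to absolute http/https URLs, and builds the form action from SCRIPT_NAME instead of PHP_SELF, which is the usual source of the index.php/"><marquee> reflection. It also sets display_errors off so the full-path-disclosure warnings go to the error log instead of the page. PHP 7.1+ assumed; the inputs are constructed.

```php
<?php
// Added example, not VersatileBB's code. dereferrer.php's real logic is not
// in the thread; assumed: read ?url=, urldecode(), redirect. PHP 7.1+.

// Full Path Disclosure: every warning and fatal quoted above printed a
// filesystem path because display_errors was on. Keep reporting everything,
// log it, render none of it.
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Return a URL it is safe to send the visitor to, or null to refuse.
//  - non-string (?url[]) or empty input: refuse instead of warning
//  - only absolute http/https URLs: "google.com", "//evil.example",
//    "javascript:" and "data:" are all refused
//  - optional host allow-list for boards that only link to known sites
//  - no CR/LF, which would inject extra headers via the Location: line
function dereferrerTarget($raw, array $allowedHosts = []): ?string
{
    if (!is_string($raw) || $raw === '') {
        return null;
    }
    $url = trim($raw);
    if (preg_match('/[\r\n]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if ($allowedHosts !== [] && !in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return null;
    }
    return $url;
}

// PHP_SELF includes the extra path segment after index.php, so a form whose
// action echoes it unescaped is injectable. SCRIPT_NAME carries no PATH_INFO,
// and the value is still escaped for the attribute it lands in.
function formAction(array $server): string
{
    $script = (isset($server['SCRIPT_NAME']) && is_string($server['SCRIPT_NAME']))
        ? $server['SCRIPT_NAME']
        : '/index.php';
    return htmlspecialchars($script, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs mirroring the findings.
$cases = [
    'google.com',
    ['x'],                                        // ?url[]
    'http://www.google.com/',
    'javascript:alert(1)',
    '//evil.example/',
    "http://www.google.com/\r\nSet-Cookie: a=b",
];
foreach ($cases as $c) {
    $shown  = is_array($c) ? '(array)' : addcslashes($c, "\r\n");
    $target = dereferrerTarget($c);
    printf("%-45s -> %s\n", $shown, $target ?? 'refused (answer 400, do not redirect)');
}

$server = [
    'PHP_SELF'    => '/demo/index.php/"><marquee><h1>vulnerable</marquee>',
    'SCRIPT_NAME' => '/demo/index.php',
];
echo 'form action="' . formAction($server) . "\"\n";
```

When dereferrerTarget() returns a string, the redirect is header('Location: ' . $target, true, 302); exit;, and a null result should produce a 400 rather than a fallback redirect. The ~root and ~versatil URLs are not the forum's doing: a per-user directory feature on the web server (on Apache, most likely mod_userdir) answers differently for existing and non-existing system accounts, and the fix is in the server config (UserDir disabled), not in PHP.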