
Test of my Site


rex9990


SQL Error:

http://www.rent-that-home.com/search.php?page

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-10, 10' at line 1

 

Full Path Disclosure:

http://www.rent-that-home.com/includes.php

Warning: mysql_query() [function.mysql-query]: Access denied for user 'rentwil0'@'localhost' (using password: NO) in /home/rentwil0/public_html/includes.php on line 5

 

Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/rentwil0/public_html/includes.php on line 5

Access denied for user 'rentwil0'@'localhost' (using password: NO)

 

Cross Site Scripting:

You can enter ">code when editing your profile.

 

Full Path Disclosure:

http://www.rent-that-home.com/info.php?id[]

Warning: setcookie() expects parameter 2 to be string, array given in /home/rentwil0/public_html/info.php on line 38
Link to comment
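
The `'-10, 10'` fragment in the SQL error is consistent with a `LIMIT` offset computed from an empty `page` value, and the `info.php?id[]` warning comes from an array reaching code that expects a string. An added example (not the site's code; the `re_listings` table name is taken from an error quoted later in the thread, while the `id` column, the function names and the PDO handle are assumptions) that validates both inputs, binds them as integers and keeps warnings out of the response:

```php
<?php
// Added example, not the site's code. The table name comes from the error
// text quoted in the thread; the id column and function names are assumptions.

// Log warnings instead of printing them, so filesystem paths and database
// account names stay out of the HTTP response.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

const PER_PAGE = 10;

/** Page number >= 1 for any input: missing, empty, array or negative. */
function page_number($raw): int
{
    $opts = ['options' => ['min_range' => 1, 'max_range' => 100000]];
    $page = filter_var($raw, FILTER_VALIDATE_INT, $opts);
    return $page === false ? 1 : $page;
}

/** Positive integer id, or null when the value is not one (e.g. id[]). */
function listing_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function fetch_page(PDO $db, $rawPage): array
{
    $offset = (page_number($rawPage) - 1) * PER_PAGE;   // never negative
    $stmt = $db->prepare('SELECT * FROM re_listings ORDER BY id LIMIT :lim OFFSET :off');
    $stmt->bindValue(':lim', PER_PAGE, PDO::PARAM_INT);
    $stmt->bindValue(':off', $offset, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function fetch_listing(PDO $db, $rawId): ?array
{
    $id = listing_id($rawId);
    if ($id === null) {
        return null;                                     // caller answers 404
    }
    $stmt = $db->prepare('SELECT * FROM re_listings WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs mirroring the thread's "?page" and "?id[]" requests.
var_dump(page_number(''), page_number('-3'), page_number('4'), listing_id(['']));
```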

I found a few as well

 

Cross Site Scripting in forgot.php

The POST variable u2 in forgot.php has been set to >'><ScRiPt%20%0a%0d>alert(is vulnerable)%3B</ScRiPt> and I got a positive alert box

 

Blind SQL/XPath injection

The POST variables p2 and yourcode in register.php are vulnerable

 

SQL Injection

http://www.rent-that-home.com/search.php?c='&s=1&page=1&AgentID=2&search_city=111-222-1933email@address.com&search_state=111-222-1933email@address.com&search_country=111-222-1933email@address.com&search_PropertyType=111-222-1933email@address.com&MinPrice=111-222-1933email@address.com&MaxPrice=111-222-1933email@address.com&rooms1=111-222-1933email@address.com&rooms2=111-222-1933email@address.com&bath1=111-222-1933email@address.com&bath2=111-222-1933email@address.com&before=111-222-1933email@address.com&school=111-222-1933email@address.com&transit=111-222-1933email@address.com&park=111-222-1933email@address.com&ocean_view=111-222-1933email@address.com&lake_view=111-222-1933email@address.com&mountain_view=111-222-1933email@address.com&ocean_waterfront=111-222-1933email@address.com&lake_waterfront=111-222-1933email@address.com&river_waterfront=111-222-1933email@address.com&city=111-222-1933email@address.com&p=111-222-1933email@address.com&r=111-222-1933email@address.com

 

You should also be careful about PHPSESSID session fixation attacks ... because I think you're vulnerable to it. By injecting a custom PHPSESSID it is possible to alter the PHP session cookie.

 

I am currently having about the same problems on my beta board ... >.< it's a pain ...

Link to comment

full path disclosure in http://www.rent-that-home.com/test.php

 

your "forgot password" script lets me figure out usernames. for example entering username "root" says "There is no username root in our database!", but username "rex9990" says "Your login details have been forwarded to your email account".

 

in info.php, you should check that the property exists before you display its info:

http://www.rent-that-home.com/info.php?id=1203948520948523413

 

 

Link to comment
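
The username enumeration described in the post above goes away when the forgot-password page answers identically whether or not the account exists. An added example, not the site's code; the lookup and mail-queue callbacks and the wording of the notice are assumptions:

```php
<?php
// Added example, not the site's code. The lookup and mail callbacks are
// hypothetical stand-ins for the database query and the mailer.

const RESET_NOTICE =
    'If that username is registered, login details have been sent to its email address.';

/**
 * Handle a forgot-password request and return the text to display.
 * The return value never depends on whether the username exists.
 */
function handle_forgot($rawUser, callable $lookupUser, callable $queueMail): string
{
    $user = is_string($rawUser) ? trim($rawUser) : '';
    if ($user !== '' && strlen($user) <= 64) {
        $account = $lookupUser($user);
        if ($account !== null) {
            // Queue rather than send inline, so response time is not a
            // second signal that the account exists.
            $queueMail($account);
        }
    }
    return RESET_NOTICE;
}

// Constructed data: one known account, as in the thread's two probes.
$accounts = ['rex9990' => ['email' => 'owner@example.test']];
$lookup = fn(string $u): ?array => $accounts[$u] ?? null;
$queued = [];
$queue = function (array $account) use (&$queued): void {
    $queued[] = $account['email'];
};

$unknown = handle_forgot('root', $lookup, $queue);
$known   = handle_forgot('rex9990', $lookup, $queue);
var_dump($unknown === $known, count($queued));
```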

Cross Site Scripting:

http://www.rent-that-home.com/basicsearch.php/"><marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

http://www.rent-that-home.com/search.php/"><marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

There is Cross Site Scripting on http://www.rent-that-home.com/forgot.php if the username contains code.

 

Drop Down Menu:

If you edit the drop down menus on http://www.rent-that-home.com/ you can submit arbitrary values.

 

Drop Down Menu:

If you edit the drop down menus on http://www.rent-that-home.com/advanced.php you can submit arbitrary values.

 

Drop Down Menu:

If you edit the drop down menus on http://www.rent-that-home.com/basic.php you can submit arbitrary values.

 

Full Path Disclosure:

http://www.rent-that-home.com/search.php?p='

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/rentwil0/public_html/search.php on line 272

Unknown column 're_listings.Price' in 'order clause'

 

Full Path Disclosure:

http://www.rent-that-home.com/test.php

Warning: imagecreatefrompng(lipsum.png) [function.imagecreatefrompng]: failed to open stream: No such file or directory in /home/rentwil0/public_html/test.php on line 38

 

Warning: imagecolorallocate(): supplied argument is not a valid Image resource in /home/rentwil0/public_html/test.php on line 41

 

Warning: getimagesize(lipsum.png) [function.getimagesize]: failed to open stream: No such file or directory in /home/rentwil0/public_html/test.php on line 47

 

Warning: imagestring(): supplied argument is not a valid Image resource in /home/rentwil0/public_html/test.php on line 58

 

Warning: imagepng(): supplied argument is not a valid Image resource in /home/rentwil0/public_html/test.php on line 61

 

Warning: imagedestroy(): supplied argument is not a valid Image resource in /home/rentwil0/public_html/test.php on line 64

 

Full Path Disclosure:

http://www.rent-that-home.com/includes.php

Warning: mysql_query() [function.mysql-query]: Access denied for user 'rentwil0'@'localhost' (using password: NO) in /home/rentwil0/public_html/includes.php on line 5

 

Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/rentwil0/public_html/includes.php on line 5

Access denied for user 'rentwil0'@'localhost' (using password: NO)

 

SQL Error:

http://www.rent-that-home.com/search.php?page

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-10, 10' at line 1

 

User Enumeration:

http://www.rent-that-home.com/~rentwil0

 

User Enumeration:

http://www.rent-that-home.com/~root

 

User Enumeration:

http://www.rent-that-home.com/~nobody

Link to comment
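
The drop-down and markup-reflection findings in the post above share one fix pattern: check submitted values against the options the server actually offers, and escape anything written back into the page. An added example, not the site's code; the option lists are assumptions, and it assumes the path-based reflection comes from echoing the request path into the page (for instance as a form action):

```php
<?php
// Added example, not the site's code. The option lists are assumptions; the
// field names rooms1, search_PropertyType and u2 appear in the thread.

/** Escape a value for HTML text or a quoted attribute. */
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Server-side copy of the options each <select> offers.
const SELECT_OPTIONS = [
    'rooms1'              => ['1', '2', '3', '4', '5'],
    'search_PropertyType' => ['house', 'apartment', 'condo'],
];

/** Keep only fields whose submitted value is one of the offered options. */
function select_values(array $input): array
{
    $clean = [];
    foreach (SELECT_OPTIONS as $field => $options) {
        $value = $input[$field] ?? null;
        if (is_string($value) && in_array($value, $options, true)) {
            $clean[$field] = $value;
        }
    }
    return $clean;
}

/** Form action built from SCRIPT_NAME, which carries no trailing path info. */
function form_action(array $server): string
{
    return h($server['SCRIPT_NAME'] ?? '');
}

/** Username field re-rendered with the submitted value escaped. */
function username_field($raw): string
{
    return '<input type="text" name="u2" value="' . h(is_string($raw) ? $raw : '') . '">';
}

// Constructed request using the markup string quoted in the thread.
$probe = '"><marquee><h1>vulnerable</marquee>';
var_dump(select_values(['rooms1' => '3', 'search_PropertyType' => $probe]));
var_dump(form_action(['SCRIPT_NAME' => '/search.php', 'PHP_SELF' => '/search.php/' . $probe]));
var_dump(username_field($probe));
```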