CMC Posted March 26, 2008
Hi, Well, I've been working on my site on and off for about 6-7 months now (maybe one 2-3 days of work a month) and it's been really progressing. In fact, it's almost complete. I've only got a few more scripts to write and integrate plus a couple more features. I decided it's time to have it audited. Myself, I have tried the basic stuff, some XSS, path disclosures etc. but I haven't been able to get any results. However, I'm no expert in vulnerability exploitation, so I was hoping some of you crazy folk would kindly help me out and see if any bugs can be found (and reported). I'd appreciate if the actual domain and name of the site were kept hidden (Google seems to index posts here pretty fast) and if any huge risks are exposed, they won't be taken advantage of (too badly, i.e. taking over my server). Right, so down to the nitty gritty. Here's my URL: http://tinyurl.com/yrjmvr Thanks for any help! -CMC
Also, visual bug notification would be greatly appreciated. (I'm aware of alignment issues between IE and FX.)

john010117 Posted March 27, 2008
Just found the include directory. Huge security risk.

CMC (author) Posted March 27, 2008
Thanks, I'll fix the CHMOD ASAP.

hassank1 Posted May 18, 2008
What could be the disadvantages if you found the include dir, and how to fix that? Thx

947740 Posted May 20, 2008
If you do not protect your code (give the filenames wrong extensions), people may be able to see your passwords and things like that. Is that url supposed to redirect me to: http://www.ridemtl.com/index.php ?

hassank1 Posted May 20, 2008
OK, but I am not sure I've totally got your point! What's the relation between the include dir and people knowing my passwords? And which password(s)?

nloding Posted May 20, 2008
@hassank1: If you don't protect the dir, people can then access the files. If the filename is .inc instead of .php, it may be skipped by the parser and the 'hacker' would be able to see everything contained inside. So now imagine you have a constants.inc with the password to your database ...

hassank1 Posted May 20, 2008
Aha, okay, now I understand better. Well, when I want to use .inc, I use it as follows: file.inc.php. About protecting the dir: you are talking about setting permissions like rwxr--r--, for example?

djpic Posted May 21, 2008
Yes, what is the point of using the .inc extension anyway? I have always used .php even with my included files. Does it change anything with how the page loads?

947740 Posted May 21, 2008
Servers do not know how to handle .inc files; they process them like text files, so all of the info is displayed. When you use .php, nothing is displayed, so your information is safe. .inc is the short name for "include", which was just convenient for some person sometime. Unless you configure your server correctly, it is not safe to use .inc files.

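Added example, not part of the thread or of any poster's code: a small audit that walks a document root and lists files that contain PHP code but do not end in an extension the server parses, which is the constants.inc situation described in the posts above. It generalizes beyond .inc to any such extension (backup copies included); the PHP_HANDLED list, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: only these extensions are mapped to the PHP handler on the server.
PHP_HANDLED = (".php",)
PHP_MARKERS = (b"<?php", b"<?=")

def find_exposed_includes(docroot, handled=PHP_HANDLED):
    """Return docroot-relative paths of files that contain PHP code but whose
    extension the server would not parse, so a direct request returns source."""
    exposed = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if name.lower().endswith(tuple(handled)):
                continue  # e.g. user.inc.php: parsed, source is never sent
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536)
            except OSError:
                continue  # unreadable by the auditor; skip rather than guess
            if any(marker in head for marker in PHP_MARKERS):
                rel = os.path.relpath(path, docroot)
                exposed.append(rel.replace(os.sep, "/"))
    return sorted(exposed)

def build_sample_docroot(root):
    """Constructed sample tree for the demo (not taken from the thread's site)."""
    files = {
        "index.php": b"<?php include 'include/constants.inc'; ?>",
        "include/constants.inc": b"<?php $db_pass = 'example-only'; ?>",
        "include/user.inc.php": b"<?php function get_user() {} ?>",
        "include/readme.txt": b"plain notes, no code",
        "include/db.php.bak": b"<?php $dsn = 'example'; ?>",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_docroot(root)
        return find_exposed_includes(root)

if __name__ == "__main__":
    for rel in demo():
        print("served as plain text:", rel)
```

Files it reports should be renamed to end in .php, moved outside the document root, or denied in the server configuration.
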
nloding Posted May 21, 2008
I personally use .inc.php -- I like the 'inc' keyword there to remind me what 'db' or 'user' or whatever file is. user.php could be anything -- maybe it shows online users. user.inc.php immediately tells me it's my included library of user functions/classes.

947740 Posted May 21, 2008
I just put all of those files in an includes folder. Oops! It keeps them separated, and I know which files are which.

dare87 Posted May 22, 2008
Along with the chmod I would do a .htaccess. That way it doesn't say error 403 but just redirects them to the home page...

juliston Posted June 3, 2008
> @hassank1: If you don't protect the dir, people can then access the files. If the filename is .inc instead of .php, it may be skipped by the parser and the 'hacker' would be able to see everything contained inside. So now imagine you have a constants.inc with the password to your database ...

Thanks for the information.