CMC


Hi,

 

Well, I've been working on my site on and off for about 6-7 months now (maybe 2-3 days of work a month ;D) and it's been really progressing. In fact, it's almost complete. I've only got a few more scripts to write and integrate plus a couple more features. I decided it's time to have it audited. Myself, I have tried the basic stuff, some XSS, path disclosures etc., but I haven't been able to get any results. However, I'm no expert in vulnerability exploitation, so I was hoping some of you crazy folk (:P) would kindly help me out and see if any bugs can be found (and reported).

 

I'd appreciate it if the actual domain and name of the site were kept hidden (Google seems to index posts here pretty fast) and if any huge risks are exposed, they won't be taken advantage of (too badly, i.e. taking over my server :P).

 

Right, so down to the nitty gritty. Here's my URL: http://tinyurl.com/yrjmvr

Thanks for any help!

-CMC

 

Also, visual bug notification would be greatly appreciated. (I'm aware of alignment issues between IE and FX.)


  • 1 month later...

@hassank1: If you don't protect the dir, people can then access the files. If the filename is .inc instead of .php, it may be skipped by the parser and the 'hacker' would be able to see everything contained inside. So now imagine you have a constants.inc with the password to your database ...


Servers do not know how to handle .inc files; they process them like text files, so all of the info is displayed.  When you use .php, nothing is displayed, so your information is safe.

 

.inc is the short name for "include", which was just convenient for some person sometime.  Unless you configure your server correctly, it is not safe to use .inc files.

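The "configure your server correctly" point above, as an added example that is not from the thread: an Apache snippet that stops *.inc files from being served as plain text. The path /var/www/example is a placeholder for the site's document root.

```apacheconf
# Added example, not from the thread. Apache 2.4 httpd.conf / vhost snippet.
# Assumes the site lives under /var/www/example (placeholder path).

# The risk: Apache has no handler for the .inc extension, so a request such
# as /constants.inc falls through to the default file handler and the raw
# source (database password included) is sent back as text/plain.

# Fix 1 (preferred): refuse direct HTTP requests for any *.inc file.
# PHP's include/require read from the filesystem, not over HTTP, so the
# application keeps working while the URL stops returning anything.
<Directory "/var/www/example">
    <FilesMatch "\.inc$">
        Require all denied
    </FilesMatch>
</Directory>

# Fix 2: keep include files outside the document root altogether, so no
# URL maps to them, and tell PHP (mod_php) where to find them.
#   php_value include_path ".:/var/www/example-private/includes"

# Apache 2.2 equivalent of Fix 1 (pre-"Require" access control syntax):
# <FilesMatch "\.inc$">
#     Order allow,deny
#     Deny from all
# </FilesMatch>
```

After a config reload, a request for any .inc path should return 403 instead of the file contents; renaming includes to .inc.php, as suggested elsewhere in the thread, also prevents the disclosure because PHP parses the file, but the deny rule closes the hole without renaming anything.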

I personally use .inc.php -- I like the 'inc' keyword there to remind me what 'db' or 'user' or whatever file is. user.php could be anything -- maybe it shows online users. user.inc.php immediately tells me it's my included library of user functions/classes.


  • 2 weeks later...

@hassank1: If you don't protect the dir, people can then access the files. If the filename is .inc instead of .php, it may be skipped by the parser and the 'hacker' would be able to see everything contained inside. So now imagine you have a constants.inc with the password to your database ...


thanks for the information.

