Hinty

Members
  • Posts: 43
  • Joined
  • Last visited: Never

Profile Information
  • Gender: Not Telling

Hinty's Achievements
  • Newbie (1/5)
  • Reputation: 0

Posts
  1. I can't get your password but can log in as betty. MD5 hash your cookie variables.
  2. XSS: http://happyhoursports.com/members.php?psearch=%22%3E%3Cscript%3Ealert(%22XSS%22)%3B%3C%2Fscript%3E SQL injection: poll system, validate poll_id and option_id. User Voting Error! You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' unio' at line 1
  3. I could put anything I wanted, including PHP and JavaScript.
  4. XSS: http://www.burnside.net46.net/msg.php?mod=send&random=GreenCheeeeeeese"><script>alert(document.cookie);</script>
  5. Directory traversal on your CSS style editor, found at: http://webid.freehostia.com/csseditor_.php?thestyle=themes/default/style.css&sel=.container&from=colors.php&color=border On changing 'thestyle' to 'index.php' it edits the homepage. This could have been how your site was hacked.
  6. Check your database for any JavaScript redirection.
  7. Yup, all good, can't find any others at the moment.
  8. There's also another XSS vulnerability present in the same deals section. You can use it by entering javascript:alert(document.cookie); into the '** I JOIN' field. This requires the user to click the link for the attack to happen. It's also displaying the values twice; is that supposed to happen?
  9. XSS is present on the deals section. When inserting a deal, enter <script>alert(document.cookie);</script> and a popup will appear when viewing the list of deals.
  10. People are not here to perform penetration tests on your behalf. The aim is solely to test errors present in the website application and receive guidance from experienced coders to rectify those errors. Regarding the front page, it is extremely insecure, including the OpenSSL. As far as security went on that server, I don't think it's even been thought of.
  11. Well, if a number of people are using automated scans, that's thousands of requests. Hosting accounts give limited bandwidth to users, and each request uses a very minor amount of bandwidth. A few scans shouldn't damage your bandwidth usage, but try and resort to manual testing.
  12. Yeah, sorry, my mistake: addeals page, not registration.
  13. That would be the use of automated scans that send thousands of requests, and guessing they bombarded your registration form.
  14. Then it's not the application that has the errors; it's the redirection, either by server or application. SQL Inject Me is flagging that up as just an unexpected response, not a SQL injection vulnerability. P.S. Don't use SQL Inject Me.