|
 |
|
|
|
| Thread title: Bug Finding ££$$££$$ |
 |
|
|
| |
|
Thread tools
Search this thread
Display Modes
|
|
|
03-10-2007, 12:25 PM
|
#1
|
Status: Sin Binner
Join date: Dec 2006
Location: Huddersfield, UK
Expertise:
Software:
Posts: 384
|
 Bug Finding ££$$££$$
Hey,
My CMS needs to be tested, there are a few pages missing i know however, www.xi0s.net/demooop.
I will give $5 to anyone who finds a security flaw in this system, Im also looking for people to find bugs also.
Thanks people  .
|
|
|
|
03-10-2007, 12:43 PM
|
#2
|
Status: We're all mad here
Join date: Aug 2005
Location: Missouri
Expertise: programming
Software: Notepad
Posts: 1,606
|
I don't have any bugs to report to you but there is a small typo on the forgotten password page that you should fix.
If you have forgotten your password then enter the email address you used to sign up with here. A new password will be emailed to you which you can should once logged in.
|
edit: another typo, this time it is on the 404 error page.
404 Error
The page you were looking for was not found, please check you entered the address correctly.
|
Another one: On the left side bar you have the word Affilates, it should be Affil iates
|
|
|
|
03-10-2007, 12:47 PM
|
#3
|
Status: I love this place
Join date: Jun 2005
Location: UK
Expertise:
Software:
Posts: 562
|
Bugs in general or security related?
|
|
|
|
03-10-2007, 01:57 PM
|
#4
|
Status: Sin Binner
Join date: Dec 2006
Location: Huddersfield, UK
Expertise:
Software:
Posts: 384
|
Well i will give $5 for security related, but if i feel the bug was major enough ill give some cash for that also. This doesnt include xhtml css bugs, the template is poor i know, but it was given by someone, im just coding the new demo template now.
|
|
|
|
03-10-2007, 02:24 PM
|
#5
|
Status: Senior Member
Join date: Jul 2005
Location:
Expertise:
Software:
Posts: 835
|
I'll take a look for bugs now .
Edit:
I couldn't really test much of the security as registration is closed, but when I try to register (In both IE7 and Opera) it comes up with the "registration is closed" error randomly between "password:" and the input box...
Looks really messed up in IE7, but just out of place in Opera.
|
|
|
|
03-10-2007, 02:39 PM
|
#6
|
Status: Sin Binner
Join date: Dec 2006
Location: Huddersfield, UK
Expertise:
Software:
Posts: 384
|
Yep new template is now functioning, so should look better .
Edit: Registration is now open for full testing .
|
|
|
|
03-10-2007, 04:38 PM
|
#7
|
Status: Request a custom title
Join date: Feb 2006
Location: Nottingham
Expertise:
Software:
Posts: 1,648
|
Several issues. I managed to set-up an XSS attack on the site. Namely here: http://www.xi0s.com/demooop/index.php?p=comments&id=4 -- All it needs is an administrator to click that link and I'll have your PHP session ID, as this is a test, I will tell you. I coded it to phone home. Sample from my log:
Cookie String: timezone=GMT; PHPSESSID=552dc330a9ec31c12757afa917c891b8
IP Address: 82.5.51.7
Hostname: cpc4-stap3-0-0-cust774.nott.cable.ntl.com
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2
Cookie String: PHPSESSID=95b5924288b6b035010c0bab91296ba9; timezone=GMT
IP Address: 82.5.51.7
Hostname: cpc4-stap3-0-0-cust774.nott.cable.ntl.com
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Cookie String: PHPSESSID=c29df98948d81f62c79fad28b1727ab8; timezone=GMT
IP Address: 82.71.47.239
Hostname: 82-71-47-239.dsl.in-addr.zen.co.uk
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2
|
Also errors here http://www.xi0s.com/demooop/challenge.php which gives away all the file paths. These are in many places.
That's as far as I've looked into at the moment. Obviously it'd be a lot better once that administrator link works so I can try out some CSRF, etc...
How much does that pocket me then? Obviously if I waited long enough, I'd have undiluted access to your database.
|
|
|
|
03-10-2007, 04:49 PM
|
#8
|
Status: Request a custom title
Join date: Dec 2005
Location: Arizona
Expertise:
Software:
Posts: 5,200
|
When you are logged in, you shouldn't have it display the admin or joinus links (unless joinus is just for joining the clan, not registering). The admin points to editprofile, but it's a 404 error, which should be fixed.
|
|
|
|
03-10-2007, 04:51 PM
|
#9
|
Status: Request a custom title
Join date: Feb 2006
Location: Nottingham
Expertise:
Software:
Posts: 1,648
|
More information from the log from people clicking the link directly from this thread:
Cookie String: timezone=VUT; PHPSESSID=be70e94c7cf6c2a892d67a9608bd693c
IP Address: 72.208.53.182
Hostname: ip72-208-53-182.ph.ph.cox.net
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2
Cookie String: PHPSESSID=6986f106c3f0ac416376f5e12ce14075; timezone=GMT
IP Address: 81.86.102.57
Hostname: 81-86-102-57.dsl.pipex.com
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2
Cookie String: PHPSESSID=6da8df13872c73ad921ea5e59e6ee5d1; timezone=GMT
IP Address: 212.32.79.58
Hostname: 212.32.79.58
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Cookie String: timezone=GMT; PHPSESSID=a4d0e358ca88ef4d3ca67ace9390d8e1
IP Address: 82.152.43.165
Hostname: 82.152.43.165
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.10) Gecko/20070216 Firefox/1.5.0.10
|
|
|
|
|
03-11-2007, 10:19 AM
|
#10
|
Status: Sin Binner
Join date: Dec 2006
Location: Huddersfield, UK
Expertise:
Software:
Posts: 384
|
sessid isnt my cookie variable . But anyways, thanks wildhoney $10 is on its way to you. I have fixed these bugs now  . This is still an open invitation and i will still give money out
|
|
|
|
|
|
|
|
|
|
Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
|
|
|
|
|
Linear Mode
Forum Contains New Posts 
Forum Contains No New Posts 
Forum is Closed