The results of your testing

intranet.cs.aau.dk


Timestamp: 4/13/2011 14:45:48
List of all bugs found in DUH:
- search.php - Search page susceptible to SQL injection, doesn't sanitize input in field, select query uses 8 columns
- login.php - SQL injection. Log in as anyone (' OR '1'='1 in both fields or add AND username 'admin in password field)
- member.php - Stored XSS with realname field, also shows the stored XSS immediately (doesn't sanitize input in realname field)
- faq.php - Unsanitized GET parameter can be used for SQL injection
- admin.php - checks permissions with javascript, disable to be allowed. Can promote by using &action=promote&uid=UID of user
- member.php - CV field does not validate input file, upload of php files possible for later execution (insert uploads/filename in url)
- config.inc - No password on database
- helloworld.php - Uses unsanitized Request parameter "name". Can insert script, thus XSS vulnerable
- admin.php - access check is based on cookie
- member.php - link to admin page is hidden as a HTML comment if the user is not bofh
- search.php - can be modified to show whatever information from the database is wanted by making a query with 8 columns and making the desired field have the name "name" or be column nr 4
- signup.php - susceptible to same file upload problem as member.php cv field. All files allowed but must be under 20kb
No. of bugs found in black-box test: 6
No. of bugs found in white-box test: 6
Total bugs found: 12


Timestamp: 4/13/2011 14:48:49
List of all bugs found in DUH:
SQL Injection point in:
- Admin links (promote, demote, delete)
- Signup/edit form
- Search query
- File upload names
- FAQ questions
- Login
XSS injection points:
- Search
- Edit/register form fields
Authorization bugs:
- Admin check using cookie
- Admin tasks like promote executed serverside, before cookie check (no need to tamper cookie)
- Admin link as comment in source on members page
File bugs:
- No type check on CV
- Mime check on image may be tampered with
- Page-get-variable may be used for local file inclusion (like /etc/passwd)
- Config.inc visible in browser
- Directory traversal
- search.php.save
No. of bugs found in black-box test: 14
No. of bugs found in white-box test: 3
Total bugs found: 17

Timestamp: 4/13/2011 14:52:36
List of all bugs found in DUH:
No. of bugs found in black-box test: 4
No. of bugs found in white-box test: 4
Total bugs found: 8

Timestamp: 4/13/2011 14:53:36
List of all bugs found in DUH:
- Could upload a .php file as CV under the signup window.
- SQL injection on the login page with username "admin" and password "'or '1'='1".
- config.inc is easily accessed from the browser, and one can read the username and password for the database.
No. of bugs found in black-box test: 2
No. of bugs found in white-box test: 1
Total bugs found: 3


Timestamp: 4/13/2011 14:53:45
List of all bugs found in DUH:
- SQL injection via GET in FAQ search
- SQL injection at login: ' or '1'='1 logs in as admin
- PHP file can be uploaded in the CV signup field.
- When editing personal information, one can retrieve a long query from the database.
- Config file can be fetched without problems.
No. of bugs found in black-box test: 4
No. of bugs found in white-box test: 1
Total bugs found: 5

Timestamp: 4/13/2011 14:55:37
List of all bugs found in DUH:
- no sanitizing of input in passwords for login
- create user doesn't either for username
- CV doesn't object in the least about accepting php files.
- admin.php relies on javascript to redirect people from the admin page if user != BOFH
- the switch case in admin.php just concatenates input of the GET operation to the end of the SQL statement
- FAQ.php inserts directly in premade sql statements and doesn't parameterise inputs. Returns complete SQL error message.
No. of bugs found in black-box test: 3
No. of bugs found in white-box test: 4
Total bugs found: 3


Timestamp: 4/13/2011 14:56:08
List of all bugs found in DUH:
blackbox:
- sql injection on signup
- '1'='1' in login
- javascript XSS in user name
- signup picture form. Using mimetype for validation
- sql injection in search
whitebox:
- hello world XSS
- config.inc can be read
- index.php can include txt files from the upload form which contain malicious code
- admin.php check is done client-side javascript
No. of bugs found in black-box test: 5
No. of bugs found in white-box test: 4
Total bugs found: 9

Timestamp: 4/13/2011 14:58:10
List of all bugs found in DUH:
- SQL injection on login
- XSS on search
- Upload of file is not sanitized, allowing uploads of php files
- Admin pages are not protected, so if the url is known it is possible to access them
- Name of user is not sanitized, allowing XSS on the front page
- FAQ SQL INJECTION allows listing table names: ?page=pages/faq.php&question=0 union ( select table_name,table_schema,table_name from information_schema.tables limit 1 offset 29 ) (CHANGE 29)
No. of bugs found in black-box test: 6
No. of bugs found in white-box test: 0
Total bugs found: 6


Timestamp: 4/13/2011 14:59:21
List of all bugs found in DUH:
- Sql-injection possible on the following pages: login, search, member
- Search may be a total wildcard (bug or feature?) by inputting %
- XSS possible for input on member fields (hi my name is alert("Hello") )
- Picture types checked, filenames are not
- A CV can be anything (like evil_database_delete.php)
- CSRF possible for admin page (delete, promote, demote)
- Authentication of admin page depends on redirect that doesn't need to be respected (or deactivate javascript)
- No check that the one performing delete/promote/demote is authorised.
No. of bugs found in black-box test: 3
No. of bugs found in white-box test: 7
Total bugs found: 10


Timestamp: 4/13/2011 14:59:57
List of all bugs found in DUH:
Black box:
* config.inc
* SQL injection on /signup.php and /search.php
* signup.php: cv upload allows php
* signup.php: picture field uses mimetype from browser for validation
* signin.php: ' or '1'='1 in password field lets you sign in
* signup.php: username allows XSS in 10 most recent users list
* member.php: change username in post request and you can edit other users' info
White box:
* helloworld.php: open for XSS
* index.php: include($page) allows for execution of files uploaded in uploads/, a gif can thus be executed as php.
* admin.php: Disable javascript and credentials check is not performed
* request forgery on admin.php
No. of bugs found in black-box test: 7
No. of bugs found in white-box test: 4
Total bugs found: 11


Timestamp: 4/13/2011 15:01:19
List of all bugs found in DUH:
lecture2 vulns:
#1 signup sql-injectable
#2 login sql-injectable
#3 search sql-injectable
#4 All uploaded files through signup are executable
#5 ?page= is due to file inclusion (local/remote?)
#6 XSS bug at signup realname
#7 faq sql injectable
#8 /config.inc is public
#9 hello.php XSS "name"
#10 pages/admin.php can be accessed if javascript is disabled.
#11 pages/admin.php $_GET['action'] is injectable
#12 faq $_GET['action'] is sql injectable
#13 pages/search.php is XSSable
#14 CV upload allows uploading of random files
No. of bugs found in black-box test: 5
No. of bugs found in white-box test: 9
Total bugs found: 14


Timestamp: 4/13/2011 15:21:09
List of all bugs found in DUH:
Blackbox testing:
  Frontpage:
  * Providing a list of users and admins is not recommended
  Search hackers:
  * SQL injection
  * XSS possible: http://localhost/?page=pages%2Fsearch.php&q=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&search=Search!
  Login:
  * SQL injection
  * Login not required when direct url http://localhost/?page=pages/member.php is used
  * Admin page is directly available using http://localhost/?page=pages/admin.php
  * Too informative login errors
  Edit Hacker page:
  * Stored XSS possible
  * Uploading php file possible in cv upload. Directly accessible through http://localhost/uploads/[filename]
  Admin page:
  * CSRF possible by getting an admin to visit http://localhost/?page=pages/admin.php&action=promote&uid=16 thus making a user an admin
Whitebox testing:
  * Database login information in cleartext http://localhost/config.inc
  * Unused helloworld page allows XSS
  * FAQ page allows SQL injection: http://localhost/?page=pages/faq.php&question=-1%20union%20select%20username,%20password,%20username%20from%20users%20where%20username=%22admin%22%20--
No. of bugs found in black-box test: 10
No. of bugs found in white-box test: 3
Total bugs found: 13


