PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
All times are UTC - 5 hours
PostPosted: Thu May 03, 2012 12:50 pm
Forum Newbie
Joined: Thu May 03, 2012 12:45 pm
Posts: 4
Hi all. I think I need some serious help. I went on one of those freelance sites and got someone to build a site for me. I spent hundreds of dollars for the site. After I got it, I decided to use w3af to scan my site to see if it was vulnerable to anything. Lo and behold it was vulnerable to XSS, XSRF, REDOS. I identified three (3) PHP files which had these issues. What can I do to remove these vulnerabilities? If so, can someone please show me how? I have included the code in one of these files in hopes that it can be fixed. Thanks.

<?php include "include/top_header.php"; ?>

<div class="middlePartArea">
                        <div class="middleLeftPart">
                     
                     <?php /*?> <?php include "include/banner.php"; ?><?php */?>
                        <div class="middleNavigationPart">
                        <?php
                                                if(isset($com_msg) && $com_msg == 'Thanks! for registration'){
                                                ?>
                        <div style="color:#5d9b0d; font:bold 13px/22px Arial, Helvetica, sans-serif;">
                                                        <?php echo isset($com_msg) ? $com_msg : '';?> </div>
                        <?php /*?><?php if(isset($_REQUEST['applysubmit']) && $_REQUEST['applysubmit'] == 'submit'){?> <?php */?>
                         <?php }else{?>
                                <div style="color:#FF0000; font:bold 13px/22px Arial, Helvetica, sans-serif;">
                                                        <?php echo isset($com_msg) ? $com_msg : '';?> </div>  
                            <?php }?>  
                                                        <form action="comregins.php" method="post" enctype="multipart/form-data" onSubmit="return com_valid();">
                             
                             <div class="secformArea">
                                <div class="secformAreaTxt"><span style="color:#FF0000;">*</span>Company Name:</div>
                                <div class="secformAreaFeild"><input type="text" name="com_name" id="com_name" class="secformAreaFeildtxtValue" ></div>
                             </div>
                             
                             <div class="secformArea">
                                <div class="secformAreaTxt">Image:</div>
                                <div class="secformAreaFeild"><input name="com_image" type="file" id="image" size="33">
                               </div>
                             </div>
                           
                              <div class="secformArea">
                                <div class="secformAreaTxt">Website Address:</div>
                                <div class="secformAreaFeild"><input type="text" name="com_website" id="com_website" class="secformAreaFeildtxtValue" ></div>
                             </div>
                             
                              <div class="secformArea">
                                <div class="secformAreaTxt"><span style="color:#FF0000;">*</span>Category:</div>
                               <?php
                                                            $cat_sql = 'select * from baby_categories';
                                                                $cat_query = mysql_query($cat_sql);
                                                                ?>
                                <div class="secformAreaFeild">
                                <select name="com_cat" id="com_cat" class="secformAreaTxtlistvalue">
                                <option value="">Select Caretype</option>
                                 <?php while($cat_rows = mysql_fetch_array($cat_query)){?>
                                <option value="<?php echo $cat_rows['cat_id'];?>"><?php echo $cat_rows['cat_name'];?></option>
                                <?php }?>
                                </select>
                                </div>
                             </div>
                             
                             <div class="secformArea">
                                <div class="secformAreaTxt">Sub Category:</div>
                                <div class="secformAreaFeild" id="com_subCatList">
                               
                                </div>
                             </div>
                             
                             <div class="secformArea">
                                <div class="secformAreaTxt"><span style="color:#FF0000;">*</span>Rate Type:</div>
                                <div class="secformAreaFeild">
                                                        <select name="com_ratetype" id="com_ratetype" class="secformAreaTxtlistvalue">
                                                        <option value="">Select Type</option>
                                            <option value="hours">Hours</option>
                                            <option value="daily">Daily</option>
                                            <option value="weekly">Weekly</option>
                                            <option value="monthly">Monthly</option>
                                            <option value="yearly">Yearly</option>
                                            </select>
                               </div>
                             </div>
                             
                             <div class="secformArea">
                                <div class="secformAreaTxt"><span style="color:#FF0000;">*</span>Rate Amount:</div>
                                <div class="secformAreaFeild"><input type="text" name="com_rateamount" id="com_rateamount" class="secformAreaFeildtxtValue" ></div>
                             </div>
                             
                             <div class="secformArea">
                                <div class="secformAreaTxt">Year of Experience:</div>
                                <div class="secformAreaFeild"><input type="text" name="com_exp" id="com_exp" class="secformAreaFeildtxtValue" ></div>
                             </div>
                             
                             <div class="secformArea">
                             <div class="secformAreaTxt">Establish Date:</div>
                                <div class="secformAreaFeild">
                                <select name="dob_year" id="dob_year" class="liDateValue list3" style="margin:0 13px 0 0;">
                                <option value="">Year</option>
                                <?php
                                for($i=2014;$i>=1950;$i--){
                                ?>
                                <option value="<?php echo $i;?>"><?php echo $i;?></option>
                                <?php }?>
                                </select>
                                <select name="dob_month" id="dob_month" class="liDateValue list3" style="margin:0 13px 0 0;">
                                <option value="">Month</option>
                                <?php
                                $month = array('January','February','March','April','May','June','July','August','September','October','November','December');
                                $i = 1;
                                foreach($month as $val){
                                ?>
                                <option value="<?php echo $i;?>"><?php echo $val;?></option>
                                <?php
                                $i++;
                                }?>
                                </select>
                                <select name="dob_date" id="dob_date" class="liDateValue list3">
                                <option value="">Date</option>
                                <?php
                                for($i=1;$i<=31;$i++){
                                ?>
                                <option value="<?php echo $i;?>"><?php echo $i;?></option>
                                <?php }?>
                                </select>
                                </div>
                             </div>
                             
                             <div class="secformArea">
                                <div class="secformAreaTxt"><span style="color:#FF0000;">*</span>About Company:</div>
                                <div class="secformAreaFeild"><textarea name="com_aboutyourself" id="com_aboutyourself" class="secformAreaTxtAreavalue"></textarea></div>
                             </div>
                             
                             
                             <?php /* The six hidden fields below echo $_REQUEST values straight into value="..." with no escaping; this is where the scanner's XSS finding lands. */ ?>
                             <input type="hidden" name="com_uname" value="<?php echo $_REQUEST['com_uname'];?>">
                             <input type="hidden" name="com_pwd" value="<?php echo $_REQUEST['com_pwd'];?>">
                             <input type="hidden" name="com_email" value="<?php echo $_REQUEST['com_email'];?>">
                             <input type="hidden" name="com_contact" value="<?php echo $_REQUEST['com_contact'];?>">
                             <input type="hidden" name="com_street" value="<?php echo $_REQUEST['com_street'];?>">
                             <input type="hidden" name="com_parish_name" value="<?php echo $_REQUEST['com_parish_name'];?>">
                                                                               
                             <div class="sbtninform">
                               <input type="submit" name="comregsubmit" value="Submit" class="sbtninformValue" >
                             </div>
                             </form>    
                                                        <?php /*?><?php }else{
                                                        echo 'Premilinary Registration is Required!';
                                                        }?><?php */
?>
                        </div>
                    </div>
                    <?php include "include/google_panel.php"; ?>
                </div>
            </div>
        </div>
                <div class="bottomInnerPartBg"></div>
        </div>
   
   <div id="fundotransparente3"></div>
<div id="website3" style="z-index:99; position:fixed; *position:absolute; width:370px; display:none; background:#FFCC00; border:3px solid #000;">
    <div class="login-panel2">
     <div id="message" class="inputBox1"></div>
        <form action="" method="post" class="login-form2">
            <h2>Profile Info</h2>
            <?php /* $family_row values are also written into text nodes and value="..." attributes below without escaping. */ ?>
            <div><?php echo $family_row['family_email'];?></div>
            <div><input name="fam_contact" id="fam_contact" type="text" value="<?php echo $family_row['family_contactno'];?>" class="login-input"  onblur="if(this.value=='') this.value='Contact No'" onfocus="if(this.value=='Contact No') this.value=''"/></div>
            <div><input name="fam_fname" id="fam_fname" type="text" value="<?php echo $family_row['family_fname'];?>" class="login-input"  onblur="if(this.value=='') this.value='FirstName'" onfocus="if(this.value=='FirstName') this.value=''"  /></div>
            <div><input name="fam_lname" id="fam_lname" type="text" value="<?php echo $family_row['family_lname'];?>" class="login-input"  onblur="if(this.value=='') this.value='LastName'" onfocus="if(this.value=='LastName') this.value=''"  /></div>
            <div><input name="fam_streetname" id="fam_streetname" type="text" value="<?php echo $family_row['family_streetname'];?>" class="login-input"  onblur="if(this.value=='') this.value='StreetName'" onfocus="if(this.value=='StreetName') this.value=''"  /></div>
            <div><input name="fam_parish" id="fam_parish" type="text" value="<?php echo $family_row['family_parish'];?>" class="login-input"  onblur="if(this.value=='') this.value='ParishName'" onfocus="if(this.value=='ParishName') this.value=''"  /></div>
            <div><input name="fam_number" id="fam_number" type="text" value="<?php echo $family_row['family_number'];?>" class="login-input"  onblur="if(this.value=='') this.value='Children Number'" onfocus="if(this.value=='Children Number') this.value=''"  /></div>
            <input type="hidden" name="familyid" id="familyid" value="<?php echo $family_row['family_id'];?>">
            <div><input name="editfamilysubmit" type="submit" value="Submit" class="login-button" />
            </div>
        </form>
    </div>
<img src="images/close.png" border="0" style=" display: inline; z-index: 3200; position: absolute; top:10px; left:10px; cursor: pointer;">
</div>
 
 <div id="website4" style="z-index:99; position:fixed; *position:absolute; width:370px; display:none; background:#FFCC00; border:3px solid #000;">
    <div class="login-panel2">
    <div id="message" class="inputBox1"></div>
        <form action="" method="post" class="login-form2">
            <h2>Profile Info</h2>
           
            <div><input name="Sit_fname" id="Sit_fname" type="text" value="<?php echo $sitter_row['sitter_fname'];?>" class="login-input"  onblur="if(this.value=='') this.value='FirstName'" onfocus="if(this.value=='FirstName') this.value=''"  /></div>
            <div><input name="sit_lname" id="sit_lname" type="text" value="<?php echo $sitter_row['sitter_lname'];?>" class="login-input"  onblur="if(this.value=='') this.value='LastName'" onfocus="if(this.value=='LastName') this.value=''"  /></div>
            <div><?php echo $sitter_row['sitter_email'];?></div>
            <div><input name="sit_street" id="sit_street" type="text" value="<?php echo $sitter_row['sitter_streetname'];?>" class="login-input"  onblur="if(this.value=='') this.value='StreetName'" onfocus="if(this.value=='StreetName') this.value=''"  /></div>
            <div><input name="sit_city" id="sit_city" type="text" value="<?php echo $sitter_row['sitter_city'];?>" class="login-input"  onblur="if(this.value=='') this.value='City'" onfocus="if(this.value=='City') this.value=''"/></div>
            <div><input name="sit_phno" id="sit_phno" type="text" value="<?php echo $sitter_row['sitter_contactno'];?>" class="login-input"  onblur="if(this.value=='') this.value='Phone Number'" onfocus="if(this.value=='Phone Number') this.value=''"  /></div>
            <div><input name="sit_exp" id="sit_exp" type="text" value="<?php echo $sitter_row['sitter_exp'];?>" class="login-input"  onblur="if(this.value=='') this.value='Experience'" onfocus="if(this.value=='Experience') this.value=''"  /></div>
            <div><input name="sit_certf" id="sit_certf" type="text" value="<?php echo $sitter_row['sitter_certification'];?>" class="login-input"  onblur="if(this.value=='') this.value='Certification'" onfocus="if(this.value=='Certification') this.value=''"  /></div>
            <div><input name="sit_qualf" id="sit_qualf" type="text" value="<?php echo $sitter_row['sitter_qualification'];?>" class="login-input"  onblur="if(this.value=='') this.value='Qualification'" onfocus="if(this.value=='Qualification') this.value=''"  /></div>
            <div><input name="sit_lang" id="sit_lang" type="text" value="<?php echo $sitter_row['sitter_language'];?>" class="login-input"  onblur="if(this.value=='') this.value='Language Known'" onfocus="if(this.value=='Language Known') this.value=''"  /></div>
            <div><input name="sit_rate" id="sit_rate" type="text" value="<?php echo $sitter_row['sitter_rate'];?>" class="login-input"  onblur="if(this.value=='') this.value='Rate'" onfocus="if(this.value=='Rate') this.value=''"  /></div>
            <div><select name="sit_cat" id="sit_cat">
                <option value="">select category</option>
                <?php
                // $cat_query was read to the end by the loop in the company form
                // above, so rewind it first (mysql_data_seek fails on an empty result).
                if (mysql_num_rows($cat_query) > 0) { mysql_data_seek($cat_query, 0); }
                while($cat_rows=mysql_fetch_array($cat_query)){ ?>
        <option value="<?php echo $cat_rows['cat_id']; ?>"<?php if($cat_rows['cat_id']==$sitter_row['cat_id']){ echo ' selected'; } ?>><?php echo $cat_rows['cat_name']; ?></option>
        <?php } ?>
                </select></div>
            <div><input name="sit_parish" id="sit_parish" type="text" value="<?php echo $sitter_row['sitter_parish'];?>" class="login-input"  onblur="if(this.value=='') this.value='ParishName'" onfocus="if(this.value=='ParishName') this.value=''"  /></div>
            <input type="hidden" name="sitterid" id="sitterid" value="<?php echo $sitter_row['sitter_id'];?>">
            <div><input name="editsittersubmit" type="submit" value="Submit" class="login-button" />
            </div>
        </form>
    </div>
<img src="images/close.png" border="0" style=" display: inline; z-index: 3200; position: absolute; top:10px; left:10px; cursor: pointer;">
</div>
 
 
<script type="text/javascript">
$(document).ready(function(){
        $('#com_cat').change(function(){
                var catID = $(this).val();
                var dataString = 'cate_id='+catID;
                //alert(dataString);
                $.ajax({
                        type : 'GET',
                        url  : 'comreg_ajax.php',
                        dataType : 'html',
                        data : dataString,
                        success : function(data){
                                $('#com_subCatList').html(data);
                        }
                });
        });
});
</script>  
   
<?php include "include/footer.php"; ?>
 


PostPosted: Thu May 03, 2012 1:42 pm
Site Administrator
Joined: Sun May 19, 2002 10:24 pm
Posts: 6887
Well one thing is for sure, you certainly got what you paid for.

PostPosted: Thu May 03, 2012 2:27 pm
Forum Newbie
Joined: Thu May 03, 2012 12:45 pm
Posts: 4
Trust me. I expected that with the amount of money spent it would have at least been more secure. The site looks good but it is just totally insecure.


PostPosted: Thu May 03, 2012 3:24 pm
Briney Mod
Joined: Mon Jan 19, 2004 7:11 pm
Posts: 6445
Location: 53.01N x 112.48W
That was his point. Spending only hundreds of dollars on a site doesn't get you much. It sounds (and is) like a lot of money, but for a good quality (design, functionality, and security) site you need to spend thousands.

Back to your original question - we have no idea what those vulnerabilities are, or where they're located. Doing a full security audit & repair is something you should hire a company for.

Long story short - you're probably going to need to spend more money to get a secure site.

_________________
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.


PostPosted: Thu May 03, 2012 4:06 pm
Forum Regular
Joined: Wed Jan 13, 2010 8:22 pm
Posts: 757
Well... you can contact Mordred, one of the security gurus around here, and see if you can work out something with him.

You can PM him or visit his website http://www.logris.org/security/


PostPosted: Thu May 03, 2012 4:12 pm
Forum Newbie
Joined: Thu May 03, 2012 12:45 pm
Posts: 4
Thanks Pickle and Mikosiko


PostPosted: Fri May 04, 2012 2:39 am
DevNet Resident
Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
From the snippet shown here I can only extrapolate how bad things are elsewhere (as Benjamin said, you certainly got what you paid for): The code doesn't do much, so I can't comment on the database access for example, but it has multiple XSS with zero effort to protect against it so I guess it's that bad elsewhere as well.

What you should have done is demand a "guarantee" for the code security (every freelancer will happily announce he writes fast and secure code, let them live up to it) and then hire a security consultant and delay payment until all security problems are cleared. What would you say are your minimum security goals for the site?


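As an added example (not code from the original post or from the site's developer), here is one way to close the XSS and XSRF gaps that the OP's hidden-field block and Mordred's reply point at: every value echoed into HTML goes through htmlspecialchars, the carried-over fields are read from $_POST only, and the form carries a per-session token that the handler verifies. The helper names e(), csrf_token(), csrf_check() and hidden_fields() are assumptions; the field names come from the posted form.

```php
<?php
// Added example, not code from the original post: a hardened version of the
// hidden-field block and the submit handler from the posted form. Field names
// come from the post; e(), csrf_token(), csrf_check(), hidden_fields() are
// hypothetical helper names.
declare(strict_types=1);

// Escape for an HTML attribute or text node. ENT_QUOTES also escapes the
// single quote; ENT_SUBSTITUTE keeps malformed UTF-8 from silently producing
// an empty string, which would hide a failed escape.
function e($value): string
{
    $text = is_scalar($value) ? (string) $value : '';
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// One random token per session, embedded in every state-changing form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compared in constant time on the receiving side (comregins.php in the post).
function csrf_check($submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Only these names are carried over from the first registration step; reading
// them from $_POST (not $_REQUEST) stops a crafted link from pre-filling them.
const CARRIED_FIELDS = ['com_uname', 'com_pwd', 'com_email',
                        'com_contact', 'com_street', 'com_parish_name'];

function hidden_fields(array $post): string
{
    $html = '';
    foreach (CARRIED_FIELDS as $name) {
        // The posted page writes $_REQUEST[$name] into the attribute raw, so a
        // quote in the value closes the attribute; e() neutralises that.
        $html .= sprintf('<input type="hidden" name="%s" value="%s">' . "\n",
                         $name, e($post[$name] ?? ''));
    }
    $html .= sprintf('<input type="hidden" name="csrf_token" value="%s">' . "\n",
                     e(csrf_token()));
    return $html;
}

session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['comregsubmit'])) {
    // Handler side: reject a forged or replayed submission before any DB work.
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing form token.');
    }
    // ... validate fields and insert with prepared statements (not shown) ...
}

echo hidden_fields($_POST);
```

The same e() helper belongs around every other echo in the posted file ($cat_rows, $family_row and $sitter_row values included), and the token check must run in comregins.php, not only where the form is rendered.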
PostPosted: Fri May 04, 2012 9:30 am
Forum Contributor
Joined: Tue Apr 17, 2012 12:57 pm
Posts: 160
Also, next time when you hire a freelancer make sure you interview him/her: whether he/she has used OOP methodologies/frameworks before, whether he/she is aware of form validation, SQL injection, XSS vulnerabilities, magic quotes etc., how he/she would develop/debug the code to make sure proper security measures are taken, whether they have done any unit testing, and whether they have any test cases properly documented for you to verify. And I agree with Mordred, do not pay them until their work is satisfactory to your standards (remember you are the boss here).


PostPosted: Fri May 04, 2012 4:10 pm
Forum Newbie
Joined: Thu May 03, 2012 12:45 pm
Posts: 4
Yea, I certainly learnt from this mistake. I foolishly paid the guy already :oops: and he claims he does not know how to make it any more secure and was even looking to me for advice on how to make it secure :crazy:

I certainly got what I paid for. Hopefully, I can get these issues sorted out before I take it live.

