Request … Ahhhhh Behack
-
Guys, first, I know this topic is not on topic at all… BUT… I know some people here have great knowledge about websites and website security, and I’m a total newbie in that domain.
I’m building a website. Currently I’m working on programming the PHP script for this site, and that is why my mod has been on hold for a long time…
The PHP script is a CMS system; I named it “ModdingGear”. This is a talk group, so nothing is a surprise on that. The problem is I’m a security newbie and I’m not sure I have completely solved all security bugs.
So if you guys want a chance for hack training on a website, here is the chance.
The Website you can enter HERE
And the Testing Group is HERE
You need to sign up with a real email for activation. Feel free, because I don’t like to peer into any individual’s privacy, and ALL data will be flushed when the CMS is updated or released.
PS. Don’t worry about the buggy BBCode decoding.
-
Be sure to protect your contact form against ‘header injections’ (search Google).
Also, this isn’t really a security thing I guess, but you can increase the client’s performance slightly if you use relative links instead of absolute ones.
For instance, instead of:
* ModdingGear Prototype Home (absolute link)
use:
* [ModdingGear Prototype Home](index.php)
Also, absolute links won't work anymore if you move to another web hoster or if your users decide to host the CMS. Of course I don't know about the PHP part of the code; maybe it is a variable there, I cannot say.
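As an added illustration of the header-injection point above (the editor's code, not from the thread or from the ModdingGear CMS), here is a PHP contact-form handler in its vulnerable shape beside a hardened one. The field names (`name`, `email`, `subject`, `message`), the fixed site sender address and the presence of the mbstring extension are assumptions.

```php
<?php
// Added example (editor's code, not from the ModdingGear CMS).
// Assumed form fields: name, email, subject, message.

// VULNERABLE: user input is concatenated straight into the additional
// headers of mail(). A value containing "\r\n" ends the From header and
// starts a new one, so an attacker-chosen Bcc: or Cc: header gets added.
function build_headers_vulnerable(array $post): string
{
    return "From: {$post['name']} <{$post['email']}>\r\n";
}

class HeaderInjectionException extends RuntimeException {}

// Reject any value destined for a header that carries CR, LF or NUL.
function header_safe(string $value, string $field): string
{
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new HeaderInjectionException("$field contains a line break");
    }
    return trim($value);
}

// HARDENED: every header value is checked, the address is validated, the
// display name is stripped of quoting characters, and From: is a fixed
// site address (the visitor's address only goes into Reply-To).
function build_headers_hardened(array $post, string $siteFrom): string
{
    $name  = header_safe($post['name'] ?? '', 'name');
    $email = header_safe($post['email'] ?? '', 'email');

    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid sender address');
    }
    $name = str_replace(['"', '<', '>'], '', $name);

    return "From: $siteFrom\r\n"
         . "Reply-To: \"$name\" <$email>\r\n";
}

function send_contact(array $post, string $to, string $siteFrom): bool
{
    $headers = build_headers_hardened($post, $siteFrom);
    $subject = header_safe($post['subject'] ?? '', 'subject');
    // The body may contain newlines; headers and subject may not.
    // mb_encode_mimeheader wraps non-ASCII subjects safely (needs mbstring).
    return mail($to, mb_encode_mimeheader($subject, 'UTF-8'),
                $post['message'] ?? '', $headers);
}

// Constructed sample input: an injection attempt hidden in the email field.
$sample = [
    'name'    => 'Bob',
    'email'   => "bob@example.org\r\nBcc: everyone@example.net",
    'subject' => 'Hello',
    'message' => "Hi,\n\nnice CMS.",
];

echo "vulnerable header block:\n" . build_headers_vulnerable($sample) . "\n";
try {
    build_headers_hardened($sample, 'ModdingGear contact <no-reply@example.org>');
} catch (HeaderInjectionException $e) {
    echo "hardened: rejected, " . $e->getMessage() . "\n";
}
```

The vulnerable builder emits two header lines from one form field; the hardened one throws before anything reaches `mail()`. Keeping `From:` as a fixed site address also avoids SPF/DMARC failures that occur when the visitor's domain is used as the sender.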
-
Thank you Bas. But… actually, the navigation functions and other links (except some links that point outside of the website) are generated by the program, so yes indeed, that’s a variable. If you move this website to a domain, for example the-starport.net, the address will automatically change to the-starport.net/blablabla. It works very well even in a subdir.
I assigned a variable in the initializer and the Smarty engine, named {WebRoot}, so I can still dynamically get the current root. Then I just need to call {WebRoot}/style/CSS.css.
-
Well, you still get a small performance boost if you change it to regular relative links. Not only will the server need to calculate a little less, but the client’s browser also doesn’t need to reconnect to the webserver.
For instance, instead of:
use: You can also specify folders above the current one by or of course also subfolders by Parallel folder:
-
@Bas, done! For the small performance boost, cheers!
@HeIIoween, I’m trying this, but I don’t know if it will give me an approving result, because I use an unwonted way for URL parameters.
For exp. the standard way is /blablabla.php?topic_id=3268, and I use /blablabla/reply/3268/. I don’t know if it is supported for this URL. But thanks, this may be useful for my other website.
I got the report:
```
- Server: LiteSpeed
+ robots.txt contains 1 entry which should be manually viewed.
+ Retrieved X-Powered-By header: PHP/5.2.11
+ ETag header found on server, inode: 26, size: 1279095637, mtime: 0x0
+ /webmail/: Web based mail package installed.
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings.
+ OSVDB-12184: /some.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings.
+ OSVDB-12184: /some.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings.
+ OSVDB-12184: /some.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings.
+ OSVDB-3093: /pm/lib.inc.php: This might be interesting… has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /squirrelmail/src/read_body.php: This might be interesting… has been seen in web logs from an unknown scanner.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /my/: This might be interesting… potential country code (Malaysia)
+ OSVDB-3092: /pm/: This might be interesting… potential country code (Saint Pierre And Miquelon)
+ OSVDB-: /wp-app.log: Wordpress’ wp-app.log may leak application/system details.
+ 2886 items checked: 14 item(s) reported on remote host
+ End Time: 2010-08-03 0:46:00 (443 seconds)
```
That’s interesting. Click here:
http://the-starport.net/index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
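To turn scanner output like the report above into a to-do list, here is an added triage script (the editor's code, not part of the thread, of Nikto or of the ModdingGear CMS). It parses the pasted `+` lines and attaches a defender's action to each finding; the remediation texts are the editor's reading of the findings, and they assume the host's php.ini and web-server configuration can be edited. The sample report is copied from the post, with the `Server:` line re-prefixed with `+` as Nikto prints it.

```php
<?php
// Added example (editor's code, not from the thread, Nikto or ModdingGear).
// Parses Nikto-style "+ ..." finding lines and maps each to a fix.

// Ordered rules: the first pattern that matches a finding wins.
const TRIAGE_RULES = [
    ['/X-Powered-By header|\?=PHP[0-9A-F]{8}-/i',
     'Set expose_php = Off in php.ini: removes the X-Powered-By header and disables the PHP easter-egg query strings (OSVDB-12184).'],
    ['/^ETag header found/i',
     'Stop the ETag from embedding the inode number (FileETag None or "MTime Size" on Apache-compatible servers).'],
    ['/default file found/i',
     'Delete or block vendor default files; they fingerprint the server software.'],
    ['/may leak application/i',
     'Keep log files out of the document root or deny web access to them.'],
    ['/seen in web logs from an unknown scanner|potential country code/i',
     'Confirm whether the path exists and is needed; Nikto flags it because scanners probe it, so a genuine 404 is fine.'],
    ['/Web based mail package installed/i',
     'Restrict the webmail package to the users who need it and keep it patched.'],
    ['/robots\.txt/i',
     'Review robots.txt: it must not point at admin or private paths.'],
];

// Returns a list of ['osvdb' => int|null, 'path' => string|null, 'text' => string].
function parse_findings(string $report): array
{
    $findings = [];
    foreach (preg_split('/\R/', $report) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] !== '+') {
            continue;
        }
        $line = ltrim(substr($line, 1));
        // Banner and summary lines carry no finding of their own.
        if (preg_match('/^(\d+ items checked|End Time:|Server:)/', $line)) {
            continue;
        }
        $osvdb = null;
        if (preg_match('/^OSVDB-(\d*):\s*(.*)$/', $line, $m)) {
            $osvdb = $m[1] !== '' ? (int) $m[1] : null;   // "OSVDB-:" has no id
            $line  = $m[2];
        }
        $path = null;
        if (preg_match('/^(\/\S*):\s*(.*)$/', $line, $m)) {
            $path = $m[1];
            $line = $m[2];
        }
        $findings[] = ['osvdb' => $osvdb, 'path' => $path, 'text' => $line];
    }
    return $findings;
}

function triage(array $finding): string
{
    $subject = trim(($finding['path'] ?? '') . ' ' . $finding['text']);
    foreach (TRIAGE_RULES as [$pattern, $action]) {
        if (preg_match($pattern, $subject)) {
            return $action;
        }
    }
    return 'No rule: review manually.';
}

// Sample input: the findings pasted in the thread above.
$report = <<<'NIKTO'
+ Server: LiteSpeed
+ robots.txt contains 1 entry which should be manually viewed.
+ Retrieved X-Powered-By header: PHP/5.2.11
+ ETag header found on server, inode: 26, size: 1279095637, mtime: 0x0
+ /webmail/: Web based mail package installed.
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings.
+ OSVDB-3093: /pm/lib.inc.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /my/: This might be interesting... potential country code (Malaysia)
+ OSVDB-: /wp-app.log: Wordpress' wp-app.log may leak application/system details.
+ 2886 items checked: 14 item(s) reported on remote host
NIKTO;

foreach (parse_findings($report) as $f) {
    printf("%-6s %-50s %s\n", $f['osvdb'] ?? '-', $f['path'] ?? '(no path)', triage($f));
}
```

Run it with `php triage.php` (PHP 7.1 or later for the `[$pattern, $action]` destructuring). The single most effective change for this report is `expose_php = Off`, which closes both the `X-Powered-By` disclosure and all four easter-egg query strings at once; the ETag and default-file items are web-server configuration rather than CMS code.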