Error in Code of Movie File

A comprehensive deliverables of given case study (Movie_booking)
Debugged Information of given php file and database

1.
2.
3.
4.
session_register() // function undefined in checklogin.php

myusername and mypassword // credentials does not pass through checklogin.php
mysql_fetch_object() // function not used in checklogin.php
There were no connectivity between select movie to the database in first.php i.e.
<option value="">--Select movie--</option>
<?php $tbl_name="movie"; // Table name ?>
<?php $result= mysql_query("SELECT * FROM $tbl_name"); ?>
<?php while($row= mysql_fetch_assoc($result)) { ?>
<option value="<?php echo $row['movie_id'];?>">
<?php echo $row['movie_name']; ?>
</option>
<?php } ?>
5. $username = $_SESSION['myusername'];// function Undefined in first page in first.php
6. <option value="">--Select City--</option> //there were undefined value. Value should
be;
7. <option value="">--Select City--</option> // Table name ?>
<?php $result= mysql_query("SELECT * FROM $tbl_name"); ?>
<?php while($row= mysql_fetch_assoc($result)) { ?>
<option value="<?php echo $row['city_id'];?>">
<?php echo $row['city_name']; ?>
</option>
8. $_SESSION variables, values of a variable that doesn't exist in schedule.php
<?php
session_start();
$city= $_POST['city'];
$movie= $_POST['movie'];
$date = $_POST['date'];
$city = stripslashes($city);
$movie = stripslashes($movie);
$date = stripslashes($date);
//session_register("city");
//session_register("movie");
//session_register("date");
?>
9. $username = $_SESSION['myusername']; // function undefined in schedule.php
10. $username = $_SESSION['myusername']; // function not define in book.php
Vulnerability has been identified in given application: Vega Tool used

After debugging the source code of given file and database, performed the said tool and find the
vulnerability as below;
http://localhost/Movie/main.php
Medium Risk: Two has been Identified

1.Http trace support detected
Classification
Configuration Error
Resource
Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22
Method
TRACE
Risk
Medium
REQUEST
TRACE /
RESOURCE CONTENT
TRACE / HTTP/1.1
SQUEEM1SH: OSS1FR4GE
Accept-Encoding: gzip,deflate
Host: localhost
Connection: Keep-Alive
User-Agent: UserAgent
DISCUSSION
HTTP TRACE is an HTTP method that requests that the server echo the TRACE request back to
the client. This includes headers that were sent along with the request. Support for HTTP
TRACE can be abused in scenarios where a cross-site scripting vulnerability has been found, but
cannot be exploited to retrieve cookie values because the target cookies are set with the HttpOnly
flag. The HttpOnly flag instructs browsers not to permit access to the cookie by Javascript. If a
cross-site scripting vulnerability is found, but the session cookie is set HttpOnly, support for
HTTP TRACE will open an oppportunity for cookie theft. An attacker can use the cross-site
scripting vulnerability to have the target user's browser issue a TRACE request to the server via
XMLHttpRequest (or a similar function) and then retrieve the cookie from the response, which
will contain the request that was sent by the browser, including cookies.
IMPACT
Allowing HTTP TRACE can permit cross-site tracing.
Attackers may be able to use cross-site tracing with cross-site scripting retrieve the value
of HttpOnly cookies.
REMEDIATION
For Apache based servers, the TraceEnable directive can be used to disable support for
HTTP TRACE.
For IIS based servers, the EnableTraceMethod registry setting controls support for HTTP
TRACE..
Code Disclosure
2. Possible source code disclosure
Classification
Information
Resource
/Movie/main.php
Risk
Medium
REQUEST
GET /Movie/main.php
RESOURCE CONTENT
Possible PHP code:
<?
session_start();
//session_destroy();
?>
DISCUSSION
Vega has detected fragments of text that match signatures of application source code.
Application source code unintentedly visible to remote clients can be a security vulnerability.
This can occur in applications using technologies such as PHP and JSP, which allow for code to
be mixed with static presentation content. For example, in-line code is sometimes commented
using HTML comments, resulting in it being transmitted to remote clients. For an attacker,
source code can reveal information about the nature of the application, such as its design or the
use of third-party components. Sometimes sensitive information, such as a database connection
string, can be included in source code.
IMPACT
Could result in disclosure of sensitive information to attackers.
Source code fragments can include information about the design/structure of the
application, including use of third-party components.
This information may not otherwise be easily known by an adversary.
Sometimes source code also contains highly sensitive information, such as passwords
(database connection strings).
REMEDIATION
The developer should verify that the output detected by Vega is in fact application source
code.
Low Risk: One identified
1. Directory Listing Detected
Classification
Configuration Error
Resource
/Movie/
Risk
Low
REQUEST
GET /Movie/
RESOURCE CONTENT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /Movie</title>
</head>
<body>
<h1>Index of /Movie</h1>
<table>
<tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a

href="?C=N;O=D">Name</a></th><th><a
href="?C=M;O=A">Last
modified</a></th><th><a
href="?C=S;O=A">Size</a></th><th><a
href="?C=D;O=A">Description</a></th></tr>
<tr><t...
DISCUSSION
Listing directory contents when no index file is present in a common misconfiguration. The
directory contents can provide useful information to an attacker, especially if there are files that
are not meant to be accessible, such as source code or backups. The directory listing may also
provide useful information about the habits of the server administration and/or web developers,
such as file naming convention, that could be used to increase the probable success of brute-force
or other attacks.
IMPACT
The server is outputting the contents of directories.
This could expose files not meant for user retrieval (old htaccess files, backups, source
code).
The directory listing may additionally provide useful information about the system layout
and characteristics, such as naming conventions used by the developers and
administrators.
This information can increase the probability of success for blind attacks and brute force
guessing.
REMEDIATION
For Apache, do one of the following: add "IndexIgnore *" to the directory's .htaccess file,
or alternatively remove "Indexes" from the line "Options All Indexes FollowSymLinks
MultiViews" in your Apache configuration file.
For lighttpd, change "dir-listing.activate = "enable"" to "dir-listing.activate = "disable""
in your lighttpd configuration file.
http://localhost/Movie/first.php
Medium Risk: 3 Identified

1. Http trace support detected
Classification
Configuration Error
Resource
Method
TRACE
Risk
Medium
REQUEST
TRACE /
RESOURCE CONTENT
TRACE / HTTP/1.1
Host: localhost
DISCUSSION
IMPACT
REMEDIATION
HTTP TRACE.
For IIS based servers, the EnableTraceMethod registry
2. Local Filesystem Paths Found

Classification
Information
Resource
/Movie/first.php
Risk
Medium
REQUEST
GET /Movie/first.php
RESOURCE CONTENT
C:\xampp\htdocs\Movie\first.php
DISCUSSION
Vega has detected a possible absolute filesystem path (i.e. one that is not relative to the web
root). This information is sensitive, as it may reveal things about the server environment to an
attacker. Knowing filesystem layout can increase the chances of success for blind attacks. Full
system paths are very often found in error output. This output should never be sent to clients on
production systems. It should be redirected to another output channel (such as an error log) for
analysis by developers and system administrators.
IMPACT
Vega has detected what may be absolute filesystem paths in scanned content.
Disclosure of these paths reveals information about the filesystem layout.
This information can be sensitive, its disclosure can increase the chances of success for
other attacks.
REMEDIATION
Absolute paths are often found in error output.
Both the system administrators and developers should be made aware, as the problem
may be due to an application error or server misconfiguration.
Error output containing sensitive information such as absolute system paths should not be
sent to remote clients on production servers.
This output should be sent to another output stream, such as an error log.
3. Possible Source Code DisclosureClassification
Information
Resource
/Movie/first.php
Risk
Medium
REQUEST
RESOURCE CONTENT
Possible PHP code:
<?
session_start();
if(!$_SESSION['myusername']){
header("location:main.php");
}
?>
DISCUSSION
IMPACT
REMEDIATION
code.
The cause should be determined, and the material removed or prevented from being
output.
Low Risk: 1 indentified
1. Directory Listing DetectedClassification
Configuration Error
Resource
/Movie/
Risk
Low
REQUEST
GET /Movie/
RESOURCE CONTENT
<html>
<head>
</head>
<body>
<table>
<tr><t...
DISCUSSION
or other attacks.
IMPACT
code).
administrators.
guessing.
REMEDIATION
Info: Possible AJAX code detected
Classification
Information
Resource
/Movie/first.php
Risk
Info
REQUEST
RESOURCE CONTENT
function showmovie(str)
{
if (str=="")
{
document.getElementById("movie").innerHTML="";
return;
}
if (window.XMLHttpRequest)
{// code for IE7+, Firefox, Chrome, Opera, Safari
...
DISCUSSION
AJAX (Asynchronous Javascript and XML) refers to a collection of technologies used to make
the user experience of web applications more interactive. AJAX functionality often involves the
asynchronous sending of requests and processing of their responses using Javascript, without
requiring page reloads. The endpoints on the server side often accept parameters, making them
injection points where vulnerabilities could exist.
IMPACT
Vega has detected content the use of AJAX, indicating the existence of possible injection
points where vulnerabilities may exist.
The AJAX backend API should be manually inspected for vulnerabilities.
REMEDIATION
This is not a vulnerability. This alert is only to flag that code associated with use of
AJAX has been detected in scanned content. Backend AJAX interfaces can expose
possible vulnerabilities and manual inspection should be included in any comprehensive
security assessment.
http://localhost /Movie/schedule.php
High Risk- 2 found

1. Session Cookie Without HttpOnly Flag
Classification
Information
Resource
/Movie/schedule.php
Risk
High
REQUEST
GET /Movie/schedule.php
RESOURCE CONTENT
PHPSESSID=n0uan01hclpp8r9l14fos1eg66; path=/
DISCUSSION
Vega has detected that a session cookie may have been set without the HttpOnly flag. When this
flag is not present, it is possible to access the cookie via client-side script code. The HttpOnly
flag is a security measure that can help mitigate the risk of cross-site scripting attacks that target
session cookies of the victim. If the HttpOnly flag is set and the browser supports this feature,
attacker-supplied script code will not be able to access the cookie.
REMEDIATION
When creating the cookie in the code, set the HttpOnly flag to true.
2. Session Cookie Without Secure Flag
Classification
Information
Resource
/Movie/schedule.php
Risk
High
REQUEST
RESOURCE CONTENT
PHPSESSID=n0uan01hclpp8r9l14fos1eg66; path=/
DISCUSSION
Vega has detected that a known session cookie may have been set without the secure flag.
IMPACT
Cookies can be exposed to network eavesdroppers.
Session cookies are authentication credentials; attackers who obtain them can get
unauthorized access to affected web applications.
REMEDIATION
When creating the cookie in the code, set the secure flag to true.
Medium Risk: 2 Identified
1. HTTP Trace Support Detected-
Classification
Configuration Error
Resource
Method
TRACE
Risk
Medium
REQUEST
TRACE /
RESOURCE CONTENT
TRACE / HTTP/1.1
Host: localhost
DISCUSSION
IMPACT
REMEDIATION
HTTP TRACE.
TRACE
2. Local File System Paths FoundClassification
Information
Resource
/Movie/schedule.php
Risk
Medium
REQUEST
RESOURCE CONTENT
C:\xampp\htdocs\Movie\schedule.php
DISCUSSION
IMPACT
other attacks.
REMEDIATION
Low Risk: 1 Found

Directory Listing DetectedClassification
Configuration Error
Resource
/Movie/
Risk
Low
REQUEST
GET /Movie/
RESOURCE CONTENT
<html>
<head>
</head>
<body>
<table>
<tr><t...
DISCUSSION
or other attacks.
IMPACT

code).
administrators.
guessing.
REMEDIATION
http://localhost /Movie/book.php
Medium Risk: 3 Found

1. HTTP Trace Support Detected
Classification
Configuration Error
Resource
Method
TRACE
Risk
Medium
REQUEST
TRACE /
RESOURCE CONTENT
TRACE / HTTP/1.1
Host: localhost
DISCUSSION
IMPACT
REMEDIATION
HTTP TRACE.
TRACE..
2. Local Filesystem Paths Found
Classification
Information
Resource
/Movie/book.php
Risk
Medium
REQUEST
GET /Movie/book.php
RESOURCE CONTENT
C:\xampp\htdocs\Movie\book.php
DISCUSSION
IMPACT
other attacks.
REMEDIATION
3. Possible Source Code Disclosure
Classification
Information
Resource
/Movie/book.php
Risk
Medium
REQUEST
GET /Movie/book.php
RESOURCE CONTENT
Possible PHP code:
<?
session_start();
?>
DISCUSSION
IMPACT
REMEDIATION
code.
output.
Low Risk: 1 Found
Classification
Configuration Error
Resource
/Movie/
Risk
Low
REQUEST
GET /Movie/
RESOURCE CONTENT
<html>
<head>
</head>
<body>
<table>
<tr><t...
DISCUSSION
or other attacks.
IMPACT
code).
administrators.
guessing.
REMEDIATION
http://localhost /Movie/booked.php
Medium Risk: 2 Found

1. HTTP Trace Support DetectedClassification
Configuration Error
Resource
Method
TRACE
Risk
Medium
REQUEST
TRACE /
RESOURCE CONTENT
TRACE / HTTP/1.1
Host: localhost
DISCUSSION
IMPACT

REMEDIATION
HTTP TRACE.
TRACE..
2. Possible Source Code DisclosureClassification
Information
Resource
/Movie/booked.php
Risk
Medium
REQUEST
GET /Movie/booked.php
RESOURCE CONTENT
Possible PHP code:
<?
session_start();
?>
DISCUSSION
IMPACT
REMEDIATION
code.
output.
Low Risk: 1 found
Classification
Configuration Error
Resource
/Movie/
Risk
Low
REQUEST
GET /Movie/
RESOURCE CONTENT
<html>
<head>
</head>
<body>
<table>
<tr><t...
DISCUSSION
or other attacks.
IMPACT
code).
administrators.
guessing.
REMEDIATION
Info:1 found
1. Character Set Not Specified
Classification
Information
Resource
/Movie/booked.php
Risk
Info
REQUEST
GET /Movie/booked.php
RESOURCE CONTENT
/Movie/booked.php
DISCUSSION
Vega has detected that the resource has not specified a character set in the response. If the
character set is not specified, the browser may make assumptions about the character set based
on resource content. This may present a security concern if the affected resource contains
dynamically-generated content that originates from users. In such a case, malicious users may
potentially take advantage of how specific browsers interpret characters to cause malicious
content to be rendered. For example, an attacker may be able to bypass a cross-site scripting
filter by encoding their malicious payload in an alternate character set, which may be executed
depending on how the browser interprets the encoded content.
REMEDIATION
Specify a well-defined character set (such as UTF-8) within the response header contenttype or the response body.
Log details of tool used and observation
11:32:03 PM [INFO] (scanner) Starting crawling phase

Publishing Alert: (vdirlist) [/Movie/]
Publishing Alert: (vinfo-source) [/Movie/main.php]
Publishing Alert: (vinfo-source) [/Movie/main.php]
11:32:11 PM [INFO] (scanner) Crawler finished
11:32:11 PM [INFO] (scanner) Scanner completed
11:32:11 PM [INFO] (scanner) Scanning module runtime statistics:
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 0.727 ms [worst: 1 ms @(/) ] for
Path Disclosure
HTTP Authentication Over Unencrypted HTTP
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 1.636 ms [worst: 6 ms @(/Movie/)
] for Error Page Detection
] for Insecure Cross-Domain Policy
File Upload Detection
WSDL Detector
] for RSS/Atom/OPL Feed Detector
HTTP Header Checks
11:32:11 PM [INFO] (scanner) Invocations: 11 Average:
0.818 ms [worst:
2 ms
@(/Movie/main.php) ] for Insecure Script Include
0.091 ms [worst:
1 ms
@(/Movie/main.php) ] for Internal IP Addressess

Cookie Security Module
1.545 ms [worst:
4 ms
@(/Movie/main.php) ] for Cleartext Password Over HTTP
4.182 ms [worst:
35 ms
@(/Movie/main.php) ] for Source Code Disclosure Module
Character Set Not Specified
Empty Reponse Body Module
] for Unsafe Or Unrecognized Character Set
] for Interesting Meta Tag Detection
Oracle Application Server Fingerprint Module
] for Form autocomplete
AJAX Detector
Version Control String Detection
] for Directory Listing Detection
Cookie Scope Detection
11:32:11 PM [INFO] (scanner) Invocations: 5 Average: 1.000 ms [worst: 5 ms @(STATE:
[GET /]) ] for Eval Code Injection
[GET /]) ] for XML Injection checks
[GET /]) ] for HTTP Header Injection checks
[GET /]) ] for Remote File Include Checks
[GET /Movie/main.php]) ] for Shell Injection Checks
[GET /Movie/main.php]) ] for HTTP Trace Probes
[GET /]) ] for Blind SQL Injection Arithmetic Evaluation Differential Checks
[GET /]) ] for URL Injection checks
[GET /]) ] for Cross Domain Policy Auditor
[GET /]) ] for Local File Include Checks

[GET /]) ] for Bash Environment Variable Blind OS Injection (CVE-2014-6271, CVE-20146278) Checks
[GET /]) ] for Blind SQL Text Injection Differential Checks
[GET /]) ] for XSS Injection checks
Publishing Alert: (vinfo-paths) [/Movie/first.php]
Publishing Alert: (vinfo-source) [/Movie/first.php]
Publishing Alert: (vinfo-ajax) [/Movie/first.php]
7.091 ms [worst:
53 ms
@(/Movie/first.php) ] for Path Disclosure
WSDL Detector
RSS/Atom/OPL Feed Detector
HTTP Header Checks
Insecure Script Include
0.091 ms [worst:
1 ms
@(/Movie/first.php) ] for Internal IP Addressess

0.909 ms [worst:
2 ms
@(/Movie/first.php) ] for Cleartext Password Over HTTP
1.909 ms [worst:
9 ms
@(/Movie/first.php) ] for Source Code Disclosure Module
Unsafe Or Unrecognized Character Set
5.364 ms [worst:
13 ms
@(/Movie/first.php) ] for Interesting Meta Tag Detection
Form autocomplete
1.909 ms [worst:
11 ms
@(/Movie/first.php) ] for AJAX Detector
[GET /Movie/first.php]) ] for HTTP Header Injection checks
[GET /]) ] for Shell Injection Checks
[GET /Movie/first.php]) ] for HTTP Trace Probes

Publishing Alert: (vinfo-paths) [/Movie/schedule.php]
Publishing Alert: (vinfo-sessioncookie-secure) [/Movie/schedule.php]
Publishing Alert: (vinfo-sessioncookie-httponly) [/Movie/schedule.php]
4.000 ms [worst:
24 ms
@(/Movie/schedule.php) ] for Path Disclosure
0.091 ms [worst:
1 ms
@(/Movie/schedule.php) ] for WSDL Detector
HTTP Header Checks
Internal IP Addressess

5.909 ms [worst:
41 ms
@(/Movie/schedule.php) ] for Cookie Security Module
0.909 ms [worst:
2 ms
@(/Movie/schedule.php) ] for Cleartext Password Over HTTP
Source Code Disclosure Module
] for Character Set Not Specified
4.091 ms [worst:
9 ms
@(/Movie/schedule.php) ] for Interesting Meta Tag Detection
Form autocomplete
AJAX Detector
0.091 ms [worst:
1 ms
@(/Movie/schedule.php) ] for Cookie Scope Detection
[GET /Movie/schedule.php]) ] for Eval Code Injection
[GET /Movie/]) ] for XML Injection checks
[GET /]) ] for HTTP Trace Probes

Publishing Alert: (vinfo-paths) [/Movie/book.php]
Publishing Alert: (vinfo-source) [/Movie/book.php]
4.182 ms [worst:
26 ms
@(/Movie/book.php) ] for Path Disclosure
0.091 ms [worst:
1 ms
@(/Movie/book.php) ] for HTTP Authentication Over Unencrypted HTTP
1.000 ms [worst:
3 ms
@(/Movie/book.php) ] for File Upload Detection
WSDL Detector
HTTP Header Checks
1.000 ms [worst:
2 ms
@(/Movie/book.php) ] for Cleartext Password Over HTTP

2.091 ms [worst:
10 ms
@(/Movie/book.php) ] for Source Code Disclosure Module
4.727 ms [worst:
11 ms
@(/Movie/book.php) ] for Interesting Meta Tag Detection
Form autocomplete
0.091 ms [worst:
1 ms
@(/Movie/book.php) ] for AJAX Detector
[GET /Movie/book.php]) ] for Eval Code Injection
[GET /Movie/]) ] for XML Injection checks

[GET /Movie/book.php]) ] for Blind SQL Text Injection Differential Checks
Publishing Alert: (vinfo-source) [/Movie/booked.php]
Publishing Alert: (vinfo-missing-charset) [/Movie/booked.php]
Path Disclosure
0.091 ms [worst:
1 ms
@(/Movie/booked.php) ] for WSDL Detector
HTTP Header Checks
Cleartext Password Over HTTP
3.909 ms [worst:
24 ms
@(/Movie/booked.php) ] for Source Code Disclosure Module
2.182 ms [worst:
16 ms
@(/Movie/booked.php) ] for Character Set Not Specified

] for Unsafe Or Unrecognized Character Set
4.182 ms [worst:
10 ms
@(/Movie/booked.php) ] for Interesting Meta Tag Detection
Form autocomplete
] for AJAX Detector
0.091 ms [worst:
1 ms
@(/Movie/booked.php) ] for Version Control String Detection
[GET /Movie/booked.php]) ] for HTTP Header Injection checks
[GET /Movie/]) ] for Local File Include Checks
[GET /Movie/booked.php]) ] for Blind SQL Text Injection Differential Checks

Error in Code of Movie File

Caricato da

Informazioni sul documento

Descrizione originale:

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Error in Code of Movie File

Caricato da

Copyright:

Formati disponibili

A comprehensive deliverables of given case study (Movie_booking)

Debugged Information of given php file and database

session_register() // function undefined in checklogin.php

Vulnerability has been identified in given application: Vega Tool used

Medium Risk: Two has been Identified

Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22

<tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a

Medium Risk: 3 Identified

Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22

For IIS based servers, the EnableTraceMethod registry

2. Local Filesystem Paths Found

3. Possible Source Code DisclosureClassification

High Risk- 2 found

Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22

Low Risk: 1 Found

The server is outputting the contents of directories.

Medium Risk: 3 Found

Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22

Medium Risk: 2 Found

Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22

Allowing HTTP TRACE can permit cross-site tracing.

Log details of tool used and observation

11:32:03 PM [INFO] (scanner) Starting crawling phase

11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for

11:32:11 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:

11:33:09 PM [INFO] (scanner) Invocations: 11 Average:

11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.400 ms [worst: 1 ms @(STATE:

11:36:27 PM [INFO] (scanner) Invocations: 11 Average:

11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:

11:37:16 PM [INFO] (scanner) Invocations: 11 Average:

11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE:

11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/) ] for

Potrebbero piacerti anche