Welcome to Laser Pointer Forums - discuss green laser pointers, blue laser pointers, and all types of lasers
A junkbox for DIYers

Joined: Oct 21, 2009 | Messages: 219 | Likes: 6 | Points: 0
There's some interesting stuff on there. You might cause me to spend even more money!
Joined: Aug 5, 2011 | Messages: 186 | Likes: 5 | Points: 0
Just a heads up:

Your site has a few security issues:

The photos directory is not secured; the file listing can be seen, and there I see:

adminEdit.php

which tells me:

Warning: include_once(admin/config.php)

which tells me there is an admin directory,

which brings me to:

http://www.junkbox.org/admin/categories.php

which gives me some info I should not have:

dbconnection is in /inc_dbcon.php?
include_path='.:/usr/lib/php:/usr/local/lib/php
mysql user: 'teravolt'

which brings me to:

Name Tab Order Description

Passives 10 This category is for things like wire, capacitors, resistors, transformers and inductors Edit | Delete
Silicon 20 This category is for things such as diodes, transistors, mosfets, igbts and ics Edit | Delete
Digital 30 This category is for digital electronics, including sensors, micro-controllers, robotics and other related stuff. Edit | Delete
Radio 40 Everything radio related ought to be put here, including vacuum tubes and radio-control stuff Edit | Delete
Audio 45 Amplifiers, speakers... anything audio related goes here Edit | Delete
Light 50 Led, laser, x-ray, optics and other radiation will find a nice home in this category Edit | Delete
Junk 60 Old circuit boards, computer parts, hardware and boxes of assorted junk are welcome in this category. Edit | Delete
Tools 100 Oscilloscopes, multimeters, soldering irons, dremels: anything tool related should go in this category. Edit | Delete
Misc 190 Heatsinks, bussbars, motors: whatever doesn't fit anywhere else can go here Edit | Delete
Barter / Wanted 200 Here you may trade, barter or advertise your service. Edit | Delete

I will leave it at this; I'm sure if I go poking around in there, I'll find more.

Also, VERY IMPORTANT:

$_GET['q'] is not properly sanitized!!!


Thx

Sam ;)
grenadier (New member)
Joined: Nov 22, 2010 | Messages: 238 | Likes: 28 | Points: 0
adminEdit should not have been there, and has been deleted.
categories.php has also been deleted.

Basically it's just me forgetting to delete old files. That's fixed.

All inputs are sanitized, including q. Although it looks like this MySQL query made it through, by checking the source code you'll find that special chars have been turned into their HTML-safe counterparts.

The junkbox with an SQL attack

filter_input(INPUT_GET, 'q', FILTER_SANITIZE_STRING)
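Added example, not code from junkbox.org or from anyone in this thread. The disagreement above is whether FILTER_SANITIZE_STRING protects a query: it strips tags and turns quotes into HTML entities, which is an output encoding for HTML, not a defence for SQL (and it is deprecated since PHP 8.1). The script below puts that approach next to the one that does hold, type validation plus PDO prepared statements, and also turns off display_errors so messages like the include_once warning quoted above stay in the log. It assumes PHP 7.4 or later with the pdo_sqlite extension; the `items` table, its rows and all function names are constructed for the demo.

```php
<?php
// Added example for this thread, not code from junkbox.org or its author.
// Contrasts FILTER_SANITIZE_STRING with validation plus prepared statements.
// Requires PHP >= 7.4 with pdo_sqlite; the "items" table is constructed here.
declare(strict_types=1);

// Messages such as "Warning: include_once(admin/config.php)" only reach
// visitors when display_errors is on. Log them instead of printing them.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO items (name) VALUES (?)');
    // Constructed sample rows; the apostrophe in the third one is deliberate.
    foreach (['10k resistor', 'IRF540 mosfet', "O'Reilly radio handbook", '5mW laser diode'] as $name) {
        $ins->execute([$name]);
    }
    return $db;
}

// The defence named in the thread. FILTER_SANITIZE_STRING strips tags and
// turns ' and " into &#39; and &#34;. That is HTML output encoding (deprecated
// since PHP 8.1). A numeric comparison needs no quotes at all, so the shape
// of the statement stays under the caller's control.
function lookupSanitized(PDO $db, string $q): array
{
    $clean = filter_var($q, FILTER_SANITIZE_STRING);
    $sql   = "SELECT name FROM items WHERE id = {$clean}";   // string interpolation
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened lookup: validate the type first, then bind. The value travels
// separately from the SQL text and is never parsed as SQL.
function lookupPrepared(PDO $db, string $q): array
{
    $id = filter_var($q, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [];                                  // reject, don't "clean"
    }
    $stmt = $db->prepare('SELECT name FROM items WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened free-text search: bind the pattern and escape LIKE wildcards so a
// user typing % or _ cannot widen the match. Quotes are plain data here.
function searchPrepared(PDO $db, string $q): array
{
    $pattern = '%' . addcslashes($q, '\\%_') . '%';
    $stmt = $db->prepare("SELECT name FROM items WHERE name LIKE :pat ESCAPE '\\'");
    $stmt->execute([':pat' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// HTML encoding belongs at output time, not in the SQL layer.
function render(array $names): string
{
    $items = array_map(
        fn(string $n): string => '<li>' . htmlspecialchars($n, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>',
        $names
    );
    return '<ul>' . implode('', $items) . '</ul>';
}

$db = makeDb();
// Same request, two handlers: the interpolated version lets the tautology
// widen the WHERE clause; the prepared version rejects it as a non-integer.
var_dump(count(lookupSanitized($db, '2 OR 1=1')));
var_dump(lookupPrepared($db, '2 OR 1=1'));
var_dump(lookupPrepared($db, '2'));
// Apostrophes survive as data when bound, instead of becoming &#39;.
echo render(searchPrepared($db, "O'Reilly")), PHP_EOL;
```

Run it with `php demo.php`. The directory listing and the reachable admin pages Sam describes are fixed in the web server rather than in PHP: turn off automatic indexes (`Options -Indexes` in Apache) and put the admin directory behind authentication, rather than relying on old files being forgotten but unguessed.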
