Discourse Security Problems

1. Integer Overflow
2. /c/-2147483648 GET /c/-2147483648
3. /c/-2147483649 GET /c/-2147483649
4. /c/4294967295 GET /c/4294967295
5. /login/ POST /login/ [username=Joey password=vega redirect=2147483647 ]
6. /login/ POST /login/ [username=4294967295 password=vega redirect=1 ]
7.  
8. Page Fingerprint Differential Detected - Possible Local File Include
9. /google.com/search GET /google.com/search?\"q\"=/./
10. /latest GET /latest?no_definitions=/./&page=1
11. /latest GET /latest?no_definitions=true&page=/./
12. /login/ POST /login/ [username=Joey password=vega redirect=/./ ]
13. /login/ POST /login/ [username=/./ password=vega redirect=1 ]
14. /site_customizations/ GET /site_customizations/?target=desktop&v=06d23e99cfef901308bedefb5d78d9e1&__ws=/./
15. /site_customizations GET /site_customizations/?target=/./&v=06d23e99cfef901308bedefb5d78d9e1&__ws=www.[...].pl
16. /site_customizations/ GET /site_customizations/?target=desktop&v=/./&__ws=www.[...].pl
17.  
18. Page Fingerprint Differential Detected - Possible XPath Injection
19. /latest GET /latest?no_definitions=true&page=e"%20or%201%20eq%201%20or%20"a"%20=%20"a
20. <!DOCTYPE html>
21. <html lang="pl_PL" class="desktop-view not-mobile-device anon">
22. <head>
23. <meta charset="utf-8">
24. <title>[...]</title>
25. <meta name="description" content="[...]">
26. <meta name="author" content="">
27. <meta name="generator" content="Discourse 1.7.0.beta2 - https://github.com/discourse/discourse version 04...
28.  
29. Possible Social Insurance Number Detected
30. /google.com/search GET /google.com/search?\"q\"=1"%20src=-->">'>'"
31. 107374183
32. 107374183
33. /latest GET /latest?no_definitions=true&page=1"%20onMouseOver=-->">'>'"
34. 107374183
35. 107374183
36. /login/ POST /login/ [username=Joey AND 1=2 -- password=vega redirect=1 ]
37. 107374183
38. /site_customizations/ GET /site_customizations/?target=desktop&v=06d23e99cfef901308bedefb5d78d9e1&__ws=/./
39. 107374183
40. 107374183
41. /user_avatar/ GET /user_avatar/
42. 107374183
43. 107374183
44. /users/admins/ GET /users/admins/
45. 107374183
46. 107374183
47. /users/Admins/ GET /users/Admins/
48. 107374183
49. 107374183
50. /users/system GET /users/system
51. 107374183
52.  
53. Possible Social Security Number Detected
54. GET /t/o-kategorii-bazy-danych/30/2147483648
55. 107374183
56.  
57. Session Cookie Without Secure Flag
58. /login GET /login
59. _forum_session=M2JvOXE2OUM2UnlmZjdyWUVOa044czU5V2VIV1czdjVSb0xMZG9uTDVpVXFteEk3dnR6WExDYzRYNXUzWmFvdkN1RlUyRkdYV3RnSXpuQVVPODlZMkE9PS0tMU5FbTBlOVd0OWduOFdubFlzWUhVdz09--e36a81993a9d4a21c5797e15773a61cd052d4740; path=/; HttpOnly
60.  
61.  
62. Shell Injection
63. /latest GET /latest?no_definitions=true&page=1'true'
64. /login/ POST /login/ [username=Joey password=vega"`true`" redirect=1 ]
65. /login/ POST /login/ [username=Joey"`true`" password=vega redirect=1 ]
66. /site_customizations/ GET /site_customizations/?target=desktop&v=06d23e99cfef901308bedefb5d78d9e1&__ws=www.[...].pl`true`
67. /site_customizations/ GET /site_customizations/?target=desktop&v=06d23e99cfef901308bedefb5d78d9e1&__ws=www.[...].pl'true'
68.  
69. SQL Injection
70. https://www.[...].pl/google.com/search GET /google.com/search?q=1'"
71. https://www.[...].pl/google.com/search GET /google.com/search?\"q\"='%20AND%201=2%20--%20
72. https://www.[...].pl/latest GET /latest?no_definitions=true&page=1-0
73. https://www.[...].pl/latest GET /latest?no_definitions=true'"&page=1
74. https://www.[...].pl/login POST /login/ [username=Joey password=vega' AND 1=2 -- redirect=1 ]
75. <html><body>You are being <a href="https://www.[...].pl1">redirected</a>.</body></html>
76. https://www.[...].pl/login
77. <html><body>You are being <a href="https://www.[...].pl1">redirected</a>.</body></html>
78. https://www.[...].pl/login POST /login/ [username=Joey password=vega redirect=1" AND 1=2 -- ]
79. https://www.[...].pl/site_customizations GET /site_customizations/?target=desktop&v='%20AND%201=2%20--%20&__ws=www.[...].pl
80. https://www.[...].pl/site_customizations GET /site_customizations/?target=desktop'"&v=06d23e99cfef901308bedefb5d78d9e1&__ws=www.[...].pl
81. https://www.[...].pl/site_customizations GET /site_customizations/?target=desktop&v=06d23e99cfef901308bedefb5d78d9e1&__ws=1%20AND%201=2%20--%20
82. <!DOCTYPE html>
83. <html lang="pl_PL">
84. <head>
85. <meta charset="utf-8">
86. <title>[...]</title>
87. <meta name="description" content="">
88. <meta name="author" content="">
89. <meta name="generator" content="Discourse 1.7.0.beta2 - https://github.com/discourse/discourse version 04331638661e5a67a1b431b3e74ead70a9c0db23">
90. <link rel="icon" type="image/png" href="/uploads/default/original/1X...
91.  
92. Local Filesystem Paths Found
93. /latest.rss GET /latest.rss
94.  
95. Possible XML Injection
96. /google.com/search?q=vega>'>"><vega></vega> GET /google.com/search?q=vega>'>">
97. /latest?no_definitions=true&page=vega>'>"><vega></vega> GET /latest?no_definitions=true&page=vega>'>">
98. /latest?no_definitions=vega>'>"><vega></vega>&page=1 GET /latest?no_definitions=vega>'>">&page=1
99. /login/ POST /login/ [username=Joey password=vega>'>"> redirect=1 ]
100. /login/ POST /login/ [username=vega>'>"> password=vega redirect=1 ]
101.  
102. Character Set Not Specified
103. /assets/ GET /assets/
104. /assets/
105.  
106. Possible AJAX code detected
107. /assets/ember_jquery-c9524b48466ee05bcf3f9ddaf05405387eb17017e61e90e76628f989db37eb4e.js
108. \s*$/g;oe.extend({htmlPrefilter:function(e){return e.replace(Be,"<$1></$2>")},clone:function(e,t,r){var n,i,o,a,s=e.cloneNode(!0),u=oe.contains(e.ownerDocument,e);if(!(ne.noCloneChecked||1!==e.nodeTy...
109.  
110. X-Frame-Options Header Not Set
111. /assets/ GET /assets/
112. /assets/