correct and add features to asp script - repost

Status: CLOSED
Bids: 8
Avg Bid (USD): $194
Project Budget (USD): $30 - $250

Project Description:
Make the existing ASP script compatible with Chrome and Firefox, remove some security bugs, and add some extra features.

The script is similar to this one: http://www.markvoss.net/ and can be downloaded from here:
http://www.aspindir.com/indir.asp?id=5567&sIslem=%DDndir
I want to add navigation at the end of the page,
example here: http://www.markvoss.net/scripts/article-navbar.asp
Make the script compatible with Chrome and Firefox and add some extra features,
and remove some security bugs in the search and login forms,
from these files:
http://www.markvoss.net/Search/default.asp
I have one other script to remove these security bugs from too,
here:
http://www.ultraapps.com/app_overview.php?app_id=20

Additional Project Description:
03/21/2013 at 1:43 CST
bug 1:
Vulnerability Text:
CGI Generic SQL Injection (2nd pass)

Nessus Output:
Port: 80/tcp

During testing for arbitrary command execution (time based, intrusive) vulnerabilities, SQL errors were noticed, suggesting that the scripts / parameters listed below may also be vulnerable to SQL Injection (SQLi).

-------- request --------
POST /Search/default1.asp HTTP/1.1
Host: 141.29.2.20
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
Content-Length: 185
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

search=Search&date=20130211112146&category=13&keywords=%7C%7C%20ping%20-c%203%20127.0.0.1%20;%20x%20%7C%7C%20ping%20-i%203%20127.0.0.1%20;%20x%20%7C%7C%20ping%20-n%203%20127.0.0.1%20%26
------------------------
-------- output --------
<!--begin content--> <h1>Search</h1><p>Search the blog by enteri [...]
<p>Microsoft JET Database Engine</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Syntax error (missing operator) in query [...]
------------------------

During testing for arbitrary command execution (time based) vulnerabilities, SQL errors were noticed, suggesting that the scripts / parameters listed below may also be vulnerable to SQL Injection (SQLi).

-------- request --------
POST /Search/default1.asp HTTP/1.1
Host: 141.29.2.20
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
Content-Length: 92
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

search=Search&date=20130211112146&category=13&keywords=%26%20ping%20-n%203%20127.0.0.1%20%26
------------------------
-------- output --------
<!--begin content--> <h1>Search</h1><p>Search blog by enteri [...]
<p>Microsoft JET Database Engine</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Syntax error (missing operator) in query [...]
------------------------

Suggested Resolution:
Modify the relevant CGIs so that they properly escape arguments.
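The pattern Nessus is reporting, and the fix its suggested resolution asks for, as an added classic ASP example (this is not the original Search/default1.asp from the page or from markvoss.net). The form fields search, date, category and keywords are taken from the scan request; the database path, the articles table and its columns are assumptions for illustration. The resolution says "escape arguments", but with ADO the safer fix is to stop building SQL from strings at all and bind the values as parameters:

```vbscript
<%
Option Explicit
' Added example, not the original Search/default1.asp. It shows the
' string-concatenation pattern behind the JET "Syntax error (missing
' operator)" and a parameterised replacement. The field names (search, date,
' category, keywords) are from the Nessus request; the database path and the
' "articles" table and its columns are assumptions.

' ADO constants (normally from adovbs.inc) so this file stands alone
Const adInteger = 3
Const adVarWChar = 202
Const adParamInput = 1

Dim dbPath
dbPath = Server.MapPath("/db/blog.mdb")   ' assumed location

' ---- BEFORE: untrusted fields pasted into the SQL text ----
' Any quote, ';' or '||' in keywords becomes part of the statement, which is
' what produced the JET syntax error in the scan:
'
'   sql = "SELECT id, title FROM articles WHERE category_id = " & _
'         Request.Form("category") & _
'         " AND title LIKE '%" & Request.Form("keywords") & "%'"
'   Set rs = conn.Execute(sql)

' ---- AFTER: validate the numeric field, parameterise the free text ----
Function ToIntOrZero(value)
    ' Accept up to nine digits only; anything else (e.g. "13 OR 1=1") is 0
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    If re.Test(Trim(value & "")) Then
        ToIntOrZero = CLng(Trim(value))
    Else
        ToIntOrZero = 0
    End If
End Function

Function SearchArticles(keywords, categoryId)
    Dim conn, cmd, rs, items
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & dbPath

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    ' '?' placeholders: JET receives the values out of band, so a quote or
    ' operator in keywords is matched as text, never parsed as SQL.
    cmd.CommandText = "SELECT id, title FROM articles " & _
                      "WHERE category_id = ? AND title LIKE ? ORDER BY id DESC"
    cmd.Parameters.Append cmd.CreateParameter("cat", adInteger, adParamInput, , categoryId)
    ' Through OLE DB, JET uses the ANSI '%' wildcard; a '%' or '_' typed by
    ' the user still acts as a wildcard, which is harmless but worth knowing.
    cmd.Parameters.Append cmd.CreateParameter("kw", adVarWChar, adParamInput, 255, "%" & keywords & "%")

    Set rs = cmd.Execute
    items = ""
    Do Until rs.EOF
        ' Encode on the way out so a stored title cannot inject markup
        items = items & "<li>" & Server.HTMLEncode(rs("title") & "") & "</li>"
        rs.MoveNext
    Loop
    rs.Close
    conn.Close
    SearchArticles = items
End Function

Dim keywords, categoryId
keywords = Left(Request.Form("keywords") & "", 100)   ' cap the length as well
categoryId = ToIntOrZero(Request.Form("category"))
%>
<h1>Search</h1>
<p>Results for "<%= Server.HTMLEncode(keywords) %>":</p>
<ul><%= SearchArticles(keywords, categoryId) %></ul>
```

With this in place the ping / || payloads from the scan are matched as literal text and the JET parser never sees them as operators. The detailed error page is what told the scanner the parameter was injectable, so after the change also stop IIS from sending detailed ASP error messages to remote clients, then re-run the scan.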

bug 2:
OS: MS / Windows Server 2003 R2 Service Pack 2
Vulnerability ID: 1CN55903
Vulnerability Text:
CGI Generic Cross-Site Scripting (extended patterns)

Nessus Output:
Port: 80/tcp

Using the GET HTTP method, Nessus found that :
+ The following resources may be vulnerable to cross-site scripting (extended patterns) :
+ The 'QueryString' parameter of the /hata-takip/Login.asp CGI :
/hata-takip/Login.asp?QueryString=509"%20src="http://www.example.com/exploit509.js
-------- output --------
</td> <td class="DataTD"> <input type="hidden" name="ret_page" value=""><input type="hidden" name="querystring" value="509" src="http://www.example.com/exploit509.js"> <input type="hidden" name="FormName" value="Login"> <input type="text" name="Login" value="" maxlength="50">
------------------------

Suggested Resolution:
Restrict access to the vulnerable application. Contact the vendor for a patch or upgrade.
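The Login.asp finding, as an added example that is not the page's or the vendor's code. The scan output shows the QueryString value landing in the value="..." attribute of the hidden querystring field unencoded, which is the same effect as writing <%= Request.QueryString("QueryString") %> straight into the attribute: the double quote in the parameter closes the attribute and the rest of the payload becomes new attributes on the tag. The hidden-field names below are from the scan output; the password field and the form layout are assumptions. Restricting access, as the suggested resolution says, is the workaround when the code cannot be changed; since this project is about fixing the script, the fix is to encode every dynamic value for the attribute context it is written into:

```vbscript
<%
Option Explicit
' Added example, not the original /hata-takip/Login.asp. Hidden-field names
' match the Nessus output; the password field and layout are assumed.

Function AttrEncode(value)
    ' Server.HTMLEncode encodes < > & and the double quote but leaves the
    ' apostrophe alone, so encode that too and always quote attributes with
    ' double quotes. The "& """ turns Null/Empty into a string first.
    AttrEncode = Replace(Server.HTMLEncode(value & ""), "'", "&#39;")
End Function

' Values that round-trip through the form are encoded once, at output time.
' ?QueryString=509"%20src="http://www.example.com/exploit509.js now renders as
' value="509&quot; src=&quot;http://www.example.com/exploit509.js", one string.
Dim retPage, qs
retPage = Request.QueryString("ret_page")
qs = Request.QueryString("QueryString")
%>
<form method="post" action="/hata-takip/Login.asp">
  <input type="hidden" name="ret_page" value="<%= AttrEncode(retPage) %>">
  <input type="hidden" name="querystring" value="<%= AttrEncode(qs) %>">
  <input type="hidden" name="FormName" value="Login">
  <input type="text" name="Login" value="" maxlength="50">
  <input type="password" name="Password" value="" maxlength="50">
  <input type="submit" value="Login">
</form>
```

Server.HTMLEncode is the right tool for HTML body text and double-quoted attribute values only; a value written into a script block, a URL or a style attribute needs that context's own encoding. The ret_page field was empty in the scan, but it is reflected the same way, so it gets the same treatment.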

Skills required:
ASP, HTML, Website Design
About the employer:
Verified