
SSI attack on my site?


ghost:

I posted in the shout box, but screw it, I will just make a post. I have revamped my Nu Aira Hackers website, though I am afraid it might be vulnerable to SSI. I tried a few things myself, but I was wondering if someone with more knowledge would test it out for me.

www.nuaira.isgreat.org

Site is still in beta so not all the features work.


ghost:

No I did not, my host must have. Will change ASAP.


ghost:

Btw, what exactly did you find? And how did you find it?

EDIT: Just took the forums down. I plan on using new / different software next time.


korg (Admin from hell):

upload_files.php. Not good.


ghost:

korg wrote: upload_files.php. Not good.

You're too late, I've already found that. :P But have you actually uploaded anything successfully? I get "invalid file" with .jpeg, .gif, .html and .php files; tried a PHP shell in a JPG too. He probably hasn't enabled it etc. Just be sure that when you do, you restrict its access.


ghost:

I restricted access to a few image formats already. Though after I was done testing I set the size limit to 20 (I think that's in KB), so that's why you get errors. I am going to use it once my member system is in place. That way users can upload avatars.


ghost:

Just be sure to restrict it to members only; I assume that will come with your member system.


ghost:

Yes, of course, so everyone here will have a new playground to fuck with for a while. Once I start implementing more features, you all can come around and break them lol.


ghost:

I should have known, Mosh. Lulz

EDIT: What I learned: never take anything at face value (why do I always learn the hard way?). The clever lessons that Mosh teaches; I wonder if you plan it that way or if you're just such an ass that I force myself to find a silver lining.


ghost:

I didn't say you were not smart enough, I just don't think you would put that kind of effort into me.


ghost:

I'm sure, though I no longer take what you say at face value. So I will assume it took you hours of planning and research.


ghost:

You have been planning for months, just waiting for the right moment to strike. That's why you were so quick to jump.


ghost:

I would never do such a thing. :D

Back on topic: I have implemented a unique hit counter that logs new IPs, User-Agent, Referrer, and date/time inside of a MySQL database. Feel free to attack, and let me know if you find any results. I will keep updating this thread with alerts of new features as I put them up.

Not sure what the prize will be for reporting the issue to me. Maybe a mod will award community points here on HBH. But I will give you a mention somewhere on my site for sure.


ghost:

Yes, I sure did. I know someone could try a SQL injection through the User-Agent; that's why I posted that feature up there. Just want to make sure it's implemented correctly.
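As an added example (not code from this thread or from the Nu Aira site, which is PHP/MySQL), here is the hit-counter insert described above written two ways in Python with sqlite3 so it runs offline: the version that splices request headers into the SQL text breaks as soon as a User-Agent contains a quote, while the parameterized version stores the same header unchanged and keeps the "one row per IP" behaviour. The table layout, column names and sample requests are constructed for the example.

```python
import sqlite3

# Constructed sample visits. The second User-Agent carries an apostrophe,
# which is enough to show why header values must never be spliced into SQL.
# The third visit repeats an IP, so a unique counter should not count it twice.
SAMPLE_REQUESTS = [
    {"ip": "203.0.113.5", "ua": "Mozilla/5.0 (X11; Linux x86_64)",
     "ref": "http://example.invalid/", "ts": "2009-01-01 12:00:00"},
    {"ip": "198.51.100.7", "ua": "Mozilla/5.0 (compatible; O'Reilly test)",
     "ref": "", "ts": "2009-01-01 12:00:05"},
    {"ip": "203.0.113.5", "ua": "Mozilla/5.0 (X11; Linux x86_64)",
     "ref": "", "ts": "2009-01-01 12:01:00"},
]


def open_db():
    # In-memory database; the IP is the primary key so each visitor counts once.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE hits (ip TEXT PRIMARY KEY, user_agent TEXT, "
                "referrer TEXT, seen_at TEXT)")
    return con


def log_hit_unsafe(con, ip, ua, ref, ts):
    # Vulnerable pattern: attacker-controlled headers become part of the SQL text.
    sql = "INSERT OR IGNORE INTO hits VALUES ('%s', '%s', '%s', '%s')" % (ip, ua, ref, ts)
    con.execute(sql)


def log_hit_safe(con, ip, ua, ref, ts):
    # Parameterized insert: values travel separately and are never parsed as SQL.
    # Header lengths are capped so oversized values cannot bloat the log table.
    con.execute("INSERT OR IGNORE INTO hits VALUES (?, ?, ?, ?)",
                (ip, ua[:512], ref[:2048], ts))


def unique_hits(con):
    return con.execute("SELECT COUNT(*) FROM hits").fetchone()[0]


def run_demo():
    results = {}
    unsafe_db = open_db()
    try:
        for r in SAMPLE_REQUESTS:
            log_hit_unsafe(unsafe_db, **r)
        results["unsafe"] = "ok"
    except sqlite3.OperationalError:
        results["unsafe"] = "error"      # the quoted User-Agent broke the statement
    safe_db = open_db()
    for r in SAMPLE_REQUESTS:
        log_hit_safe(safe_db, **r)
    results["safe_count"] = unique_hits(safe_db)   # 2: repeated IP is ignored
    results["safe_ua"] = safe_db.execute(
        "SELECT user_agent FROM hits WHERE ip = ?", ("198.51.100.7",)).fetchone()[0]
    return results
```

The same fix applies to the PHP side of the site: a mysqli or PDO prepared statement with bound values for the IP, User-Agent and Referrer, instead of concatenating `$_SERVER` fields into the query string.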