Hack with confidence.
Page home.php is vulnerable to at least the following:
This is the home page. Its primary purpose is to provide a starting page for the user and provide instructions. There are no known vulnerabilities on the home.php page.
The UID cookie is used in an SQL query allowing SQL injection via a cookie value.
Remote File Inclusion: This page is vulnerable to remote file inclusion if the PHP server configuration parameters "allow_url_fopen" and "allow_url_include" are set to "On" in php.ini.
Local File Inclusion: This page is vulnerable to local file inclusion if the user account under which PHP is running has access to files besides the intended web site files.
The index page has several global vulnerabilities.
Directory Browsing: The entire site is vulnerable to directory browsing. Looking at the robots.txt file can provide hints of interesting directories.
The "page" input parameter is vulnerable to insecure direct object reference. Fuzzing the parameter with administrative page names or system file paths is likely to yield results.
Check HTML comments for database credentials.
Cookies are missing the HttpOnly attribute and may be accessed via cross-site scripting.
The hints cookie and other cookies can be tampered with to log in as another user and gain admin access.
Output fields such as the logged-in username, signature, and the footer are vulnerable to cross-site scripting.
SSLStrip can be used to downgrade the connection when the Enforce SSL button is selected.
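
The file inclusion and insecure direct object reference hints above all come from letting the "page" value choose the file directly. The PHP below is an added example, not the application's own code, showing an allowlist lookup with a server-side authorization check; the page names other than home.php, the `$isAdmin` flag and the temporary directory are assumptions for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not the application's code. Page names other than
// home.php, the admin flag and the directory layout are assumptions.

// Allowlist: value accepted in "page" => [file to include, admin only?]
const PAGES = [
    'home.php'     => ['home.php', false],
    'login.php'    => ['login.php', false],
    'show-log.php' => ['show-log.php', true],   // hypothetical admin page
];

/** Map an untrusted "page" value to a file inside $baseDir, or throw. */
function resolve_page(string $baseDir, $requested, bool $isAdmin): string
{
    // Exact-match lookup: URLs, stream wrappers, "../" and absolute paths
    // are never keys, so they cannot reach include at all.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        throw new RuntimeException('unknown page');
    }
    [$file, $adminOnly] = PAGES[$requested];
    // Authorization comes from server-side session state, never a cookie.
    if ($adminOnly && !$isAdmin) {
        throw new RuntimeException('forbidden');
    }
    // Defence in depth: the resolved path must stay under $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $file);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('page file missing or outside base');
    }
    return $path;
}

// Constructed demo: temporary page directory and sample request values.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($base);
foreach (PAGES as [$file]) {
    touch($base . DIRECTORY_SEPARATOR . $file);
}
$samples = [['home.php', false], ['show-log.php', false], ['show-log.php', true],
            ['../../etc/passwd', false], ['http://example.invalid/x.txt', true],
            [['home.php'], false]];
foreach ($samples as [$page, $isAdmin]) {
    try {
        $result = 'include ' . basename(resolve_page($base, $page, $isAdmin));
    } catch (RuntimeException $e) {
        $result = 'rejected: ' . $e->getMessage();
    }
    printf("%-34s admin=%d -> %s\n", json_encode($page), (int) $isAdmin, $result);
}
```

Setting "allow_url_include" to "Off" in php.ini removes the remote inclusion path at the configuration level and complements the allowlist.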