Privacy.io - Low-cost, guaranteed anonymous VPNs
[Advertise With HackThisSite.org]

Hack This Site - Forums Index

Website Security

General technological topics without their own forum go here
Post a reply

Re: Website Security

Post by gauravweb on Sun Dec 06, 2009 3:11 pm
([msg=31087]see Re: Website Security[/msg])

thedotmaster wrote:http://www.risingfaizabad.com/article-view.php?id= <-- vulnerable to SQL injection
http://www.risingfaizabad.com/category.php?id=aaa <-- something is going on there, not sure what



The error on these pages are just header change request and I know about it. However I have edited both the pages. The most important thing for me is how could he get my password.?
gauravweb
New User
New User
 
Posts: 22
Joined: Fri Jun 06, 2008 12:35 pm
Location: India
Blog: View Blog (0)

Re: Website Security

Post by Goatboy on Sun Dec 06, 2009 4:46 pm
([msg=31088]see Re: Website Security[/msg])

gauravweb wrote:
thedotmaster wrote:http://www.risingfaizabad.com/article-view.php?id= <-- vulnerable to SQL injection
http://www.risingfaizabad.com/category.php?id=aaa <-- something is going on there, not sure what



The error on these pages are just header change request and I know about it. However I have edited both the pages. The most important thing for me is how could he get my password.?

If you want us to really be able to help you, it would be nice to see some source code. Although the attacker was able to get in (presumably) without it, we would be much more able to help if we could see exactly what is going on behind the scenes.

I know you may be reluctant to do this, and that is entirely understandable. However, I can only say that full transparency is often the way to go in security review
Mundus Vult Decipi
User avatar
Goatboy
Expert
Expert
 
Posts: 2443
Joined: Mon Jul 07, 2008 9:35 pm
Blog: View Blog (0)

Re: Website Security

Post by gauravweb on Tue Dec 08, 2009 3:04 am
([msg=31154]see Re: Website Security[/msg])

Goatboy wrote:
gauravweb wrote:
thedotmaster wrote:http://www.risingfaizabad.com/article-view.php?id= <-- vulnerable to SQL injection
http://www.risingfaizabad.com/category.php?id=aaa <-- something is going on there, not sure what



The error on these pages are just header change request and I know about it. However I have edited both the pages. The most important thing for me is how could he get my password.?

If you want us to really be able to help you, it would be nice to see some source code. Although the attacker was able to get in (presumably) without it, we would be much more able to help if we could see exactly what is going on behind the scenes.

I know you may be reluctant to do this, and that is entirely understandable. However, I can only say that full transparency is often the way to go in security review


I can give you the source code but first tell me which code do you want? And as I have mentioned before, the most important concern for me is how he can get the password of my account?
gauravweb
New User
New User
 
Posts: 22
Joined: Fri Jun 06, 2008 12:35 pm
Location: India
Blog: View Blog (0)

Re: Website Security

Post by Goatboy on Tue Dec 08, 2009 10:12 am
([msg=31161]see Re: Website Security[/msg])

We've already listed some ways he could have gotten in, but there are many, and they are all just guesses. We probably can't tell you exactly how he got in, but if we had the source we could review it and narrow it down. From there, we could tell you what to fix, and maybe even how to fix it.

That said, it would be the most helpful to have full source. I realize this is not always legally possible or personally desirable. In that case, we should at least see the scripts which handle logins.

The bottom line is, you're going to get more help if you give us more to work with.
Mundus Vult Decipi
User avatar
Goatboy
Expert
Expert
 
Posts: 2443
Joined: Mon Jul 07, 2008 9:35 pm
Blog: View Blog (0)

Re: Website Security

Post by gauravweb on Tue Dec 08, 2009 10:18 am
([msg=31163]see Re: Website Security[/msg])

Goatboy wrote:We've already listed some ways he could have gotten in, but there are many, and they are all just guesses. We probably can't tell you exactly how he got in, but if we had the source we could review it and narrow it down. From there, we could tell you what to fix, and maybe even how to fix it.

That said, it would be the most helpful to have full source. I realize this is not always legally possible or personally desirable. In that case, we should at least see the scripts which handle logins.

The bottom line is, you're going to get more help if you give us more to work with.



Okay then I'm sending you the code as PM.
gauravweb
New User
New User
 
Posts: 22
Joined: Fri Jun 06, 2008 12:35 pm
Location: India
Blog: View Blog (0)

Re: Website Security

Post by Goatboy on Tue Dec 08, 2009 10:20 am
([msg=31164]see Re: Website Security[/msg])

>_<

That's not what I meant, but okay. Should I share it with thedotmaster as well?
Mundus Vult Decipi
User avatar
Goatboy
Expert
Expert
 
Posts: 2443
Joined: Mon Jul 07, 2008 9:35 pm
Blog: View Blog (0)

Re: Website Security

Post by gauravweb on Tue Dec 08, 2009 10:25 am
([msg=31165]see Re: Website Security[/msg])

Goatboy wrote:>_<

That's not what I meant, but okay. Should I share it with thedotmaster as well?


Me and thedotmaster are already working on this. However you can share this with him too.
gauravweb
New User
New User
 
Posts: 22
Joined: Fri Jun 06, 2008 12:35 pm
Location: India
Blog: View Blog (0)
Previous
Post a reply

Return to General

Who is online

Users browsing this forum: No registered users and 0 guests

Disclaimer :
HackThisSite does not support illegal activities.
The management of this board is not responsible for the content of any external internet sites.
Powered by phpBB © 2000-2009 phpBB Group
Carbon Style By Echo -=Designs By Echo=- © 2007 Echo
Administration Control Panel