Disclosing a vulnerability

What is right? Is there right? Are you right?

Post by graham_chow on Sat Aug 14, 2010 4:48 pm

About a week ago, I rang up a company because their web site had obviously been hacked. I went back yesterday and they had fixed it up. I noticed a few things, like directory listings of content that obviously should not be publicly available, and then I stumbled upon a hidden "admin logon page". Having just completed Realistic 2 and having a user name, I could not resist trying the SQL injection hack. I'm in and it presented me with lots of nice tools to add and remove content to their site :o . I can't anonymously call this time because the technical detail is too high for the receptionist. Is the best bet to send them snail mail or should I just move on and forget about it? It is not an ecommerce site, but they would have enemies who would like to deface their website. It is not a political website - they just do necessary things that the public generally don't like.


Re: Disclosing a vulnerability

Post by Assassian360 on Sat Aug 14, 2010 6:28 pm

graham_chow wrote: About a week ago, I rang up a company because their web site had obviously been hacked. I went back yesterday and they had fixed it up. I noticed a few things, like directory listings of content that obviously should not be publicly available, and then I stumbled upon a hidden "admin logon page". Having just completed Realistic 2 and having a user name, I could not resist trying the SQL injection hack. I'm in and it presented me with lots of nice tools to add and remove content to their site :o . I can't anonymously call this time because the technical detail is too high for the receptionist. Is the best bet to send them snail mail or should I just move on and forget about it? It is not an ecommerce site, but they would have enemies who would like to deface their website. It is not a political website - they just do necessary things that the public generally don't like.


I would suggest trying to send an email first. If they don't respond, send another or give them a call.
They'd probably like to know about it.


Re: Disclosing a vulnerability

Post by Goatboy on Sat Aug 14, 2010 6:43 pm

Anonymous email is the way to go.


Re: Disclosing a vulnerability

Post by Seraph89 on Sun Aug 22, 2010 11:04 am

Anonymous email will be a winner, that way they know and you can't be targeted for illegal activities :D

Good job tho.


