disclosing a vulnerability

PostPosted: Sat Aug 14, 2010 4:48 pm
by graham_chow
About a week ago, I rang up a company because their web site had obviously been hacked. I went back yesterday and they had fixed it up. I noticed a few things, like directory listings of content that obviously should not be publicly available, and then I stumbled upon a hidden "admin logon page". Having just completed realistic 2 and having a user name, I could not resist trying the SQL injection hack. I'm in, and it presented me with lots of nice tools to add and remove content on their site :o . I can't anonymously call this time because the technical detail is too high for the receptionist. Is the best bet to send them snail mail, or should I just move on and forget about it? It is not an ecommerce site, but they would have enemies who would like to deface their website. It is not a political website - they just do necessary things that the public generally don't like.

Re: disclosing a vulnerability

PostPosted: Sat Aug 14, 2010 6:28 pm
by Assassian360
graham_chow wrote: About a week ago, I rang up a company because their web site had obviously been hacked. I went back yesterday and they had fixed it up. I noticed a few things, like directory listings of content that obviously should not be publicly available, and then I stumbled upon a hidden "admin logon page". Having just completed realistic 2 and having a user name, I could not resist trying the SQL injection hack. I'm in, and it presented me with lots of nice tools to add and remove content on their site :o . I can't anonymously call this time because the technical detail is too high for the receptionist. Is the best bet to send them snail mail, or should I just move on and forget about it? It is not an ecommerce site, but they would have enemies who would like to deface their website. It is not a political website - they just do necessary things that the public generally don't like.


I would suggest trying to send an email first. If they don't respond send another or give them a call.
They'd probably like to know about it.

Re: disclosing a vulnerability

PostPosted: Sat Aug 14, 2010 6:43 pm
by Goatboy
Anonymous email is the way to go.

Re: disclosing a vulnerability

PostPosted: Sun Aug 22, 2010 11:04 am
by Seraph89
Anonymous email will be a winner; that way they know and you can't be targeted for illegal activities :D

Good job though.