Topic: Dear Web Administrator,

Eric started this discussion 2 months ago #1,539


I've noticed your site and was intrigued by its design. While looking, I tried and performed a small audit on it to showcase to you some of the possible issues with it. I'll strip out specifics to prevent others from exploiting your site.

Ranked from most severe to not very.
- The upload system doesn't validate images, which can allow attackers to upload well-crafted image files that execute PHP code on your server. (This can give attackers complete control over your site & server, or at the least cause an exception or a crash in GD)
- Some of the SQL queries here are vulnerable to SQL injection. (This can give attackers access to your entire database and user credentials)
- Some of your pages barely protect users against XSS attacks. (This can be used to steal user credentials, and some private details. Not to mention your session can be hijacked)
- (Maybe) The watching feature can perform a DoS attack on your server by rapidly watching a lot of threads at the same time.
- There is some problem with your account registration that can allow users to rapidly create accounts by refreshing certain pages. Also there is no limit on accounts a user can have (unless they are deleted).
- Your JavaScript resources are missing.

I only did Black Box testing, as although this site's footer claims it is open source, the links are dead. So I haven't looked at its source code.
I'll visit your site tomorrow 9 PM CET. I hope you can fix those issues before bots scan your site and find out these vulnerabilities.
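
An added example, not part of the original post and not the site's own code: one way to close the first finding is to decide the file type from its bytes, bound its size and dimensions, and re-encode it with GD under a server-chosen name. `store_image()`, the limits and `$destDir` are hypothetical; it assumes the gd and fileinfo extensions and a destination directory from which the web server does not execute scripts.

```php
<?php
// Added example; store_image(), the limits and $destDir are hypothetical names.
const MAX_BYTES = 2 * 1024 * 1024;
const MAX_SIDE  = 4096;              // cap dimensions before GD allocates memory
const ALLOWED   = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

function store_image(string $tmpPath, string $destDir): string
{
    $size = @filesize($tmpPath);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('bad file size');
    }
    // Decide the type from the bytes, never from the client's name or Content-Type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    $ext  = ALLOWED[$mime] ?? null;
    if ($ext === null) {
        throw new RuntimeException('type not allowed');
    }
    $info = @getimagesize($tmpPath);
    if ($info === false || $info['mime'] !== $mime
        || $info[0] > MAX_SIDE || $info[1] > MAX_SIDE) {
        throw new RuntimeException('not a valid image');
    }
    // A decode failure comes back as false and is turned into a clean rejection.
    $img = $mime === 'image/png' ? @imagecreatefrompng($tmpPath)
                                 : @imagecreatefromjpeg($tmpPath);
    if ($img === false) {
        throw new RuntimeException('image could not be decoded');
    }
    // Random server-chosen name; re-encoding drops metadata and trailing bytes.
    $dest = $destDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    $ok = $mime === 'image/png' ? imagepng($img, $dest) : imagejpeg($img, $dest, 85);
    if (!$ok) {
        throw new RuntimeException('write failed');
    }
    return $dest;
}

// Constructed sample input: one real PNG made with GD, one text file named .png.
$dir = sys_get_temp_dir();
[$good, $bad] = ["$dir/sample_ok.png", "$dir/sample_bad.png"];
imagepng(imagecreatetruecolor(8, 8), $good);
file_put_contents($bad, "this is not an image\n");
echo basename(store_image($good, $dir)), "\n";
try {
    store_image($bad, $dir);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

In a real handler the first argument would be `$_FILES[...]['tmp_name']` after checking the upload error code and `is_uploaded_file()`.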


Anonymous B joined in and replied with this 2 months ago, 5 hours later #20,806

unauthorized blackbox testing is illegal

(Edited 13 seconds later.)

Anonymous C joined in and replied with this 2 months ago, 16 hours later, 22 hours after the original post #20,807


> unauthorized blackbox testing is illegal


Are you the webmaster? Either way, that may be so, but I am just telling you that you have some serious vulnerabilities that need to be patched if you care about your site.
It's better to be exploited first so you know what to fix than for it to be exploited by attackers who then ransom your users' details or deface your site.

Having these security issues is nothing to be ashamed of; every programmer unknowingly gets some. And by that they learn how to avoid them and be more security-conscious in the future.

Take care.
