OZONE Asylum
Forums
Mad Scientists' Laboratory
@tp: spotted a hole in the walls of Arkham
This page's ID:
28472
Thank you. * [i]Incidentally, your account has been locked for hacking the Asylum[/i].**

Here's the run down for the rest of you. Mauro discovered a way to receive a directory listing from the Asylum's webserver, i.e. a list of files, automatically generated by Apache, for any directory on the server. Using that list he was able to find a file containing a call to ->phpinfo(), a function which tells you what versions the various software on a server reports itself as. In addition he was able to call any of the PHP scripts the grail usually includes from one main file directly, creating 'error messages in every software module of the Asylum'.

Now, while this has been portrayed by a member of the Asylum as if the roof fell down, none of it revealed anything that an attacker couldn't have gained another way.

[ulist]
* Directory listing: The grail's open source. I have shared the code with over 2 dozen people. Relying on obscurity is a pretty daft idea.
* Version information is useless. A server might be patched, especially at a bigger webhosting provider, without actually being the newest version. And trying exploits is cheap - you would not skip a known exploit just because the server claimed to be a secure version.
* While all of the PHP includes will throw error messages, virtually every one will be 'function not found' within the first three lines of code. They do not include the main include file, which contains a lot of functions used throughout the code. For example, neither file nor database nor cookie access can happen in the code without that main include file.
[/ulist]

There are some improvements to be made though:

[ulist]
* I have disabled the directory listing. That means Options -Indexes in .htaccess.
* In the same vein, it's no longer possible to call the includes directly.
[/ulist]

So long,
->Tyberius Prime

* I have some rather snide remarks for people who barely answer sensitive matters within a business day, but complain if they don't receive a 'thank you' within less than 24 hours. Alas, I'm afraid my English isn't up to it. And boy, your definition of 'discreet' or 'secretly' must have been written while being on a certain powdery substance...

**jk.

Edit: Typos typos typos. Buy Two, pay three!

[small](Edited by [url=http://www.ozoneasylum.com/user/1424]Tyberius Prime[/url] on 09-27-2006 16:04)[/small]
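As an added illustration of the two fixes listed in the post above (example configuration, not the Asylum's or the grail's own), here is an .htaccess that turns off Apache's auto-generated listings and refuses direct HTTP requests for library scripts; the `.inc.php` naming convention, the `includes/` directory and the `phpinfo.php` filename are assumptions, not names from the post.

```apache
# Added example, not the Asylum's own configuration. Assumes the
# application keeps its library scripts under a directory named
# "includes/" (assumed name), named "*.inc.php" (assumed convention),
# and that AllowOverride permits Options and authz directives here.

# Weak state: with "Indexes" enabled (or inherited from a parent
# config) a request for a directory URL that has no index file gets an
# auto-generated file listing, which is exactly what leaked here.
#   Options +Indexes

# Hardened: never auto-generate directory listings for this tree.
Options -Indexes

# Library scripts are only ever loaded via include()/require() from the
# main script, so nothing legitimate requests them over HTTP. Refuse
# direct requests; include() still works because PHP reads the file
# from disk, not through the webserver, so the site keeps functioning.
<FilesMatch "\.inc\.php$">
    # Apache 2.4
    Require all denied
    # Apache 2.2 equivalent:
    #   Order allow,deny
    #   Deny from all
</FilesMatch>

# Alternative that does not depend on a naming convention: put an
# .htaccess containing only "Require all denied" inside includes/ so
# the whole directory is unreachable by URL.

# A stray phpinfo() page is version disclosure for free; if one must
# exist briefly for diagnostics, restrict who can reach it and remove
# it afterwards (filename assumed).
<Files "phpinfo.php">
    Require ip 127.0.0.1
</Files>
```

After changing this, request the directory URL and one library script directly and confirm both return 403 rather than a listing or a PHP error.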