Armenian Knowledge Base  

24.10.2002, 14:32   #1
Aram Ghazanchyan (Web developer)

I got hacked :(

http://www.ghazanchyan.com/forum
24.10.2002, 15:52   #2
Master

Quote:
Originally posted by Aram Ghazanchyan:
http://www.ghazanchyan.com/forum
I understand this isn't funny..
but still, LooL
)

My Expo got hacked 3-4 times in a row by one and the same asshole..
I just don't feel like getting involved with idiots, otherwise I could easily have got the IP from Arminco and beaten the s**t out of him..

So just restore the old version and change the passwords..
24.10.2002, 17:32   #3
dolphin (¡no pasaran!)

IIS
24.10.2002, 19:31   #4
Aram Ghazanchyan (Web developer)

To Arik:
It just means that you can't simply use off-the-shelf products; you have to write everything yourself...

To DolphiN:
IIS, like Apache and like any other web server, needs to be configured properly. They all have their pluses and minuses, and all of them can be hacked. In this case I can't do anything, since the hosting isn't mine. And by the way, what does IIS have to do with it, when only the forum was broken into???
24.10.2002, 20:54   #5
Master

To Aram Ghazanchyan:
Completely agree..
25.10.2002, 01:29   #6
Pascal (Chief Baldy)

Arik, quite often the problem is not the passwords or the web server settings. The simplest example: if part of your application's code is kept in .inc files, and the web server isn't configured to refuse to serve those files without parsing them, then anyone can request the URL of such a file and see its source. BTW, that is exactly the situation on Arminco's hosting.....

And a small IMHO. If you've been hacked, first find out how it was done, and only then restore from backups.

Regards
__________________
Ruben Muradyan
Technical Director
PanARMENIAN Network: Armenian News

----------------------------------------------------
A bald spot is a clearing trampled out by thoughts.
----------------------------------------------------
25.10.2002, 01:47   #7
Pascal (Chief Baldy)

Quote:
Originally posted by Aram Ghazanchyan:
It just means that you can't simply use off-the-shelf products; you have to write everything yourself...

There are a few nuances here.
1. I completely agree with this statement, though not for security reasons......
2. You have to write very carefully. And I strongly recommend having a competent sysadmin on the team. The point is that most mistakes show up at the level of checking conformance to standards. A simple example: on one web server all .html files are parsed by PHP regardless of whether the file contains PHP code or not. On the one hand, it's convenient. On the other hand, the "Last-Modified" header is not sent, and a lot more traffic is generated.....
3. If the team is big, you need to have at least one person doing security audits of the code....
4. Read whitepapers carefully. A huge number of sites are vulnerable to Cross-Site Scripting type bugs.
5. If the server administrator is unreachable (hosting), then study the server configuration carefully and write accordingly. In the case of Arminco: don't keep pieces of code in .inc files; rename them to .php.
6. Subscribe to the relevant mailing lists, because new vulnerabilities come up periodically......

That's about it.
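Point 5 above worked out as an added PHP example, not code from the thread: an include file renamed from .inc to .php and guarded against direct requests, with the out-of-document-root alternative noted. The file names, the IN_FORUM constant and the credential values are assumptions.

```php
<?php
// Added example, not from the thread: keeping an include file from being served
// as source on a host that does not parse .inc files. Two files are shown in one
// listing; file names, the IN_FORUM constant and the values are assumptions.

// ---- public_html/config.inc.php (was config.inc) ---------------------------
// 1. Renamed to .php, so the server runs it instead of sending its text.
// 2. Guarded, so running it on a direct request does nothing and shows nothing;
//    only a real entry point that defined IN_FORUM first gets past this check.
if (!defined('IN_FORUM')) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}
$db_host = 'localhost';     // constructed placeholder values, not real credentials
$db_user = 'forum';
$db_pass = 'change-me';

// ---- public_html/index.php ---------------------------------------------------
define('IN_FORUM', true);   // set before any include, and only by entry scripts
require __DIR__ . '/config.inc.php';

// 3. Better still on shared hosting: keep the file outside the document root, so
//    no URL maps to it whatever extensions the server parses, e.g.
//    require dirname(__DIR__) . '/private/config.php';
echo "would connect to $db_host as $db_user\n";
```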
25.10.2002, 14:49   #8
Aram Ghazanchyan (Web developer)

To Pascal:
Thanks for the detailed information.
I think all configuration files should be kept in *.inc.php (asp) files.
Could you explain what "Cross-Site Scripting" is?
25.10.2002, 18:56   #9
Master

Exactly..
What is "Cross-Site Scripting"?
25.10.2002, 22:59   #10
Pascal (Chief Baldy)
"What is Cross Site Scripting?"

Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this link from another website, web board, email, or from an instant message. Usually the attacker will encode the malicious portion of the link to the site in HEX (or other encoding methods) so the request is less suspicious looking to the user when clicked on. After the data is collected by the web application, it creates an output page for the user containing the malicious data that was originally sent to it, but in a manner to make it appear as valid content from the website.


A short explanation of XSS bugs made by web application programmers is here: http://www.cert.org/archive/pdf/cros..._scripting.pdf

And here is a description of bugs of this type made by the server developers themselves:
http://www.kb.cert.org/vuls/id/520707
http://www.cgisecurity.com/archive/w...2.0.43-xss.txt

Here is a guide to writing secure web applications. IMHO this thing should be printed out and read like the Bible:
http://online.securityfocus.com/data...vices-V1.0.pdf

And in general: http://www.cgisecurity.com/

Regards
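The mechanism described in the quoted definition above, as an added PHP example that is not from the thread or from cgisecurity: a search page that reflects its q parameter, first unescaped and then escaped at the point of output. The parameter name and the page markup are assumptions.

```php
<?php
// Added example, not code from the thread: a search page that reflects the `q`
// parameter back into HTML, shown unescaped (reflected XSS) and escaped.
// The parameter name and the markup are assumptions for the demo.

// VULNERABLE: the raw value lands inside the HTML, so markup carried in the
// link the victim clicked is rendered by the browser as part of the site's page.
function render_vulnerable(string $q): string
{
    return "<p>Results for: $q</p>\n";
}

// HTML-escape at the point of output. ENT_QUOTES covers both quote characters,
// so the same helper is safe for text nodes and for double-quoted attributes.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// HARDENED: every untrusted value goes through e() wherever it is emitted,
// including when it is echoed back into the search box.
function render_safe(string $q): string
{
    return '<p>Results for: ' . e($q) . "</p>\n"
         . '<input type="text" name="q" value="' . e($q) . '">' . "\n";
}

// The charset in the Content-Type header must match the one given to
// htmlspecialchars(), or the browser may decode bytes differently than the escaper.
header('Content-Type: text/html; charset=UTF-8');

// Constructed sample input standing in for $_GET['q'] from a crafted link.
$q = $_GET['q'] ?? '<script>alert(1)</script>';

echo "Vulnerable:\n" . render_vulnerable($q) . "\nEscaped:\n" . render_safe($q);
```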
26.10.2002, 04:33   #11
Professor

Ghazanchyan, why didn't you apply the bug fixes in time?????

The bug that the Istanbul puppies are exploiting is at least 4 months old by now.

Read up on the Snitz forum and then change your password...

To Arik:

You've been hacked 3 times, and you aren't even interested in why??????
26.10.2002, 04:34   #12
Professor

To Pascal:

This is a different bug, and it's related to SQL injection....
26.10.2002, 04:43   #13
Pascal (Chief Baldy)

groul,
I gave an example....

The thing is, very few web developers take any measures to secure their sites....
XSS is the classic mark of an inattentive programmer.....
26.10.2002, 04:52   #14
Professor

SQL injection too )))

All it takes is doing server-side validation carefully...

By the way, about a year ago I was writing a user authentication system and started looking at various articles on the web. Of the 7 articles I read, 5 had not a word about validation (and those who wrote the articles were supposedly experienced programmers already).

What does that mean? It means that realistically 60% of mid-level sites can be "taken down" just through an incorrect implementation of the validation mechanism...
__________________
Karen Vrtanesyan, supporter

ArmenianHouse.org - Armenian Library and Forum.
Literary Cafe - Young Armenian writers and poets
26.10.2002, 06:08   #15
VX (Conservative)

My 2c

Another fairly popular authentication mistake:
Code:
<?php
// $auth is never initialised before the check below, so whatever arrived
// in the request under that name is what ends up being tested.
if ($login == "admin" && $pass == "mypass")
    $auth = 1;

// ...

if ($auth) {
    /* ADMIN STUFF */
}
If the "register_globals" mechanism is enabled in the PHP configuration, you can easily get admin access just by entering http://some_victim/admin.php?auth=1
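The two points made above, server-side validation with bound parameters from post #14 and the uninitialised $auth flag under register_globals from post #15, in one added PHP example that is not code from the thread; the SQLite schema, the function names and the sample account are assumptions.

```php
<?php
// Added example, not from the thread: the login flaw from the two posts above
// (string-built SQL with no server-side validation, and an uninitialised $auth
// that register_globals lets a request pre-set) next to a hardened version.
// Uses an in-memory SQLite database built here; table and column names are assumed.

// VULNERABLE: $login/$pass are spliced into the SQL, and $auth is only ever set,
// never initialised, so a pre-existing value (from ?auth=1) is trusted.
function login_vulnerable(PDO $db, string $login, string $pass): bool
{
    $sql = "SELECT id FROM users WHERE login = '$login' AND pass = '$pass'";
    if ($db->query($sql)->fetch()) {
        $auth = 1;
    }
    return !empty($auth);
}

// HARDENED: flag initialised first, input taken only from the POST array,
// validated on the server, looked up with a bound parameter, and checked
// against a password hash rather than a plaintext column.
function login_safe(PDO $db, array $post): bool
{
    $auth  = false;
    $login = (string) ($post['login'] ?? '');
    $pass  = (string) ($post['pass'] ?? '');
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $login)) {
        return false;                      // anything outside the allowed shape is refused
    }
    $st = $db->prepare('SELECT pass_hash FROM users WHERE login = :login');
    $st->execute([':login' => $login]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row !== false && password_verify($pass, $row['pass_hash'])) {
        $auth = true;
    }
    return $auth;
}

// Constructed demo data: one admin account. The plaintext `pass` column exists
// only so the vulnerable query has something to match against.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass TEXT, pass_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (login, pass, pass_hash) VALUES (?, ?, ?)');
$ins->execute(['admin', 'mypass', password_hash('mypass', PASSWORD_DEFAULT)]);

$injected = "admin' -- ";                  // turns the rest of the raw query into a comment
var_dump(login_vulnerable($db, $injected, 'wrong'));                   // raw query, bad password
var_dump(login_safe($db, ['login' => $injected, 'pass' => 'wrong']));  // same input, validated and bound
var_dump(login_safe($db, ['login' => 'admin', 'pass' => 'mypass']));   // legitimate credentials
```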