I got hacked :(
#1 | 24.10.2002, 13:32 | Web developer (Yerevan)

I got hacked :(
#2 | 24.10.2002, 14:52 | Master (Am)

I understand this isn't funny.. but anyway, LooL :)
the same jerk broke into my expo 3 or 4 times in a row..
I just don't feel like dealing with idiots, otherwise I could easily have gotten his IP from Arminco and beaten the crap out of him..
so just restore the old version and change the passwords..
#3 | 24.10.2002, 16:32 | ¡no pasaran! (localhost)

IIS
#4 | 24.10.2002, 18:31 | Web developer (Yerevan)

2 Arik:
It simply means that ready-made products can't just be used; you have to write everything yourself...
2 DolphiN:
IIS, like Apache and like any other web server, requires proper configuration. They all have their pros and cons, and all of them can be hacked. In this case there is nothing I can do, since the hosting isn't mine. And by the way, what does IIS have to do with it, when only the forum was broken into???
#5 | 24.10.2002, 19:54 | Master (Am)

2 Aram Ghazanchyan
Fully agree..
#6 | 25.10.2002, 00:29 | Chief Baldy (AM)

Arik, often the problem is not the passwords or the web server settings. The simplest example: if your application keeps part of its code in .inc files, and the web server isn't configured to refuse to serve those files without parsing them, then anyone can request the URL of such a file and see its source. BTW, that is exactly the situation on Arminco's hosting.....
And a small IMHO. If you've been hacked, first you need to find out how it was done, and only then restore from backups.
Regards
__________________
Ruben Muradyan
Technical Director
PanARMENIAN Network: Armenian News
----------------------------------------------------
A bald patch is a clearing trampled down by thoughts.
----------------------------------------------------
#7 | 25.10.2002, 00:47 | Chief Baldy (AM)

Quote:
It simply means that ready-made products can't just be used; you have to write everything yourself...

There are several nuances here.
1. I fully agree with this statement, though not for security reasons......
2. You have to write very carefully. And I strongly recommend having a competent sysadmin on the team. The thing is, most mistakes get caught at the level of checking compliance with standards. A simple example: on one web server, all .html files are parsed by php regardless of whether the file contains php code or not. On the one hand it's convenient. On the other hand, the "Last-Modified" header isn't sent, and a lot more traffic is generated.....
3. If the team is large, you need at least one person doing a security audit of the code....
4. Read whitepapers carefully. A huge number of sites are vulnerable to errors of the Cross-Site Scripting type.
5. If the server administrator is unreachable (hosting), then study the server configuration carefully and write accordingly. In the case of arminco: don't keep pieces of code in .inc files; rename them to .php.
6. Subscribe to the relevant mailing lists, because new vulnerabilities appear periodically......
That's about it
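The .inc problem raised in post #6 and the rename-to-.php advice in item 5 of post #7, as an added example that is not code from the thread or from any forum package. It audits a web root for two include-file problems: files named *.inc, which a server that only hands *.php to the interpreter serves as plain text, and *.php include files with no entry guard, which a direct request executes on their own. The guard marker name IN_APP, and the convention that shared code lives under lib/ or is named *.inc.php, are assumptions; the sample files are constructed in a temp directory so the script runs offline.

```php
<?php
// Added example, not code from the thread. Flags two include-file problems:
//   - *.inc files: served as text (source disclosure) unless the server parses them;
//   - *.php include files without a defined('IN_APP') guard: executed on direct request.
// The marker name and the lib/ and *.inc.php naming rules are assumptions.

function audit_includes(string $webroot, string $marker = 'IN_APP'): array
{
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($webroot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        $path = $file->getPathname();
        $rel  = str_replace(DIRECTORY_SEPARATOR, '/', substr($path, strlen($webroot) + 1));

        if ($file->getExtension() === 'inc') {
            $findings[] = "$rel: .inc extension, source is served as text unless the server parses it; rename to .php";
            continue;
        }
        // Assumed convention: shared code lives under lib/ or is named *.inc.php.
        $isInclude = strncmp($rel, 'lib/', 4) === 0 || substr($rel, -8) === '.inc.php';
        if ($isInclude && strpos(file_get_contents($path), "defined('$marker')") === false) {
            $findings[] = "$rel: no defined('$marker') guard; a direct request executes it";
        }
    }
    sort($findings);
    return $findings;
}

// Constructed sample web root so the script runs offline.
$root = sys_get_temp_dir() . '/inc_audit_' . uniqid();
mkdir("$root/lib", 0700, true);
file_put_contents("$root/config.inc", "<?php \$db_pass = 'constructed';\n");
file_put_contents("$root/lib/db.php", "<?php function db_connect() {}\n");
file_put_contents("$root/lib/auth.inc.php",
    "<?php if (!defined('IN_APP')) { header('HTTP/1.0 403 Forbidden'); exit; }\n");
file_put_contents("$root/index.php",
    "<?php define('IN_APP', true); require __DIR__ . '/lib/auth.inc.php';\n");

foreach (audit_includes($root) as $finding) {
    echo $finding, PHP_EOL;
}
```

Run against the constructed root, the audit reports config.inc (extension) and lib/db.php (missing guard); lib/auth.inc.php and index.php pass. Renaming .inc to .php removes the disclosure, but the guard is what keeps a renamed include from being run by a direct request, which is why both checks are made.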
#8 | 25.10.2002, 13:49 | Web developer (Yerevan)

2 Pascal:
Thanks for the detailed information.
I think all config files should be kept in *.inc.php (asp) files.
Could you explain what "Cross-Site Scripting" is?
#9 | 25.10.2002, 17:56 | Master (Am)

exactly..
what is "Cross-Site Scripting"?
#10 | 25.10.2002, 21:59 | Chief Baldy (AM)

"What is Cross Site Scripting?"
Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this link from another website, web board, email, or from an instant message. Usually the attacker will encode the malicious portion of the link to the site in HEX (or other encoding methods) so the request is less suspicious looking to the user when clicked on. After the data is collected by the web application, it creates an output page for the user containing the malicious data that was originally sent to it, but in a manner to make it appear as valid content from the website.
A short explanation of XSS errors made by web application programmers is here: http://www.cert.org/archive/pdf/cros..._scripting.pdf
And here is a description of errors of this type made by server developers:
http://www.kb.cert.org/vuls/id/520707
http://www.cgisecurity.com/archive/w...2.0.43-xss.txt
And here is a guide to writing secure web applications. IMHO this thing should be printed out and read like the Bible:
http://online.securityfocus.com/data...vices-V1.0.pdf
And in general, http://www.cgisecurity.com/
Regards
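The reflected case the quoted CERT text describes, as an added example that is not code from the thread or from CERT: a search page that echoes the user's query, shown with the bug and with the fix side by side. The request value is constructed here in place of a crafted link, and the function names are assumptions.

```php
<?php
// Added example, not code from the thread. A page that reflects a search term,
// once unescaped (the XSS bug) and once escaped at output (the fix).

function render_results_unsafe(string $q): string
{
    // Bug: the parameter is copied into the HTML unchanged, so any markup
    // in it becomes part of the page the browser executes.
    return "<p>Results for: $q</p>";
}

function render_results_safe(string $q): string
{
    // Fix: escape for the HTML context at the point of output. ENT_QUOTES
    // also covers attribute values; the charset must match the page's.
    $safe = htmlspecialchars($q, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Results for: $safe</p>";
}

// Constructed request. A crafted link usually carries the value URL-encoded
// (the "HEX" the quote mentions); PHP decodes it before filling $_GET, so
// the encoding changes nothing and escaping must happen on output.
$_GET['q'] = urldecode('%3Cscript%3Ealert(1)%3C%2Fscript%3E');
$q = (string)($_GET['q'] ?? '');

header('Content-Type: text/html; charset=UTF-8');
echo render_results_unsafe($q), PHP_EOL;  // script element reaches the browser intact
echo render_results_safe($q), PHP_EOL;    // shown as literal text: &lt;script&gt;...
```

The escaping belongs in the output function, not in some input filter: the same value may later be written into an attribute, a URL or a JavaScript string, each needing its own encoding, and filtering on the way in cannot know which.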
#11 | 26.10.2002, 03:33 | Professor (New York, USA)

Ghazanchyan, why weren't you applying bug fixes in time?????
The bug that the Istanbul puppies are using is at least 4 months old.
Read up on the Snitz forum and then change your password...
2 Arik
you were hacked 3 times, and you aren't even interested in why??????
#12 | 26.10.2002, 03:34 | Professor (New York, USA)

2 Pascal
this is a different bug, it's related to SQL injection....
#13 | 26.10.2002, 03:43 | Chief Baldy (AM)

groul
I gave an example....
The thing is, very few web developers take measures to secure their sites....
XSS is the classic mistake of an inattentive programmer.....
#14 | 26.10.2002, 03:52 | Professor (New York, USA)

SQL injection too :))))
All you have to do is server-side validation, carefully...
By the way, about a year ago I was writing a user authentication system and started reading various articles on the web. Of the 7 articles I read, 5 didn't say a word about validation (and the people who wrote those articles are supposedly experienced programmers).
What does this mean? It means that realistically 60% of mid-level sites can be "taken down" solely because the validation mechanism is implemented incorrectly...
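The SQL injection and server-side validation points from posts #12 and #14, as an added example that is not code from the thread or from Snitz: a user lookup written two ways against an in-memory SQLite table of constructed rows, plus the validation step that rejects bad input before any query runs. It assumes the pdo_sqlite extension; the table, rows and function names are assumptions.

```php
<?php
// Added example, not code from the thread. Shows why splicing input into SQL
// is the bug, why a bound parameter closes it, and where server-side
// validation fits as a second layer. Requires pdo_sqlite.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (login TEXT PRIMARY KEY, email TEXT)");
$ins = $pdo->prepare("INSERT INTO users VALUES (?, ?)");
foreach ([['admin', 'admin@example.test'],
          ['alice', 'alice@example.test'],
          ['bob',   'bob@example.test']] as $row) {   // constructed rows
    $ins->execute($row);
}

// Vulnerable: the login is spliced into the SQL text, so a quote inside it
// ends the literal and the rest of the input becomes part of the query.
function find_logins_unsafe(PDO $pdo, string $login): array
{
    $sql = "SELECT login FROM users WHERE login = '$login'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: a bound parameter is sent as data and can never alter the query.
function find_logins_safe(PDO $pdo, string $login): array
{
    $stmt = $pdo->prepare("SELECT login FROM users WHERE login = ?");
    $stmt->execute([$login]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Server-side validation: accept only the characters a login may contain.
// This is the step groul says most articles skip; it complements the bound
// parameter rather than replacing it.
function is_valid_login(string $login): bool
{
    return preg_match('/^[A-Za-z0-9_]{3,32}$/', $login) === 1;
}

$normal  = 'alice';
$crafted = "' OR '1'='1";   // constructed input

var_dump(find_logins_unsafe($pdo, $normal));    // the one matching row
var_dump(find_logins_unsafe($pdo, $crafted));   // every row: the WHERE clause became always-true
var_dump(find_logins_safe($pdo, $crafted));     // no rows: no login equals that literal string
var_dump(is_valid_login($crafted));             // false: rejected before any query runs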
#15 | 26.10.2002, 05:08 | Conservative (Caucasian Albania)

My 2c
Another fairly common authentication mistake:
Code:
```php
<?php
// Posted snippet, kept as written: $auth is never initialised before the
// check, so with register_globals on a request parameter named "auth"
// sets it before this code runs.
if ($login == "admin" && $pass == "mypass")
    $auth = 1;
// ...
if ($auth) {
    /* ADMIN STUFF */
}
```
If the "register_globals" mechanism is enabled in the php configuration, you can easily get admin access by typing http://some_victim/admin.php?auth=1
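The same admin check written so that it holds whether or not register_globals is on, as an added example that is not code from the thread. check_credentials() is a hypothetical stand-in for a real user lookup, and the two requests at the bottom are constructed.

```php
<?php
// Added example, not code from the thread. Hardened form of the posted check:
// the decision variable is initialised, input is read only from the request
// array, and the script refuses to run under register_globals at all.

// register_globals was removed in PHP 5.4; on an older build, refuse to run
// with it enabled rather than trusting that every variable is initialised.
if (ini_get('register_globals')) {
    exit('Refusing to run with register_globals enabled.');
}

function check_credentials(string $login, string $pass): bool
{
    // Hypothetical stand-in for looking up the stored hash; constructed value.
    $storedHash = password_hash('mypass', PASSWORD_DEFAULT);
    return $login === 'admin' && password_verify($pass, $storedHash);
}

function is_admin_request(array $post): bool
{
    // 1. The decision variable is set here, so nothing a request carries
    //    (?auth=1 or a form field named auth) can preset it.
    $auth = false;

    // 2. Credentials come only from the request array, never from bare
    //    $login / $pass that register_globals would have created.
    $login = (string)($post['login'] ?? '');
    $pass  = (string)($post['pass'] ?? '');

    if (check_credentials($login, $pass)) {
        $auth = true;
    }
    return $auth;
}

// Constructed requests: the first mimics admin.php?auth=1, the second a real login.
var_dump(is_admin_request(['auth' => '1']));
var_dump(is_admin_request(['login' => 'admin', 'pass' => 'mypass']));
```

The first call returns false because the stray auth field is never read; the second returns true only after the password check. Initialising every variable you branch on is the habit that makes the setting irrelevant.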