Recent Posts1
COMPUTER TECH HELP FORUM / Re: Penetration Test on Beemaster ?
« Last post by eivindm on Today at 11:52:24 am »I had initially thought of not replying to you as I don't think you deserve the attention you try to get. But to assure the other members that we are not into deep security issues I will anyways:
1. If you ever place your security in the fact that your admin URL is not easy to guess, you are simply doing it wrong. It is perfectly possible to secure the admin login with other means.
2. The exploit you point to is old, very old in fact. This issue was patched here a long time ago. An exploit to a previous version is not a problem for us. You could at least checked if our version was affected as we don't even hide our current version. That said; popular software like wordpress and SMF have had many security issues. If you had looked for it you would have found many of them. Running old versions is always a bad idea.
3. Manipulating post counts: We have run this site for many many years. It is not strange we have a high post count.
4. Congratulations. You learned to reverse lookup on DNS and found that the server runs other sites as well. My company runs a two digit number of sites behind the same IP with a 6 digit number of users. I handle security issues for many of them, and I sleep very well at night.
5. Allowing random parameters to the URL: You mean any random URL parameter should cause a 403 HTTP response, or just a strip off of the parameter with a 302 redirect? Why would this make the site more secure? In order to get a security issue this must be picked up somehow meaning that either the back end code or the front end code would have to pick it up and evaluate it or print it to the response un escaped. Any code showing data from a parameter should escape the data, no matter if it belongs to a supported parameter or not. Whitelisting parameters won't help for this. In fact; many frameworks auto escapes data like this unless otherwise stated. PHP does not, but any programmer with basic skills should know how to handle this. Try random code at a site like CNN. They don't strip it off with a 302 or give a 403 either. Millions of lines of code to a GET request won't even work: Apache has a default limit of 8K in the header and IIS has 16K, so it is hard to fit million of lines of code into a 8K header.
I don't appreciate your attitude. You got a warning for a good reason, so handle it and move on. You obviously want to make us mods look bad because of this by finding "security issues". That is a very bad start when you are fairly new to a forum. If you in any way was concerned about the security, you should have approached the admins/mods and give us a heads up, not posted this in public. That is basic security knowledge. We do in fact appreciate any tip about security issues when it is done with a positive attitude and is meant to help.
I will close this thread now as I don't have any wish to fight you in public. I just replied to assure the users that all is well.
1. If you ever place your security in the fact that your admin URL is not easy to guess, you are simply doing it wrong. It is perfectly possible to secure the admin login with other means.
2. The exploit you point to is old, very old in fact. This issue was patched here a long time ago. An exploit to a previous version is not a problem for us. You could at least checked if our version was affected as we don't even hide our current version. That said; popular software like wordpress and SMF have had many security issues. If you had looked for it you would have found many of them. Running old versions is always a bad idea.
3. Manipulating post counts: We have run this site for many many years. It is not strange we have a high post count.
4. Congratulations. You learned to reverse lookup on DNS and found that the server runs other sites as well. My company runs a two digit number of sites behind the same IP with a 6 digit number of users. I handle security issues for many of them, and I sleep very well at night.
5. Allowing random parameters to the URL: You mean any random URL parameter should cause a 403 HTTP response, or just a strip off of the parameter with a 302 redirect? Why would this make the site more secure? In order to get a security issue this must be picked up somehow meaning that either the back end code or the front end code would have to pick it up and evaluate it or print it to the response un escaped. Any code showing data from a parameter should escape the data, no matter if it belongs to a supported parameter or not. Whitelisting parameters won't help for this. In fact; many frameworks auto escapes data like this unless otherwise stated. PHP does not, but any programmer with basic skills should know how to handle this. Try random code at a site like CNN. They don't strip it off with a 302 or give a 403 either. Millions of lines of code to a GET request won't even work: Apache has a default limit of 8K in the header and IIS has 16K, so it is hard to fit million of lines of code into a 8K header.
I don't appreciate your attitude. You got a warning for a good reason, so handle it and move on. You obviously want to make us mods look bad because of this by finding "security issues". That is a very bad start when you are fairly new to a forum. If you in any way was concerned about the security, you should have approached the admins/mods and give us a heads up, not posted this in public. That is basic security knowledge. We do in fact appreciate any tip about security issues when it is done with a positive attitude and is meant to help.
I will close this thread now as I don't have any wish to fight you in public. I just replied to assure the users that all is well.