Author Topic: Penetration Test on Beemaster ?  (Read 998 times)

Offline M3RLIN

  • New Bee
  • *
  • Posts: 19
  • Gender: Male
Penetration Test on Beemaster ?
« on: August 21, 2017, 09:29:16 am »
Well I just found the admin login screen.
https://beemaster.com/forum/index.php?action=admin

So that's a bad start right there. You don't want bleep even finding that bleep tbh.

I'm gonna keep looking....

Ok so your censors are ok.

Offline M3RLIN

Re: Penetration Test on Beemaster ?
« Reply #1 on: August 21, 2017, 09:43:32 am »
And then..... https://www.exploit-db.com/exploits/24445/

$^* ? Lucky I'm a white hat yo. Goodnight.

Offline M3RLIN

Re: Penetration Test on Beemaster ?
« Reply #2 on: August 21, 2017, 09:47:09 am »
Without publishing it on your site, it would appear that by manipulating post numbers data, it is possible to see WAYY too much on here.

Offline M3RLIN

Re: Penetration Test on Beemaster ?
« Reply #3 on: August 21, 2017, 09:52:24 am »

IP Address   104.237.142.38 - 2 other sites hosted on this server     
IP Location   United States - New Jersey - Pomona - Linode Llc



Offline M3RLIN

Re: Penetration Test on Beemaster ?
« Reply #4 on: August 21, 2017, 09:56:00 am »
104.237.142.38


This takes me to beefreaks....weird

Offline M3RLIN

Re: Penetration Test on Beemaster ?
« Reply #5 on: August 21, 2017, 10:03:19 am »
http://beefreaks.com/wp-login.php

Another easy to find login......

Offline M3RLIN

Re: Penetration Test on Beemaster ?
« Reply #6 on: August 21, 2017, 10:17:21 am »
Guys....giving the attacker a warning isn't gonna stop your site getting wrecked.....

So basically I found where your software sucks....

I can insert complete BS into the browser and it accepts it.

For example: https://beemaster.com/forum/index.php?instructDeceptaconHere0101010

As a link still works. That should be an error or something. I could put a million lines of code in there.

Anyways: thanks for the warning, and lucky I'm not malicious. Out.

P.S. Your Mod powers should have had this account closed and me banned by now. So yeah...

Offline M3RLIN

Re: Penetration Test on Beemaster ?
« Reply #7 on: August 21, 2017, 10:58:38 am »
https://beemaster.com/archive/

This is actually pretty neat. I like it.

Offline eivindm

  • Global Moderator
  • Field Bee
  • *******
  • Posts: 707
  • Gender: Male
    • Eivind's page
Re: Penetration Test on Beemaster ?
« Reply #8 on: August 21, 2017, 11:52:24 am »
I had initially thought of not replying to you as I don't think you deserve the attention you try to get. But to assure the other members that we are not into deep security issues I will anyways:

1. If you ever place your security in the fact that your admin URL is not easy to guess, you are simply doing it wrong. It is perfectly possible to secure the admin login with other means.

2. The exploit you point to is old, very old in fact. This issue was patched here a long time ago. An exploit to a previous version is not a problem for us. You could at least have checked if our version was affected as we don't even hide our current version. That said, popular software like WordPress and SMF have had many security issues. If you had looked for it you would have found many of them. Running old versions is always a bad idea.

3. Manipulating post counts: We have run this site for many many years. It is not strange we have a high post count.

4. Congratulations. You learned to reverse lookup on DNS and found that the server runs other sites as well. My company runs a two-digit number of sites behind the same IP with a 6-digit number of users. I handle security issues for many of them, and I sleep very well at night.

5. Allowing random parameters to the URL: You mean any random URL parameter should cause a 403 HTTP response, or just a strip off of the parameter with a 302 redirect? Why would this make the site more secure? In order to get a security issue this must be picked up somehow, meaning that either the back end code or the front end code would have to pick it up and evaluate it or print it to the response unescaped. Any code showing data from a parameter should escape the data, no matter if it belongs to a supported parameter or not. Whitelisting parameters won't help for this. In fact, many frameworks auto-escape data like this unless otherwise stated. PHP does not, but any programmer with basic skills should know how to handle this. Try random code at a site like CNN. They don't strip it off with a 302 or give a 403 either. Millions of lines of code to a GET request won't even work: Apache has a default limit of 8K in the header and IIS has 16K, so it is hard to fit millions of lines of code into an 8K header.

I don't appreciate your attitude. You got a warning for a good reason, so handle it and move on. You obviously want to make us mods look bad because of this by finding "security issues". That is a very bad start when you are fairly new to a forum. If you in any way were concerned about the security, you should have approached the admins/mods and given us a heads-up, not posted this in public. That is basic security knowledge. We do in fact appreciate any tip about security issues when it is done with a positive attitude and is meant to help.

I will close this thread now as I don't have any wish to fight you in public. I just replied to assure the users that all is well.
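
Point 5 of the reply above, as an added example that is not part of the thread or of SMF's code: an unknown URL parameter changes nothing because no code reads it, an allowlist does not help when a supported parameter is printed unescaped, and escaping at output handles both. The handler names, the `q` parameter and the sample query strings are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample requests (not taken from any real log).
$samples = [
    // Unknown parameter that no code ever reads.
    'action=search&q=varroa&unknownParam=0101010',
    // Supported parameter whose value carries markup.
    'action=search&q=' . urlencode('<script>alert(1)</script>'),
];

// Read "q" as a string; array-style input (q[]=...) is treated as empty.
function query_term(array $params): string
{
    $q = $params['q'] ?? '';
    return is_string($q) ? $q : '';
}

// Hypothetical handler that prints the parameter without escaping.
function render_unsafe(array $params): string
{
    return '<p>Results for: ' . query_term($params) . '</p>';
}

// Same handler, escaping at the point of output.
function render_escaped(array $params): string
{
    $safe = htmlspecialchars(query_term($params), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>Results for: ' . $safe . '</p>';
}

// Allowlist filter: drops every parameter the application does not know.
function allowlist(array $params, array $known): array
{
    return array_intersect_key($params, array_flip($known));
}

foreach ($samples as $query) {
    parse_str($query, $params);
    $filtered = allowlist($params, ['action', 'q']);

    echo "query:              $query\n";
    // The allowlist removed unknownParam, yet markup in "q" still passes through.
    echo "allowlist, no esc.: " . render_unsafe($filtered) . "\n";
    // No allowlist at all, but the output is inert because it is escaped.
    echo "escaped output:     " . render_escaped($params) . "\n\n";
}
```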