Author | Post | |||
unknown user |
The csrf key does not hold my interest. Nor does the duplicate ID. All valid I guess, but I'm looking for that one thing ... You know ... |
|||
21.04.2008 21:12:22 |
|
|||
theAnswer |
The line break in <DIV CLASS='website'>? User number is not 202 but 203? Something about the nbsp's? No idea. Apparently it's not about clean html code. |
|||
21.04.2008 21:29:51 |
|
|||
unknown user |
Quote from theAnswer: "No idea. Apparently it's not about clean html code." Yeah, I'm being a bit cruel. As you might suspect, it's security related. I didn't post it in the vulnerable code section, because I'm too lazy to generate an exploit. And it's so blatantly obvious ... so round 2: think security |
|||
21.04.2008 21:48:21 |
|
|||
quangntenemy |
OK so it's insecure because it's php? Well maybe you can make it more secure by encrypting the password before sending so that sniffing won't work. But maybe I'm thinking way too hard |
|||
22.04.2008 02:22:19 |
|
|||
Z |
I think it is related to the "name='csrf_key' VALUE='xxxx' .." part, but dunno what you can do with this... |
|||
22.04.2008 07:40:01 |
|
|||
unknown user |
Oh come on. Some of the members here must have developed a serious website? |
|||
22.04.2008 07:44:29 |
|
|||
quangntenemy |
Hmm maybe lack of meta tags for SEO? |
|||
22.04.2008 08:34:32 |
|
|||
unknown user |
SEO has rarely ever interested me. |
|||
22.04.2008 10:09:00 |
|
|||
DigitalAcid |
SQL injection? Or change the method='post' to method='get'? 8-) |
|||
22.04.2008 10:56:04 |
|
|||
theAnswer |
/css.css, /favicon.ico, /login.php etc. The slashes are waste... |
|||
22.04.2008 11:07:11 |
|