Author | Post | |||
unknown user |
you guys are killing me here. |
|||
22.04.2008 11:17:47 |
|
|||
Visualq |
I do develop websites on a regular basis, but the fact that this code is exploitable makes me wanna revise my own code once I know what's wrong with it. (which I don't) |
|||
22.04.2008 14:42:47 |
|
|||
unknown user |
Yeah, it pains me that all the geeks here don't immediately spot this, while it's them who will be writing websites all over the globe. But hey, if nobody knows, ... I guess it's safe. |
|||
22.04.2008 15:07:54 |
|
|||
unknown user |
so we are all done guessing? |
|||
22.04.2008 20:58:29 |
|
|||
sniperkid |
tbh i've never messed a site up before....well not intentionally |
|||
22.04.2008 21:03:38 |
|
|||
MonkeyMan2000 |
Would it happen to be with the value of the checkbox or something to do with the classes? This is a hard puzzle, and would love to hear the result. |
|||
22.04.2008 21:04:47 |
|
|||
unknown user |
Well, the title tag of this website Quote: <title>TheBlacksheep at www.bright-shadows.net: Internet Security Challenges, Network security, Computer security - Community</title> has this rather interesting part "Internet Security Challenges" in its title, so it's allowed to be hard. (Btw internet security got a lot more complex since most of the challenges here were written. Somebody should upgrade that category to this century, and the web2.5 stuff and beyond.) Bah, I'm always taking flack for releasing information, I'm going to make you guys sweat for it a bit more. Who knows, perhaps somebody will come round and get it. The checkbox, however, is not what I'm after. You guys have been fishing pretty methodically, mentioning pretty much everything that is there and some things that aren't; |
|||
22.04.2008 21:37:11 |
|
|||
quangntenemy |
Ah. Found it! The code uses single quotes instead of double quotes. It poses an XSS threat because many people tend to filter out double quotes to prevent XSS but forget to filter single quotes also. If you have a look at xssed.com you'll see it's a very common mistake. |
|||
23.04.2008 00:50:14 |
|
|||
unknown user |
You did not find it. However, what you are saying is true, though I already mentioned that, and they said they "fixed" that. Look here: http://bright-shadows.net/forum/forum_showtopic.php?topicid=3000 Despite what people like to believe, I'm not attention whoring the same issue twice. This issue is because people don't use the ENT_QUOTES, and for some reason it's not default. Some people know this, others just think magic_quotes fixes all. Furthermore it is true that the current standard states that all tags are lowercase, and you use the " for the values. Yet this doesn't interest me as much today. I'm looking for a problem concerning security that I haven't mentioned yet. So go, Round 3 |
|||
23.04.2008 02:26:11 |
|
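Added example, not part of any post in this thread and not the challenge's code: the single-quote and ENT_QUOTES point from the two posts above, shown by escaping one value with each htmlspecialchars() flag set and placing it in a single-quoted and a double-quoted attribute. The field name `nick` and the sample input are constructed for the illustration.

```php
<?php
// Added example: which htmlspecialchars() flag sets keep a value inside
// its attribute, for each quote style. Field name and input are constructed.

function render_input(string $value, int $flags, string $quote): string
{
    $escaped = htmlspecialchars($value, $flags, 'UTF-8');
    return "<input name={$quote}nick{$quote} value={$quote}{$escaped}{$quote}>";
}

function is_contained(string $value, int $flags, string $quote): bool
{
    // Contained only if the attribute delimiter cannot appear in the escaped value.
    return strpos(htmlspecialchars($value, $flags, 'UTF-8'), $quote) === false;
}

// Constructed input containing both quote characters.
$value = "a' b=\" c";

$flagSets = [
    'ENT_NOQUOTES' => ENT_NOQUOTES, // escapes neither quote character
    'ENT_COMPAT'   => ENT_COMPAT,   // escapes " only; the default before PHP 8.1
    'ENT_QUOTES'   => ENT_QUOTES,   // escapes both " and '
];

foreach ($flagSets as $name => $flags) {
    foreach (["'", '"'] as $quote) {
        printf(
            "%-12s delimiter %s  %-9s  %s\n",
            $name,
            $quote,
            is_contained($value, $flags, $quote) ? 'contained' : 'BREAKS',
            render_input($value, $flags, $quote)
        );
    }
}
```

Only ENT_QUOTES keeps the value contained under both delimiters; ENT_COMPAT holds for double-quoted attributes and fails for single-quoted ones.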
|||
DigitalAcid |
I guess the "Bind IP" thing could be exploitable. |
|||
23.04.2008 10:19:43 |
|