1066 archery club website

Discuss the many weaknesses of browser security and ways to mitigate the threat

Post by timeout on Tue Dec 15, 2009 9:03 am

Post by timeout on Mon Dec 14, 2009 5:59 pm
can you guys try and hack it for me.

i will ask that in the spirit of me asking that if you do get in then just leave a small note and then tell me how you got in and how i can combat it in the future.

i am a newbie on here and am finding it both exciting and informative both from the hacking side and the security side of things.

if anyone wants to give it a go then feel free to try and as said let me know the outcome and fixes.

please no destructive hacks though guys, i'm here to learn too and i don't want the site perm knackered lol.

and for the mods, i am in charge of the website, henceforth i'm asking.

if a mod needs any further info then please pm me.





sorry goatboy i've just got in after work, i've added to the source code and here's a link to the site

http://www.1066archery.co.uk

hope that's ok for you m8.

Re: 1066 archery club website

Post by sandsphinx on Tue Dec 15, 2009 12:19 pm

Your website isn't really that vulnerable at all, i didn't find anything that led me to believe it was vulnerable, this is because the website is static, it really tbh hasn't got much code that can be vulnerable, i see that you have copied every .css and images and javascript.js into /page2/ which is weird, i don't understand why you didn't have it just go from ../javascript.js?
After i scanned your site, you have a few ports open, but i'm not that educated in rooting the server, thus i can't do anything with this, i can tell others who will see this that ports:

PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
25/tcp open smtp Imail smtpd
|_ smtp-commands: EHLO fatpromotions.com says hello, SIZE 0, 8BITMIME, DSN, ETRN, AUTH LOGIN CRAM-MD5, AUTH LOGIN, AUTH=LOGIN, EXPN
80/tcp open http Microsoft IIS webserver 6.0
|_ html-title: 1066 Archery Club : About The Club
110/tcp open pop3-proxy AVG pop3 proxy 8.5.401/8.5.427
|_ pop3-capabilities: USER EXPIRE(30 USER) UIDL TOP RESP-CODES PIPELINING IMPLEMENTATION(Ipswitch IMail 8 25) LOGIN-DELAY(120) SASL(LOGIN PLAIN CRAM-MD5)
143/tcp open imap IMail imapd 9.23
|_ imap-capabilities: IMAP4rev1 IMAP4 AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5
465/tcp closed smtps
587/tcp open submission?
|_ smtp-commands: EHLO fatpromotions.com says hello, SIZE 0, 8BITMIME, DSN, ETRN, AUTH LOGIN CRAM-MD5, AUTH LOGIN, AUTH=LOGIN, EXPN
8383/tcp open http Microsoft IIS webserver 6.0
10000/tcp open http Apache httpd


I will look into your submission? port, i've never seen one of them before, i hear it's another SMTP port?
Um, i would say right now it's pretty safe, but once you integrate PHP into it, and open javascript or directories, then you will become a little less safe. There has to be a way to exploit this site, i just haven't found it yet. Someone will find a way don't worry... :D

PS: i noticed you had a robots.txt in your site, anyone know how to view that file?

Re: 1066 archery club website

Post by faazshift on Tue Dec 15, 2009 12:49 pm

Yeah, it looks pretty safe. I didn't see any robots.txt file, just a robots metadata directive. Besides the inherent issues with non-encrypted ftp, it looks like the most potentially vulnerable part is the urchin cgi on port 10000. Just make sure all usernames and passwords for both ftp and urchin are secure and you are probably pretty safe. As far as I can tell, IIS 6 isn't all that vulnerable (though I would rather trust apache any day). This looks pretty safe, but maybe there is a way somehow, who knows.

Re: 1066 archery club website

Post by timeout on Tue Dec 15, 2009 1:23 pm

cheers m8, passwords and logins are as secure as i can get them so hopefully it'll be all ok.

thanks for trying.

Re: 1066 archery club website

Post by yourmysin on Thu Dec 17, 2009 10:34 pm

I would like to point out something:

Previously the rule was never to allow websites to be posted with request for hacking. Providing a comment as goatboy indicated seems to provide verification that the website is, as you suggest, your own.

This is Not an accurate means of authentication and should not be followed. What if, for instance, the user was able to gain write access to the site's source code, or maybe was even able to social engineer the true owner to add that comment?
A+, Network+, MCTS(70-620), Security+, CCNA

Re: 1066 archery club website

Post by Goatboy on Thu Dec 17, 2009 10:38 pm

yourmysin wrote: I would like to point out something:

Previously the rule was never to allow websites to be posted with request for hacking. Providing a comment as goatboy indicated seems to provide verification that the website is, as you suggest, your own.

This is Not an accurate means of authentication and should not be followed. What if, for instance, the user was able to gain write access to the site's source code, or maybe was even able to social engineer the true owner to add that comment?

If that's the case, the site is already compromised and it is a moot point. You make a good case, but it's impractical to verify things to such an extreme.
Assume that everything I say is or could be a lie.

Re: 1066 archery club website

Post by timeout on Fri Dec 18, 2009 7:28 am

yourmysin wrote: I would like to point out something:

Previously the rule was never to allow websites to be posted with request for hacking. Providing a comment as goatboy indicated seems to provide verification that the website is, as you suggest, your own.

This is Not an accurate means of authentication and should not be followed. What if, for instance, the user was able to gain write access to the site's source code, or maybe was even able to social engineer the true owner to add that comment?


sorry if i caused any arguments, that was not my intention.

as i said i'm a noob and just complied with what i was instructed to do.

if it is against the rules then please remove all offending posts.

thanks

Re: 1066 archery club website

Post by faazshift on Fri Dec 18, 2009 11:27 am

timeout wrote: sorry if i caused any arguments, that was not my intention.

as i said i'm a noob and just complied with what i was instructed to do.

if it is against the rules then please remove all offending posts.

thanks

No, you're fine. As goatboy said, this method of verification is perfectly reasonable.

Re: 1066 archery club website

Post by tgoe on Thu Dec 24, 2009 10:25 pm

I kinda agree with yourmysin that this sort of thing could be bad. Suppose someone does hack a site and posts a request here pretending to be the owner... suddenly an illegally hacked computer's logs are full of Referer:hts and hts user ip addresses :(


Having said that... I actually took a look xD
Even though your site is completely static, php is installed and is active. That's probably a bad idea too. Turn off everything that you don't need.
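
Added example, not part of any post in this thread: a small Python audit that applies faazshift's point about unencrypted logins and tgoe's advice to turn off what is not needed to the scan output sandsphinx posted. The allowlist (port 80 only) and the set of services treated as cleartext logins are assumptions of the example, not settings taken from the site.

```python
import re
# Excerpt of the scan output posted in this thread (hostname lines omitted).
SCAN = """\
21/tcp open ftp Microsoft ftpd
80/tcp open http Microsoft IIS webserver 6.0
110/tcp open pop3-proxy AVG pop3 proxy 8.5.401/8.5.427
|_ pop3-capabilities: USER EXPIRE(30 USER) UIDL TOP RESP-CODES PIPELINING IMPLEMENTATION(Ipswitch IMail 8 25) LOGIN-DELAY(120) SASL(LOGIN PLAIN CRAM-MD5)
143/tcp open imap IMail imapd 9.23
|_ imap-capabilities: IMAP4rev1 IMAP4 AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5
465/tcp closed smtps
10000/tcp open http Apache httpd
"""

ALLOWED_PORTS = {80}  # assumption: a static site only needs HTTP
CLEARTEXT_LOGIN = {"ftp", "telnet", "pop3", "pop3-proxy", "imap", "smtp"}  # assumed policy
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # mechanisms that send the password itself
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+(\S+)\s+(\S+)")
SCRIPT_RE = re.compile(r"^\|_?\s*([\w-]+):\s*(.*)$")

def parse_scan(text):
    """Parse an nmap service table; script lines attach to the port above them."""
    services = []
    for line in text.splitlines():
        if (m := PORT_RE.match(line)):
            services.append({"port": int(m[1]), "state": m[2], "service": m[3], "scripts": {}})
        elif services and (s := SCRIPT_RE.match(line)):
            services[-1]["scripts"][s[1]] = s[2]
    return services

def plaintext_mechs(value):
    """Plaintext mechanisms advertised as AUTH=X or SASL(X Y ...)."""
    mechs = set(re.findall(r"AUTH=([\w-]+)", value))
    for group in re.findall(r"SASL\(([^)]*)\)", value):
        mechs.update(group.split())
    return sorted(mechs & PLAINTEXT_MECHS)

def audit(services, allowed=ALLOWED_PORTS):
    """Return (port, finding) pairs for open ports only."""
    findings = []
    for svc in (s for s in services if s["state"] == "open"):
        if svc["port"] not in allowed:
            findings.append((svc["port"], "not on allowlist"))
        if svc["service"] in CLEARTEXT_LOGIN:
            findings.append((svc["port"], "cleartext login protocol"))
        for value in svc["scripts"].values():
            if (mechs := plaintext_mechs(value)):
                findings.append((svc["port"], "plaintext auth: " + ",".join(mechs)))
    return findings

print(*audit(parse_scan(SCAN)), sep="\n")
```

CRAM-MD5 is not flagged because it is a challenge-response mechanism; the check only reports mechanisms that put the password itself on the wire.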


Re: 1066 archery club website

Post by sanddbox on Thu Dec 24, 2009 11:05 pm

tgoe wrote: I kinda agree with yourmysin that this sort of thing could be bad. Suppose someone does hack a site and posts a request here pretending to be the owner... suddenly an illegally hacked computer's logs are full of Referer:hts and hts user ip addresses :(

Yes, that would be bad. But if the site is already hacked it doesn't matter. HTS Users enter the website at their own risk.

HTS User Composition:
95% Male
4.98% Female
.01% Monica
.01% Goat