
Thread: passwords

  1. #1
    Senior Member solidgold's Avatar
    Join Date
    Jun 2006
    Posts
    766
    Member #
    13373
    Please would somebody try to gain access to my little password-protected page? If you get in, tell me what the message is and also how you did it.
    This sounds like a weird game, but I want to see how effective my password protection script is!
    http://ebook.aesthetic-design.co.uk/password.html

  3. #2
    Senior Member Eddy Bones's Avatar
    Join Date
    Jan 2004
    Location
    Washington, USA
    Posts
    1,054
    Member #
    4651
    Probably wouldn't be able to hack it even if we wanted to:
    Warning: Cannot modify header information - headers already sent by (output started at /home/www/ebook.aesthetic-design.co.uk/check.php:9) in /home/www/ebook.aesthetic-design.co.uk/check.php on line 14

  4. #3
    Senior Member solidgold's Avatar
    Join Date
    Jun 2006
    Posts
    766
    Member #
    13373
    Haha, grand.
    It only works if you get the password right!

  5. #4
    Senior Member leprechaun13's Avatar
    Join Date
    May 2005
    Location
    Northampton
    Posts
    487
    Member #
    10058
    Hurmm, let me see... you've foiled my methods of using the CuteFTP manual download feature.
    Regards Phil,


  6. #5
    Senior Member leprechaun13's Avatar
    Join Date
    May 2005
    Location
    Northampton
    Posts
    487
    Member #
    10058
    Very good system; I can't get in by any means I can think of.
    Regards Phil,


  7. #6
    Senior Member filburt1's Avatar
    Join Date
    Jul 2002
    Location
    Maryland, US
    Posts
    11,774
    Member #
    3
    Liked
    21 times
    It might not help me, but you should at least have it display a proper error message ("access denied").

    I have an attack in mind where there's a high degree of probability for success given it exploits a very common and very dangerous bug people make, but without even a useful error message...
    filburt1, Web Design Forums.net founder
    Site of the Month contest: submit your site or vote for the winner!

  8. #7
    Senior Member solidgold's Avatar
    Join Date
    Jun 2006
    Posts
    766
    Member #
    13373
    To be honest, I'm surprised that it's foiled so many people! It's at least confirmed that it's alright for protecting stuff.

  9. #8
    Senior Member filburt1's Avatar
    Join Date
    Jul 2002
    Location
    Maryland, US
    Posts
    11,774
    Member #
    3
    Liked
    21 times
    It hasn't foiled anybody as I interpret it because it's broken. A fatal PHP error doesn't mean somebody was denied access, it means instead your code did one level better than outright crashing (not possible with a PHP script).

    I'll make actual white-hat attempts to break in once there are two possibilities for entering a password:
    1. The correct password is entered, and whatever message that's relevant is displayed.
    2. An incorrect password is entered, and an "access denied" or similar message appears, not a PHP error.

    Indeed, the PHP warning itself gives hackers better chances at breaking in, particularly with directory traversal attacks, given they now know the exact path to the PHP script in question.
    filburt1, Web Design Forums.net founder
    Site of the Month contest: submit your site or vote for the winner!

  10. #9
    Senior Member solidgold's Avatar
    Join Date
    Jun 2006
    Posts
    766
    Member #
    13373
    Sounds like somebody is getting frustrated...

    The PHP error is fake! It's just to wind people up, to be honest! If you get an error, you automatically start to give up.

  11. #10
    Senior Member filburt1's Avatar
    Join Date
    Jul 2002
    Location
    Maryland, US
    Posts
    11,774
    Member #
    3
    Liked
    21 times
    It's a matter of usability. A PHP error should never, ever, ever, ever, ever appear on your site, fake or not. Show the user access was denied. All you did is tempt hackers more, thinking they just got a path to your script on the server.

    Anyway, the argument is pointless because proving the security of it doesn't come from random attempts to break in, but rather seeing how the code works, or at least general concepts (checking against a database, a file, a hard-coded string, etc.).

    And worst of all, it's not over SSL, so the point is moot if somebody sniffs the packets.

    (Yes, WDF v5 isn't over SSL either, and I qualified that with "v5" for a reason)
    filburt1, Web Design Forums.net founder
    Site of the Month contest: submit your site or vote for the winner!
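
The behaviour filburt1 asks for in posts #8 and #10 (a plain "access denied" for a wrong password, no PHP error or server path in the response, HTTPS only), as an added example that is not solidgold's script or any poster's code. The `PAGE_PASSWORD_HASH` environment variable, the `authenticated` session key and the `protected.php` redirect target are assumptions.

```php
<?php
// check.php (added example; not the script discussed in the thread)
declare(strict_types=1);
// Keep PHP warnings, and the server paths they contain, out of the response.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

function check_password(string $submitted, string $storedHash): bool
{
    // An unset hash or empty input is a denial, never a match.
    if ($storedHash === '' || $submitted === '') {
        return false;
    }
    return password_verify($submitted, $storedHash);
}

function respond(int $status, string $message): void
{
    // Same short plain-text body for every failure: no paths, no hints.
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    echo $message;
    exit;
}

// Assumption: the hash was produced once with password_hash() and is
// supplied through an environment variable named PAGE_PASSWORD_HASH.
$storedHash = getenv('PAGE_PASSWORD_HASH') ?: '';

if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    respond(405, 'Method not allowed');
}
// Refuse plain-HTTP submissions; the form page must be served over HTTPS too.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    respond(403, 'Access denied');
}

$submitted = $_POST['password'] ?? '';
if (!is_string($submitted) || !check_password($submitted, $storedHash)) {
    error_log('check.php: failed password attempt'); // server log only
    respond(403, 'Access denied');
}

// All decisions were made before any output, so headers can still be sent.
session_start();
session_regenerate_id(true);
$_SESSION['authenticated'] = true; // hypothetical key read by protected.php
header('Location: protected.php', true, 303);
exit;
```

Because nothing is echoed before the final `header()` call, the "headers already sent" warning quoted in post #2 cannot occur on the success path, and any other warning goes to the server log instead of the page.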

