2 entries with this tag
Hundreds of thousands -- and possibly millions -- of websites have been hit with a cyberattack that some are calling "one of the biggest mass-injection attacks we've ever seen."
A huge SQL injection attack is happening right now. Continue reading "LizaMoon - a Mass-Injection Cyberattack"
... is some weird kind of minimalistic hipster CMS for designers, artists, grandmas and all kinds of hip people. I won't put a link up here, for PageRank reasons and because, as the title says, it's a piece of crap! People who know me know that I don't have any respect for that hipster/artsy field. Anyhow, when I first saw a website built with it I thought "lol, I have to take a look at that thing's source code". So I downloaded the "latest" (see below) release and started laughing. This is my top 7 list of reasons why I strongly advise you, or any intelligent individual, not to use this piece of software.
It seems to me that some kid or a female designer wrote this stuff, because every line of code, as banal as you can imagine it, is commented (I'm serious!). OK, I'm a fan of documentation, but the comments are somewhat childish. You can jump to a conclusion about this software yourself. Here are my favourites:
The software is totally deprecated. I'm not even talking about the use of the (very) old mysql extension in PHP. No! The software is so old that I cannot even install it on my Windows machine with the newest XAMPP version. And even after 30 minutes of fiddling I get around 3-4 deprecated notices on each page.
The software seems to follow some paradigms (some pseudo object-oriented structure) but fails in the implementation (illogical). There are also a number of don'ts and some general errors in reasoning.
A few examples: I really don't understand this reference; if someone could explain this variable to me, I'd be pleased. (And this comment is also funny because it proves my point that EVERYTHING is commented...) On-the-fly array initialisation ($adm = null; before); every C/C++ programmer's brain would probably explode at this point at the latest. And just another fail: oh, speaking of which, set_magic_quotes_runtime is also deprecated, but this one is simply a design fail.
The latest version was released back in 2008. The forum is not really active, so you cannot really call it a community. There are no coding guidelines whatsoever. But amazingly there are still people using it.
I'll just say this: applying an XHTML 1.0 Transitional doctype to an HTML template does not make it XHTML 1.0 Transitional!!!
The install.php script remains on the server; there are no checks whether it has been renamed or deleted. You can easily overwrite the site's configuration file with your own rogue MySQL server. I tested around 50 Indexhibit pages and on 70% of them the install.php file was still on the webspace. The reason for this is that the people who actually use this CMS are hipsters and don't know anything about tech at all.
While exploiting the login procedure itself turned out to be very tricky because of very restrictive regexes, you can see that it is completely cookie-based, and an attacker could steal the cookie and use it to authenticate as an administrator. There is no User-Agent or IP validation. There is only a two-day cookie lifetime, which is not stored in the database, so you could use an old cookie to authenticate yourself.
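As an added example (this is not Indexhibit's code and not from the post), here is what server-side session handling looks like in Python with SQLite: the session record, its expiry and a revocation flag live in the database, so a stolen or stale cookie stops working after logout or after the two days instead of staying valid for as long as it is replayed. The table layout, token format and function names are this example's own assumptions.

```python
import hashlib
import os
import sqlite3

# Two days, the cookie lifetime the post mentions; here it is enforced on the
# server from the stored expiry, not trusted from the cookie itself.
SESSION_TTL = 2 * 24 * 3600


def make_store():
    """Constructed in-memory session table (assumed layout, not Indexhibit's)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE sessions ("
        "  token_hash TEXT PRIMARY KEY,"
        "  user TEXT NOT NULL,"
        "  expires INTEGER NOT NULL,"
        "  revoked INTEGER NOT NULL DEFAULT 0)"
    )
    return db


def _token_hash(token):
    # Only a hash is stored: a dump of this table does not yield usable cookies.
    return hashlib.sha256(token.encode()).hexdigest()


def login(db, user, now):
    """Create a session and return the random token that goes into the cookie
    (Set-Cookie: session=<token>; HttpOnly; Secure; SameSite=Lax)."""
    token = os.urandom(32).hex()  # 256 bits of CSPRNG output, unguessable
    db.execute(
        "INSERT INTO sessions (token_hash, user, expires, revoked) VALUES (?, ?, ?, 0)",
        (_token_hash(token), user, now + SESSION_TTL),
    )
    return token


def authenticate(db, token, now):
    """Return the user for a presented cookie token, or None if the session is
    unknown, expired or revoked. Unlike a client-side lifetime, an old cookie
    cannot be replayed past the stored expiry."""
    row = db.execute(
        "SELECT user, expires, revoked FROM sessions WHERE token_hash = ?",
        (_token_hash(token),),
    ).fetchone()
    if row is None:
        return None
    user, expires, revoked = row
    if revoked or now > expires:
        return None
    return user


def logout(db, token):
    """Revoke server-side; the cookie value becomes worthless immediately."""
    db.execute(
        "UPDATE sessions SET revoked = 1 WHERE token_hash = ?",
        (_token_hash(token),),
    )


if __name__ == "__main__":
    db = make_store()
    t0 = 1_300_000_000  # constructed "now" so the run is deterministic
    cookie = login(db, "admin", t0)
    print(authenticate(db, cookie, t0 + 3600))             # admin
    print(authenticate(db, cookie, t0 + SESSION_TTL + 1))  # None (expired)
    logout(db, cookie)
    print(authenticate(db, cookie, t0 + 3600))             # None (revoked)
    print(authenticate(db, "00" * 32, t0))                 # None (never issued)
```

Binding a session to the User-Agent or the client IP, which the post notes is missing, is a weaker control than the server-side record above: both change legitimately (mobile clients, proxies) and both are copied along with the cookie by anyone who can read it. Rotating the token after login and on privilege changes is the other half of the fix.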
Yes, it's 2011. We read about data leaks every day, so you would think there would be some SQL injection awareness by now, even on the hipster side of the planet. But unfortunately, already in the routing process in /index.php there is a SQL injection vulnerability:
I like the //clean up the uri comment; it could almost be read as irony.
You could easily request:
/index.php?'=''AND(SELECT/*a*/*/*a*/FROM/*a*/ndxz_users/*a*/INTO/*a*/OUTFILE/*a*/'/www/yourpath/ndxz-studio/data.txt')/*a*/AND/*a*/''=' and dump the user database to a file, or do any of the other nasty things you can do with a SQL injection.
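As an added example, not code from Indexhibit or from the post, the following Python/SQLite snippet rebuilds the pattern behind that request: the routing concatenates the raw query string into a quoted literal (that it does exactly this is an assumption; the post only shows that the query string reaches the SQL unescaped), so a leading quote closes the literal, the /*a*/ comments stand in for whitespace the attacker avoids, and a trailing ''=' re-balances the quotes. SQLite has no INTO OUTFILE, so the payload here pulls the user table into the page's own result through a UNION rather than writing it to a file; the table names, columns and sample rows are constructed for the demo. The fixed version binds the input as a parameter.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the CMS's MySQL tables.
    Table and column names are assumptions for this demo, not Indexhibit's schema."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE pages (url TEXT, title TEXT);
        INSERT INTO pages VALUES ('about', 'About'), ('work', 'Work');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        """
    )
    return db


def vulnerable_sql(query_string):
    """Routing that drops the raw query string into a quoted literal.
    A single quote in the input ends the literal and everything after it is SQL."""
    return "SELECT title FROM pages WHERE url = '" + query_string + "'"


def route_vulnerable(db, query_string):
    """Look up the page the way the broken routing would."""
    return [row[0] for row in db.execute(vulnerable_sql(query_string))]


def route_fixed(db, query_string):
    """Same lookup with a bound parameter: the input is data, never SQL,
    so quotes and comment sequences in it are matched literally."""
    return [
        row[0]
        for row in db.execute(
            "SELECT title FROM pages WHERE url = ?", (query_string,)
        )
    ]


# Same shape as the payload in the post: leading quote closes the literal,
# /*a*/ replaces every space (SQL treats a block comment as whitespace),
# and the trailing ''=' joins with the routing's closing quote to form ''=''.
# A UNION into the result stands in for MySQL's INTO OUTFILE here.
PAYLOAD = (
    "'/*a*/UNION/*a*/SELECT/*a*/username||':'||password"
    "/*a*/FROM/*a*/users/*a*/WHERE/*a*/''='"
)


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_sql(PAYLOAD))
    print("vulnerable:", route_vulnerable(db, PAYLOAD))  # leaks admin:<hash>
    print("fixed:     ", route_fixed(db, PAYLOAD))       # []
    print("fixed:     ", route_fixed(db, "about"))       # ['About']
```

Escaping with the driver's quoting function would block this particular payload, but the structural fix is the parameterised query: the route value never becomes part of the statement text, so neither quotes nor comments in the URI change what the query does.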
DO NOT USE IT!
PS: Dear hipsters, why is small black (8-9px) text on a white page, with a dotted border-bottom hover state, so damn cool?