HTML security, hack this!

Original Message
Name: Leo2k7
Date: February 27, 2004 at 18:53:34 Pacific
Subject: HTML security, hack this!
OS: Windows XP Pro
CPU/Ram: P4 2.6 GHz / 1 GB RAM / R
Comment:

https://webspace.utexas.edu/lel65/documents/Test.html

I expect it shouldn't be that hard for the more experienced.
If you can get through, please tell me how you did it.


Oh and I also noticed that if you get rid of the /Test.html part, people can see the list of files on my FTP. How do I stop them from being able to do that? I want them to have to log in to see the files and am testing this encryption program called HTML password pro right now.

What I want is to not even let you see sceduelepic.jpg, test.html or squirrels-superlowres.gif.
I want it to go directly to Test.html if you go to /lel65/documents or /lel65

Is there a way to do it?




Response Number 1
Name: Code One
Date: February 27, 2004 at 19:34:47 Pacific
Subject: HTML security, hack this!
Reply:

To about 95% of people you're safe, but to the other 5% you're screwed and there is nothing you can do about it...

I will try to hack your FTP later, since you gave us permission..

thanks



Response Number 2
Name: Don Arnett
Date: February 27, 2004 at 22:37:23 Pacific
Subject: HTML security, hack this!
Reply:

If your webserver is Apache, there is a setting to not allow people to see the list of files. I don't remember what the setting is called.

If you don't have the option of changing that setting, just put an index.html file in every directory. I would suggest changing Test.html to index.html. That would take care of the /documents directory. Then in the /lel65 directory, put an index.html that does an automatic redirect to the documents directory.



Response Number 3
Name: Leo2k7
Date: February 27, 2004 at 23:40:34 Pacific
Subject: HTML security, hack this!
Reply:

Ok, Test.html has been changed to index.html for those looking for the page to hack.



Response Number 4
Name: anonproxy
Date: February 28, 2004 at 01:20:06 Pacific
Subject: HTML security, hack this!
Reply:

Security through obscurity. I used a debugger. I set one breakpoint, then reloaded the page.

Everything is in the original source file. The page returns to itself when the correct username (USER123) and password (U1TEXAS0) are entered. You just get:
"
This is a test.

testing...
[a bar]

...123
"

You can view the readable code here and read a short explanation of the password (and other) encoding here. I didn't look, but a cookie is probably used to bypass the normal run and give you your prize. The original file in all its convoluted glory is here. Go ahead, login.




Response Number 5
Name: anonproxy
Date: February 28, 2004 at 01:38:19 Pacific
Subject: HTML security, hack this!
Reply:

Somebody else try. Not a lot has changed in index.html. You do get a new message though:

"
Congratulations, you got through ;)

Now please tell me how you did it and how I can prevent it. Thanks!
"

You can't. Nothing is hidden. Your host is running Jakarta - do they support Tomcat (JSP)?



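What checking on the server means for the two problems raised in this thread (the visible file list, and the password that sits in the page source), as an added example that is not part of any post here. Node.js is an assumed stand-in for whatever server-side platform the host offers, and `authenticated`, `respond`, `makeServer`, the `demo` account and the file map are hypothetical names with constructed values.

```javascript
const crypto = require('crypto');
const http = require('http');

// Constructed sample account: only a salted scrypt hash is kept, never the password.
const SALT = crypto.randomBytes(16);
const USERS = new Map([['demo', crypto.scryptSync('constructed-sample-pass', SALT, 32)]]);
const DUMMY = Buffer.alloc(32); // compared against when the user name is unknown

// Constructed sample files standing in for the documents directory.
const FILES = new Map([
  ['/documents/index.html', '<h1>Members page</h1>'],
  ['/documents/schedule.jpg', '(image bytes)'],
]);

// Check an "Authorization: Basic ..." header on the server.
function authenticated(header) {
  if (typeof header !== 'string' || !header.startsWith('Basic ')) return false;
  const decoded = Buffer.from(header.slice(6), 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep < 0) return false;
  const stored = USERS.get(decoded.slice(0, sep));
  // Hash and compare even for unknown users, so both failures take the same path.
  const supplied = crypto.scryptSync(decoded.slice(sep + 1), SALT, 32);
  const match = crypto.timingSafeEqual(supplied, stored || DUMMY);
  return Boolean(stored) && match;
}

// Decide the response for one request. No protected byte enters the response
// until the credentials have been verified here, on the server.
function respond(path, authHeader) {
  if (!authenticated(authHeader)) {
    const headers = { 'WWW-Authenticate': 'Basic realm="documents"' };
    return { status: 401, headers, body: 'Login required' };
  }
  // A directory URL resolves to its index page; a file listing is never generated.
  const file = FILES.has(path) ? path : path.replace(/\/*$/, '') + '/index.html';
  if (!FILES.has(file)) return { status: 404, headers: {}, body: 'Not found' };
  return { status: 200, headers: {}, body: FILES.get(file) };
}

// Wiring into Node's built-in server (not started here). Put TLS in front of it:
// Basic credentials are only base64-encoded in transit.
function makeServer() {
  return http.createServer((req, res) => {
    const r = respond(new URL(req.url, 'http://localhost').pathname, req.headers.authorization);
    res.writeHead(r.status, r.headers);
    res.end(r.body);
  });
}
```

Unlike a page that carries its own password check, a request without valid credentials here receives only the 401 body, so viewing source or stepping through the page in a debugger has nothing protected to reveal.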


Response Number 6
Name: CodeOne
Date: February 28, 2004 at 01:47:41 Pacific
Subject: HTML security, hack this!
Reply:

hahaha,,...

I love it, yeah I took a look at the code and it is funny, like I said (even before looking at your source) 95% will be like WTF!!! and the other 5% will be like WTF LOL!!!!

see the difference?



Response Number 7
Name: Leo2k7
Date: February 28, 2004 at 10:11:19 Pacific
Subject: HTML security, hack this!
Reply:

OOooooh nice job guys. :)



Response Number 8
Name: Code One
Date: February 28, 2004 at 13:08:59 Pacific
Subject: HTML security, hack this!
Reply:

thanks it was rrrreeeeeaaaaallllll hard...lol

