How Secure is your application?

HT, JF-Expert Member, Jul 29, 2011
Many here try coding, and reading from forum posts it seems people are enthusiastic of learning programming web apps.
Funny, or rather a pity, it is to see them either knowingly or unknowingly ignore the design part, especially security. Holes can be found in many apps, even trusted ones. Here is a vivid example from our beloved JF, just one of the issues with many Tanzanian (and of course other countries') apps. Either negligence or ignorance!

Server information for JF (some is hidden for ethical reasons, since I wanted this to be just an example, not to expose JF to risk):
Apache Version Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.16
Apache API Version 20051115
Server Administrator webmaster@jamiiforums.com
Hostname:port jamiiforums.com:0
User/Group xxxxxxxx
Max Requests Per Child: 650 - Keep Alive: on - Max Per Connection: 100
Timeouts Connection: 300 - Keep-Alive: 5
Virtual Server Yes
Server Root /usr/local/apache

So the question is, how secure is your app?
 
Ok, so where is the security hole? That is just basic server info.
 
To the best of my security knowledge I don't really see any serious security holes here, as far as JF's code is concerned. AFAIK, JF is running on vBulletin. Did you notice any holes from its core code or plugins that would signal any alarms? Why don't you share those vulnerabilities? And are you talking about server security or webapps? I was hoping you would put down a relevant example from an actual webapp or something like that.

I believe most JF members (especially in the tech forums) are genuinely enthusiastic individuals, ready to learn new tricks and inspire others as well. Some are just honest individuals, looking for solutions to their technology-related problems, believing that JF has experienced members who can answer their questions. Some are just critics. Some are just looking for a good read. Everyone is getting their share; it depends on what you are looking for! Be smart about that when at it!

As far as programming is concerned, holes or bugs are irresistible to say the least. Not only because of ignoring the "design parts" as you put it, but in many cases by attempting to follow it as it is. Programming best practices are better learnt from experienced programmers. Forums only provide the platform for these groups to meet, the experienced and the not.

I don't work for JF, but I challenge you to post these "security holes" here or at least describe them to prove your point. Or maybe at least let us know why you think the server info you posted is a security concern. Thank you.
 
Duh! First of all, you have all missed my point! It wasn't attacking JF but the security of our apps. As far as JF is concerned, exposing server config and variables widens the attack surface. I cannot post all the info, but I will PM the Mods and once they assure me I can proceed, I will post. Meanwhile, let us discuss: how secure is your app?
 
Another thing: even vBulletin can be hacked, as you have said; nothing is 100% secure. E.g. those still using version 3 can easily be hacked. The best part of VB is that holes are fixed quickly!
 

Chief, you clearly love knowing how things work. Young man, you truly are a hacker.
 

You said this is a vivid example, but your data shows no holes; simply knowing what versions of software they run is not a security hole. You should have shown:
A) that those versions have known security holes, and
B) that those holes have not been fixed on JF.

Basically you have nothing.
 
Hahaaa! You are too critical and you have missed the point.
Now that Invisible has fixed things, we can discuss. As developers we forget things that expose us to security problems. The installation folder used by JF was not deleted/restricted from direct access. Though somehow one could not access install.php, one could access upgrade.php.
The file requires a user/customer number, so as you can see, security has been narrowed down to the customer number. I'm not familiar with the VB customer number, but someone using VB may well be familiar with it and could run a brute-force attack for a number of days and might well penetrate the site.

Another dangerous thing is a file test.php that the coder forgot to delete, which provided not only server info but some FTP info. Although it was not a very big deal, it gives the hacker a clue about the whole environment settings of the server, and hence a starting point and basic info he should not have. So again, someone serious would use the information as a starter.

Security-wise JF is very strong (well updated), but in security one finds the weakest point to penetrate the system. If you are strong but you introduce surfaces like the above, you weaken the strength of your system...
Enough for now :)
HT
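The leftovers described in this post (an installer directory left reachable, a forgotten test.php dumping phpinfo and FTP details) are the kind of thing a developer can catch with a pre-deployment audit of the document root. Below is an added example of such an audit, not code from the thread or from vBulletin; the file names, leak patterns and the sample web root it builds are constructed assumptions for demonstration.

```python
"""Audit a PHP web root for deployment leftovers: installer/upgrade scripts,
stray test files, and files that dump server config or embed FTP details.
Added example, not code from the thread or from vBulletin."""
import re
import tempfile
from pathlib import Path

# File names that should never remain in a production document root (assumed list).
LEFTOVER_NAMES = {"install.php", "upgrade.php", "test.php", "phpinfo.php", "info.php"}
LEFTOVER_DIRS = {"install", "installer", "setup"}
# Patterns that turn an innocuous-looking file into an information leak.
LEAK_PATTERNS = {
    "phpinfo_call": re.compile(r"\bphpinfo\s*\(", re.I),
    "ftp_credentials": re.compile(r"ftp_(?:login|connect)\s*\(|\$ftp_(?:user|pass|host)\b", re.I),
    "server_dump": re.compile(r"print_r\s*\(\s*\$_SERVER\b", re.I),
}

def audit_webroot(root):
    """Return a sorted list of (relative_path, reason) findings under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_dir():
            if path.name.lower() in LEFTOVER_DIRS:
                findings.append((rel, "installer directory still present"))
            continue
        if path.name.lower() in LEFTOVER_NAMES:
            findings.append((rel, "leftover deployment script"))
        if path.suffix.lower() in {".php", ".inc", ".phtml"}:
            text = path.read_text(errors="replace")
            for reason, pattern in LEAK_PATTERNS.items():
                if pattern.search(text):
                    findings.append((rel, reason))
    return sorted(findings)

def build_sample_root(base):
    """Constructed sample web root (not a real site) for demonstration."""
    base = Path(base)
    (base / "install").mkdir()
    (base / "install" / "upgrade.php").write_text("<?php require 'core.php'; // upgrade\n")
    (base / "test.php").write_text("<?php phpinfo(); $ftp_user = 'deploy'; ftp_login($c, $ftp_user, $p);\n")
    (base / "index.php").write_text("<?php echo 'hello';\n")
    return base

def demo():
    """Audit the constructed sample root in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_webroot(build_sample_root(tmp))
```

Run it against a real document root with `audit_webroot("/path/to/docroot")` before a release; anything it reports should be deleted or denied in the web server config.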
 
And Invisible is very responsive...bravo Mr. Robot!
 

HT,

This makes more sense now. I would say this type of information would only make one interested in digging deeper for serious/actual server vulnerabilities, but it doesn't really expose vBulletin's vulnerabilities. If you have the time, you can obtain this information with the help of other hacking tools. I don't have the time to do a nikto and nmap scan on JF at the moment, but if you know what I am talking about, try it and see if there is anything interesting. Maybe we can extend this topic and help JF developers in the process.
 
whizkid,
Glad you got my point now.
Now let us discuss how secure the many apps coded here in our land are. There is another site being coded, as far as I can see, where you can not only see files but download them as well. Why is it that our web apps (apart from spoon-fed ones like Drupal, Joomla et al.) are insecure?
Coders, how secure is your application?
 
whizkid,
I wanted to do port scanning but time was not on my side either. It is good and encouraging, though, to see the JF admin try to keep up with the latest VB, which reduces security flaws. There aren't many sites with the same spirit.
 