How Secure is your application?

Discussion in 'Tech, Gadgets & Science Forum' started by HT, Jul 30, 2011.

  1. HT

    HT JF-Expert Member

    #1
    Jul 30, 2011
    Joined: Jul 29, 2011
    Messages: 1,899
    Likes Received: 3
    Trophy Points: 0
    Many here try coding, and reading the forum posts it seems people are enthusiastic about learning to program web apps.
    Funny, or rather a pity, it is to see them either knowingly or unknowingly ignore the design part, especially security. Holes can be found in many apps, even trusted ones. Here is a vivid example from our beloved JF, just one of the issues with many sites in Tanzania (and of course other countries). Either negligence or ignorance!

    Server information for JF (some values are hidden for ethical reasons, since I wanted this to be just an example, not exposing JF to risk)

    Apache Version: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.16
    Apache API Version: 20051115
    Server Administrator: webmaster@jamiiforums.com
    Hostname:port: jamiiforums.com:0
    User/Group: xxxxxxxx
    Max Requests: Per Child: 650 - Keep Alive: on - Max Per Connection: 100
    Timeouts: Connection: 300 - Keep-Alive: 5
    Virtual Server: Yes
    Server Root: /usr/local/apache

    So the question is, how secure is your app?
     
  2. Kang

    Kang JF-Expert Member

    #2
    Jul 30, 2011
    Joined: Jun 24, 2008
    Messages: 4,698
    Likes Received: 204
    Trophy Points: 160
    Ok, so where is the security hole? That is just basic server info.
     
  3. whizkid

    whizkid Senior Member

    #3
    Jul 30, 2011
    Joined: Aug 2, 2010
    Messages: 166
    Likes Received: 2
    Trophy Points: 35
    To the best of my security knowledge I don't really see any serious security holes here, as far as JF's code is concerned. AFAIK, JF is running on vBulletin. Did you notice any holes from its core code or plugins that would signal any alarms? Why don't you share those vulnerabilities? And are you talking about server security or webapps? I was hoping you would put down a relevant example from an actual webapp or something like that.

    I believe most JF members (especially in the tech forums) are genuinely enthusiastic individuals, ready to learn new tricks and inspire others as well. Some are just honest individuals, looking for solutions to their technology-related problems, believing that JF has experienced members who can answer their questions. Some are just critics. Some are just looking for a good read. Everyone is getting their share, depends on what you are looking for! Be smart about that when at it!

    As far as programming is concerned, holes or bugs are irresistible to say the least. Not only because of ignoring the "design parts" as you put it, but in many cases by attempting to follow them as they are. Programming best practices are better learnt from experienced programmers. Forums only provide the platform for these groups to meet, the experienced and the not.

    I don't work for JF, but I challenge you to post these "security holes" here or at least describe them to prove your point. Or maybe at least let us know why you think the server info you posted is a security concern. Thank you.
     
  4. HT

    HT JF-Expert Member

    #4
    Jul 30, 2011
    Joined: Jul 29, 2011
    Messages: 1,899
    Likes Received: 3
    Trophy Points: 0
    duh! First of all you have all missed my point! It wasn't attacking JF but the security of our apps. As far as JF is concerned, exposing server config and variables widens the attack surface. I cannot post all the info, but I will PM the Mods and once they assure me I can proceed, I will post. Meanwhile, let us discuss: how secure is your app?
     
  5. HT

    HT JF-Expert Member

    #5
    Jul 30, 2011
    Joined: Jul 29, 2011
    Messages: 1,899
    Likes Received: 3
    Trophy Points: 0
    Another thing: even vBulletin can be hacked, as you have said; nothing is 100% secure. E.g. those still using version 3 can easily be hacked. The best part of VB is that holes are fixed quickly!
     
  6. ndetichia

    ndetichia JF-Expert Member

    #6
    Jul 30, 2011
    Joined: Mar 18, 2011
    Messages: 27,534
    Likes Received: 120
    Trophy Points: 160
    Boss, you clearly love knowing how things work; young man, you really are a hacker.
     
  7. Kang

    Kang JF-Expert Member

    #7
    Jul 30, 2011
    Joined: Jun 24, 2008
    Messages: 4,698
    Likes Received: 204
    Trophy Points: 160
    You said this is a vivid example, but your data shows no holes, simply knowing what versions of software they run is not a security hole. You should have shown
    A) That those versions have known security holes and
    B) That those holes have not been fixed on JF

    Basically you have nothing.
     
  8. HT

    HT JF-Expert Member

    #8
    Jul 31, 2011
    Joined: Jul 29, 2011
    Messages: 1,899
    Likes Received: 3
    Trophy Points: 0
    Hahaaa! You are too critical and you have missed the point.
    Now that Invisible has fixed things, we can discuss. As developers we forget things that expose us to security problems. The installation folder used by JF was not deleted/restricted from direct access. Though somehow one could not access install.php, one could access upgrade.php.
    The file requires a user/customer number, so as you can see, security has been narrowed down to the customer number. I'm not familiar with the VB customer number, but someone using VB may well be familiar with it and could run a brute force attack for a number of days and might well penetrate the site.

    Another dangerous thing is a file test.php that the coder forgot to delete; it provided not only server info but some FTP info. Although it was not a very big deal, it gives the hacker a clue about the whole environment settings of the server and hence a starting point and basic info he should not have. So again, someone serious would use the information as a starter.

    Security-wise JF is very strong (well updated), but in security, one finds the weakest point to penetrate the system. If you are strong and you introduce surfaces like the above, you weaken the strength of your system.....
    enough for now :)
    HT
     
  9. HT

    HT JF-Expert Member

    #9
    Jul 31, 2011
    Joined: Jul 29, 2011
    Messages: 1,899
    Likes Received: 3
    Trophy Points: 0
    And Invisible is very responsive...bravo Mr. Robot!
     
  10. HT

    HT JF-Expert Member

    #10
    Jul 31, 2011
    Joined: Jul 29, 2011
    Messages: 1,899
    Likes Received: 3
    Trophy Points: 0
    :rapture::car::boom:
     
  11. whizkid

    whizkid Senior Member

    #11
    Aug 1, 2011
    Joined: Aug 2, 2010
    Messages: 166
    Likes Received: 2
    Trophy Points: 35
    HT,

    This makes more sense now. I would say this type of information would only make one interested in digging deeper for serious/actual server vulnerabilities, but it doesn't really expose vBulletin's vulnerabilities. If you have the time, you can obtain this information with the help of other hacking tools. I don't have the time to do a nikto and nmap scan on JF at the moment, but if you know what I am talking about, try it and see if there is anything interesting. Maybe we can extend this topic and help JF developers in the process.
     
  12. HT

    HT JF-Expert Member

    #12
    Aug 1, 2011
    Joined: Jul 29, 2011
    Messages: 1,899
    Likes Received: 3
    Trophy Points: 0
    whizkid,
    glad you got my point now.
    Now let us discuss how secure the many apps coded in our land are. There is another site that is being coded, as far as I can see, where you can not only see files but download them too. Why is it that our web apps (apart from spoon-fed ones like Drupal, Joomla et al.) are insecure?
    Coders, how secure is your application?
     
  13. HT

    HT JF-Expert Member

    #13
    Aug 1, 2011
    Joined: Jul 29, 2011
    Messages: 1,899
    Likes Received: 3
    Trophy Points: 0
    whizkid,
    I wanted to do port scanning but time was not on my side either. It is good and encouraging though to see the JF admin try to keep up with the latest VB, which reduces security flaws. There aren't many sites with the same spirit.
     