Hi List,

As this subject may start you wondering what the hell I'm thinking, let me
clarify:

I've been rewriting a GPL'ed PHP/MySQL app from scratch for the last 12
months or so. It facilitates storage of DNA mutations and the
corresponding patient data. Because patient data is involved, privacy is
very important.
Now of course I read lots of pages on SQL injection and whatnot, and I
strongly believe my application is protected from this kind of abuse.
However, believing is not enough. I've had some comments in the past about
security (previous version of the software) and although I didn't agree with
the criticism, I want to be able to say the new app went through various forms
of attacks. This month, I want to release 2.0-alpha-01...

*** THIS IS NOT ABOUT HACKING THE SERVER ***
But about getting in the application when you're not allowed to!

If you feel like helping me out, it's located at
http://chromium.liacs.nl/LOVDv.2.0-dev/

1) Please try to get in. There's one account in the system, a database
administrator, capable of doing anything. If you get in, you can easily
create a new user using the setup tab. This will be the proof of you
breaking my security rules.

2) Can you manage to view non-public data? Using the Variants tab, you
can see there is currently one entry in the database (with two mutations).
This entry has a hidden column, called 'Patient ID'. There is a
text-string in that column. If you can tell me what that string is, you
win :)

3) Feel free to register as a submitter to see if that gives you any
rights that you shouldn't have. A submitter is only capable of adding new
data to the database (Submit tab), but that data will not be published
immediately.

4) After a while, I will release login details of a curator account. This
user is allowed to see non-public data and handle the specific gene, but
NOT create new users or the like.


If you have any questions, please ask. Thank you in advance for using your
expertise for the good cause :)

Regards,

Ivo

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php