[PHP] Please hack my app
Hi List,

As this subject may start you wondering what the hell I'm thinking, let me clarify: I've been rewriting a GPL'ed PHP/MySQL app from scratch for the last 12 months or so. It facilitates storage of DNA mutations and the corresponding patient data. Because patient data is involved, privacy is very important.

Now of course I read lots of pages on SQL injection and whatnot, and I strongly believe my application is protected from this kind of abuse. However, believing is not enough. I've had some comments in the past about security (previous version of the software) and although I didn't agree with the criticism, I want to be able to say the new app went through various forms of attacks. This month, I want to release 2.0-alpha-01...

*** THIS IS NOT ABOUT HACKING THE SERVER ***
But about getting in the application when you're not allowed to!

If you feel like helping me out, it's located at http://chromium.liacs.nl/LOVDv.2.0-dev/

1) Please try to get in. There's one account in the system, a database administrator, capable of doing anything. If you get in, you can easily create a new user using the setup tab. This will be the proof of you breaking my security rules.
2) Can you manage to view non-public data? Using the Variants tab, you can see there is currently one entry in the database (with two mutations). This entry has a hidden column, called 'Patient ID'. There is a text string in that column. If you can tell me what that string is, you win :)
3) Feel free to register as a submitter to see if that gives you any rights that you shouldn't have. A submitter is only capable of adding new data to the database (Submit tab), but that data will not be published immediately.
4) After a while, I will release login details of a curator account. This user is allowed to see non-public data and handle the specific gene, but NOT create new users or the like.

If you have any questions, please ask.
Thank you in advance for using your expertise for the good cause :)

Regards,
Ivo

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Please hack my app
This one time, at band camp, Ivo F.A.C. Fokkema [EMAIL PROTECTED] wrote:

> *** THIS IS NOT ABOUT HACKING THE SERVER ***
> But about getting in the application when you're not allowed to!

So, basically, you want _us_ to do _your_ bug checking??

Kevin
--
Democracy is two wolves and a lamb voting on what to have for lunch.
Liberty is a well-armed lamb contesting the vote.
Re: [PHP] Please hack my app
Kevin Waterson wrote:
> This one time, at band camp, Ivo F.A.C. Fokkema [EMAIL PROTECTED] wrote:
>> *** THIS IS NOT ABOUT HACKING THE SERVER ***
>> But about getting in the application when you're not allowed to!
>
> So, basically, you want _us_ to do _your_ bug checking??

And just in case you do find some mug willing to work for you for nothing, if you're going to be releasing the source you need to do that before asking them to find holes. Having the source code makes it a lot easier.

-Stut
Re: [PHP] Please hack my app
On Wed, 22 Nov 2006 20:14:37 +1100, Kevin Waterson wrote:
> This one time, at band camp, Ivo F.A.C. Fokkema [EMAIL PROTECTED] wrote:
>> *** THIS IS NOT ABOUT HACKING THE SERVER ***
>> But about getting in the application when you're not allowed to!
>
> So, basically, you want _us_ to do _your_ bug checking??

Hell No. I've done that myself (duh). I'm just not arrogant enough to think I tried everything that someone can think of.
Re: [PHP] Please hack my app
On Wed, 22 Nov 2006 09:53:00, Stut wrote:
> Kevin Waterson wrote:
>> This one time, at band camp, Ivo F.A.C. Fokkema [EMAIL PROTECTED] wrote:
>>> *** THIS IS NOT ABOUT HACKING THE SERVER ***
>>> But about getting in the application when you're not allowed to!
>>
>> So, basically, you want _us_ to do _your_ bug checking??
>
> And just in case you do find some mug willing to work for you for nothing, if you're going to be releasing the source you need to do that before asking them to find holes. Having the source code makes it a lot easier.

You're right.

http://www.dmd.nl/LOVD/2.0/download.php?sent=true
Re: [PHP] Please hack my app
Hey there,

I don't mean to be a total pri*k about this, but unless you have created something that you are willing to share with others and others can use/modify for their requirements, and you grant them this privilege... I think the norm is you pay someone to do what you are asking.

What you are asking for is pretty unfair, unless I am missing something?

If on the other hand you have identified the part that's troubling you, or are getting unexpected results from a code segment... then post that as a new question/thread and from the kindness of someone's heart, you might get an answer from them. :)

Cheers!
R
--
- The faulty interface lies between the chair and the keyboard.
- Creativity is great, but plagiarism is faster!
- Smile, everyone loves a moron. :-)
Re: [PHP] Please hack my app
If you need your code audited (or site hacked, or any other PHP security related stuff), and you have a budget for it, and if you can find him, you can hire - Chris Shiflett. Google for brainbulb.

On 11/22/06, Ivo F.A.C. Fokkema [EMAIL PROTECTED] wrote:
> On Wed, 22 Nov 2006 09:53:00, Stut wrote:
>> Kevin Waterson wrote:
>>> This one time, at band camp, Ivo F.A.C. Fokkema [EMAIL PROTECTED] wrote:
>>>> *** THIS IS NOT ABOUT HACKING THE SERVER ***
>>>> But about getting in the application when you're not allowed to!
>>>
>>> So, basically, you want _us_ to do _your_ bug checking??
>>
>> And just in case you do find some mug willing to work for you for nothing, if you're going to be releasing the source you need to do that before asking them to find holes. Having the source code makes it a lot easier.
>
> You're right.
>
> http://www.dmd.nl/LOVD/2.0/download.php?sent=true
Re: [PHP] Please hack my app
This one time, at band camp, Rory Browne [EMAIL PROTECTED] wrote:

> you can hire - Chris Shiflett.

BWAHAHAHAHAHAHAHH

I actually did laugh...
--
Democracy is two wolves and a lamb voting on what to have for lunch.
Liberty is a well-armed lamb contesting the vote.
Re: [PHP] Please hack my app
Kevin Waterson wrote:
> This one time, at band camp, Rory Browne [EMAIL PROTECTED] wrote:
>> you can hire - Chris Shiflett.
>
> BWAHAHAHAHAHAHAHH
>
> I actually did laugh...

why you laugh =)

--
Angelo Zanetti
Systems developer
*Telephone:* +27 (021) 469 1052
*Mobile:* +27 (0) 72 441 3355
*Fax:* +27 (0) 86 681 5885
*Web:* http://www.zlogic.co.za
*E-Mail:* [EMAIL PROTECTED]
Re: [PHP] Please hack my app
On Wed, 22 Nov 2006 03:20:16 -0800, Ryan A wrote:
> Hey there,
> I don't mean to be a total pri*k about this, but unless you have created something that you are willing to share with others and others can use/modify for their requirements, and you grant them this privilege... I think the norm is you pay someone to do what you are asking.

It's GPL. I mentioned that and the source is available (just follow the link and download). I asked *kindly* if anyone wanted to take their time and toss something at it. If no-one wanted to take a look at it, fine, sorry to bother you. If someone wants to, thanks a bunch for your time. I didn't expect anyone to dive deeply into the source code of my project and filter out my mistakes. Just trying a few well-known (possibly not by me) methods would do. I tried anything I could think of, and it didn't break. After my question someone already kindly pointed out I didn't check for HTML code (and thus allowed JS injection). Something to fix in the next release :)

> What you are asking for is pretty unfair, unless I am missing something?

I didn't realize someone may see this as unfair. So my apologies if any interpretation of my question was not received positively. :) I meant no harm in any way.

> If on the other hand you have identified the part that's troubling you, or are getting unexpected results from a code segment... then post that as a new question/thread and from the kindness of someone's heart, you might get an answer from them. :)

I know how the list works, thanks :D There are no known problems at the time. Just wanted to check if anyone thought of something I hadn't thought of.

Ivo
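The thread touches on two input-handling rules (the SQL injection protection the original post claims, and the missing HTML escaping that allowed JS injection) and on keeping non-public data such as the hidden 'Patient ID' away from submitters. As an added example that is not LOVD's code and not from anyone in this thread, here is how those three points look in PHP: user input bound as SQL parameters rather than concatenated, a server-side allow-list of columns per role, and HTML escaping at output time. It uses PDO with an in-memory SQLite database so it runs offline; the table, column and role names are assumptions made for the example, not LOVD's schema.

```php
<?php
// Added example, not LOVD's code: parameterised SQL, a role-based column
// allow-list, and HTML-escaped output. Table, column and role names are
// assumptions made for this example. PDO + in-memory SQLite, so it runs offline.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE variants (
    id         INTEGER PRIMARY KEY AUTOINCREMENT,
    mutation   TEXT    NOT NULL,
    patient_id TEXT    NOT NULL,            -- non-public, curator-only
    published  INTEGER NOT NULL DEFAULT 0)');

// Which columns each role may read. The non-public column is simply absent
// from the submitter's list, so no query path can hand it out by accident.
const VISIBLE_COLUMNS = [
    'submitter' => ['id', 'mutation', 'published'],
    'curator'   => ['id', 'mutation', 'patient_id', 'published'],
];

// Rule 1: user input is bound as a parameter, never concatenated into SQL.
// A submitter's row is stored unpublished, matching "not published immediately".
function store_submission(PDO $db, string $mutation, string $patientId): int
{
    $stmt = $db->prepare(
        'INSERT INTO variants (mutation, patient_id, published) VALUES (:m, :p, 0)');
    $stmt->execute([':m' => $mutation, ':p' => $patientId]);
    return (int) $db->lastInsertId();
}

// Rule 2: the role, not a request parameter, decides the column list and the
// row filter; both come from server-side constants, so nothing here is injectable.
function list_variants(PDO $db, string $role): array
{
    if (!isset(VISIBLE_COLUMNS[$role])) {
        throw new InvalidArgumentException("unknown role: $role");
    }
    $cols  = implode(', ', VISIBLE_COLUMNS[$role]);
    $where = $role === 'curator' ? '' : ' WHERE published = 1';
    return $db->query("SELECT $cols FROM variants{$where}")->fetchAll(PDO::FETCH_ASSOC);
}

function publish(PDO $db, int $id): void
{
    $db->prepare('UPDATE variants SET published = 1 WHERE id = :id')
       ->execute([':id' => $id]);
}

// Rule 3: escape at output time, for every value that lands in HTML.
function render_row(array $row): string
{
    $cells = array_map(
        fn($v) => '<td>' . htmlspecialchars((string) $v, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>',
        $row
    );
    return '<tr>' . implode('', $cells) . "</tr>\n";
}

// Constructed submission: hostile-looking strings are stored and shown as plain data.
$id = store_submission($db, 'c.123A>G <script>alert(1)</script>', "P-001' OR '1'='1");

echo "Submitter view before publication (nothing listed):\n";
foreach (list_variants($db, 'submitter') as $row) { echo render_row($row); }

publish($db, $id);

echo "Submitter view after publication (no patient_id column):\n";
foreach (list_variants($db, 'submitter') as $row) { echo render_row($row); }

echo "Curator view (patient_id visible, script tag rendered inert):\n";
foreach (list_variants($db, 'curator') as $row) { echo render_row($row); }
```

Run it with `php example.php` (needs the pdo_sqlite extension). The point of the column allow-list is that a hidden column is enforced in the SELECT itself rather than by hiding a cell in the template, and the point of escaping in render_row rather than on input is that the database keeps the submitter's text intact while every rendering path gets the same protection.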
Re: [PHP] Please hack my app
Ivo F.A.C. Fokkema wrote:
> On Wed, 22 Nov 2006 03:20:16 -0800, Ryan A wrote:
>> Hey there,
>> I don't mean to be a total pri*k about this, but unless you have created something that you are willing to share with others and others can use/modify for their requirements, and you grant them this privilege... I think the norm is you pay someone to do what you are asking.
>
> It's GPL. I mentioned that and the source is available (just follow the link and download). I asked *kindly* if anyone wanted to take their time and toss something at it. If no-one wanted to take a look at it, fine, sorry to bother you. If someone wants to, thanks a bunch for your time. I didn't expect anyone to dive deeply into the source code of my project and filter out my mistakes. Just trying a few well-known (possibly not by me) methods would do. I tried anything I could think of, and it didn't break. After my question someone already kindly pointed out I didn't check for HTML code (and thus allowed JS injection). Something to fix in the next release :)
>
>> What you are asking for is pretty unfair, unless I am missing something?
>
> I didn't realize someone may see this as unfair. So my apologies if any interpretation of my question was not received positively. :) I meant no harm in any way.
>
>> If on the other hand you have identified the part that's troubling you, or are getting unexpected results from a code segment... then post that as a new question/thread and from the kindness of someone's heart, you might get an answer from them. :)
>
> I know how the list works, thanks :D There are no known problems at the time. Just wanted to check if anyone thought of something I hadn't thought of.
>
> Ivo

I think some guys like trying to hack and break others' sites so I'm sure those people will respond.

Guys, I think we need to relax a bit and not attack the guy so much!

My 2 cents worth

cheers
--
Angelo Zanetti
Systems developer
*Telephone:* +27 (021) 469 1052
*Mobile:* +27 (0) 72 441 3355
*Fax:* +27 (0) 86 681 5885
*Web:* http://www.zlogic.co.za
*E-Mail:* [EMAIL PROTECTED]
RE: [PHP] Please hack my app
> guys I think we need to relax a bit and not attack the guy so much!

I agree.

Ivo, have you tried Chorizo? http://chorizo-scanner.com/

Edward
RE: [PHP] Please hack my app
On Wed, 22 Nov 2006 13:37:43, Edward Kay wrote:
>> guys I think we need to relax a bit and not attack the guy so much!
>
> I agree.
>
> Ivo, have you tried Chorizo? http://chorizo-scanner.com/

Thanks Angelo, Edward!

Chorizo looks good, especially the Morcilla extension mentioned on the website... I will try the free version first, see if that finds anything. I'll check with my boss to see if he wants to spend 289 on a one-year license for the standard version...

Thanks for the suggestion!

Ivo
Re: [PHP] Please hack my app
Angelo Zanetti wrote:
> Kevin Waterson wrote:
>> This one time, at band camp, Rory Browne [EMAIL PROTECTED] wrote:
>>> you can hire - Chris Shiflett.
>>
>> BWAHAHAHAHAHAHAHH
>>
>> I actually did laugh...
>
> why you laugh =)

Because Rory spoofed the intro to the 'A-Team'.
RE: [PHP] Please hack my app
angelo.

it appears from the responses on the list that different people want the list to work as they believe it should. hell, this is an email list. if somebody posts something that you don't appreciate, ignore it, delete it, the topic will go away. on the other hand, somebody might actually respond to the post that you are offended by... so, perhaps we all need to be more laid back in how we deal with things...

peace

-----Original Message-----
From: Angelo Zanetti [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 22, 2006 5:09 AM
To: Ivo F.A.C. Fokkema
Cc: php-general@lists.php.net
Subject: Re: [PHP] Please hack my app

Ivo F.A.C. Fokkema wrote:
> On Wed, 22 Nov 2006 03:20:16 -0800, Ryan A wrote:
>> Hey there,
>> I don't mean to be a total pri*k about this, but unless you have created something that you are willing to share with others and others can use/modify for their requirements, and you grant them this privilege... I think the norm is you pay someone to do what you are asking.
>
> It's GPL. I mentioned that and the source is available (just follow the link and download). I asked *kindly* if anyone wanted to take their time and toss something at it. If no-one wanted to take a look at it, fine, sorry to bother you. If someone wants to, thanks a bunch for your time. I didn't expect anyone to dive deeply into the source code of my project and filter out my mistakes. Just trying a few well-known (possibly not by me) methods would do. I tried anything I could think of, and it didn't break. After my question someone already kindly pointed out I didn't check for HTML code (and thus allowed JS injection). Something to fix in the next release :)
>
>> What you are asking for is pretty unfair, unless I am missing something?
>
> I didn't realize someone may see this as unfair. So my apologies if any interpretation of my question was not received positively. :) I meant no harm in any way.
>
>> If on the other hand you have identified the part that's troubling you, or are getting unexpected results from a code segment... then post that as a new question/thread and from the kindness of someone's heart, you might get an answer from them. :)
>
> I know how the list works, thanks :D There are no known problems at the time. Just wanted to check if anyone thought of something I hadn't thought of.
>
> Ivo

I think some guys like trying to hack and break others' sites so I'm sure those people will respond.

Guys, I think we need to relax a bit and not attack the guy so much!

My 2 cents worth

cheers
--
Angelo Zanetti
Systems developer
*Telephone:* +27 (021) 469 1052
*Mobile:* +27 (0) 72 441 3355
*Fax:* +27 (0) 86 681 5885
*Web:* http://www.zlogic.co.za
*E-Mail:* [EMAIL PROTECTED]