06-26-2006, 11:20 AM
tc3driver
Quote:
Originally Posted by Mylt1
M4CK site looks good. Several forums I am on use PostNuke and have been hacked in the last few weeks. The weak spot seems to be photos. Don't know how yet, but that's how they are getting their code in.
That's simple: they name an image jpg/png/bmp/whatever image type. Then, as the server parses it (and mind you, this is part of the insecurity of using variable calls to your database), when you go to that link directly the server executes the code, and boom, you have access where one shouldn't.

There are several remedies to this. One is a recode of the user levels, changing the numbers around so that admin isn't 1 or 8 or whatever comes as default. Another is to have an outside program such as ImageMagick parsing the image files. Unfortunately... most don't have enough access to a server to install or use ImageMagick; hell, some web apps won't even use it.

And of course you can go through the code and change the variable calls to the database; that would eliminate the script kiddies from using a "tool" to exploit vulnerabilities.
__________________
"When we just look up at the stars, we see the same vista that our ancestors did. The night sky has been observed by people of all cultures and of all ages. It's the only part of our environment that has been common to all humans, wherever and whenever they've lived on this Earth. So that makes it rather special. Whenever we scan the sky, we are partaking of one of the very few things we share with all human beings. "- Martin Rees
06 SE KC 6M Silver: Grounding Kit, Flowmaster 50 series SUV, AMI Black 6" stubbie antenna, Rockford Fosgate Punch 225.2 bridged to 12" Diamond Audio sub, Kenwood DDX7019 Head unit. Now I drive around and go boom.
--><-- favorite emote
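The upload problem described in the post (a script saved under an image name and later fetched directly so the server runs it) comes down to the application trusting the uploader's filename and extension. The following is an added example and not code from the original post or from PostNuke; it shows the defensive side: the upload's declared name is ignored, the bytes are sniffed and structurally checked against the image formats the post names (plus GIF), and the file is stored under a server-generated name with a fixed extension. The sample files, the `uploads` directory name and the function names are all constructed for this example.

```python
"""Added example (not from the original post): never trust an upload's name or
extension. Sniff the bytes, check the format's header structure, and store the
file under a server-chosen name in a directory that is served statically only."""
import os
import secrets
import struct
import tempfile
import zlib
from typing import Optional

UPLOAD_DIR = "uploads"  # assumption: served as static files, no script handler attached

# JPEG Start-Of-Frame markers (C4, C8 and CC are not frame headers).
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7, 0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}


def _png_ok(data: bytes) -> bool:
    # Signature, then an IHDR chunk whose length, type and CRC all check out.
    if len(data) < 33 or not data.startswith(b"\x89PNG\r\n\x1a\n"):
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    if length != 13 or ctype != b"IHDR":
        return False
    body, crc = data[16:29], struct.unpack(">I", data[29:33])[0]
    if (zlib.crc32(ctype + body) & 0xFFFFFFFF) != crc:
        return False
    width, height = struct.unpack(">II", body[:8])
    return width > 0 and height > 0


def _jpeg_ok(data: bytes) -> bool:
    # SOI, then a chain of length-prefixed segments that reaches a Start-Of-Frame.
    if not data.startswith(b"\xff\xd8\xff"):
        return False
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return False
        marker = data[pos + 1]
        if marker in SOF_MARKERS:
            return True
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seg_len < 2:  # a segment length always includes its own two bytes
            return False
        pos += 2 + seg_len
    return False


def _gif_ok(data: bytes) -> bool:
    # Signature plus a logical screen descriptor with non-zero dimensions.
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return False
    width, height = struct.unpack("<HH", data[6:10])
    return width > 0 and height > 0


def _bmp_ok(data: bytes) -> bool:
    # "BM", a file size that matches the data, and a known DIB header size.
    if len(data) < 26 or not data.startswith(b"BM"):
        return False
    file_size = struct.unpack("<I", data[2:6])[0]
    dib_size = struct.unpack("<I", data[14:18])[0]
    return file_size == len(data) and dib_size in (12, 40, 52, 56, 108, 124)


CHECKS = {"png": _png_ok, "jpg": _jpeg_ok, "gif": _gif_ok, "bmp": _bmp_ok}


def detect_image_type(data: bytes) -> Optional[str]:
    """Return the format the bytes actually are, or None if they are not a recognised image."""
    for kind, check in CHECKS.items():
        if check(data):
            return kind
    return None


def store_upload(data: bytes, client_filename: str, upload_dir: str = UPLOAD_DIR) -> Optional[str]:
    """Store a validated image under a random server-chosen name; return that name or None.

    client_filename is accepted only so the caller can log it; it never influences
    the stored path or extension, so "picture.php.jpg" cannot become a .php file."""
    kind = detect_image_type(data)
    if kind is None:
        return None
    stored_name = f"{secrets.token_hex(16)}.{kind}"
    os.makedirs(upload_dir, exist_ok=True)
    with open(os.path.join(upload_dir, stored_name), "wb") as fh:
        fh.write(data)
    return stored_name


# --- constructed sample inputs -------------------------------------------------
def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)

SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n"
              + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
              + _png_chunk(b"IEND", b""))
# SOI, APP0/JFIF segment, SOF0 segment, EOI (no scan data; enough for the header walk).
SAMPLE_JPEG = bytes.fromhex("FFD8 FFE0 0010 4A46494600 0101 00 0001 0001 0000"
                            "FFC0 0011 08 0001 0001 03 01 22 00 02 11 01 03 11 01 FFD9")
DISGUISED_SCRIPT = b"<?php /* constructed: script uploaded under an image name */ ?>"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + DISGUISED_SCRIPT  # image signature only, no IHDR


def run_demo() -> dict:
    """Exercise the checks in a temporary directory and return each outcome."""
    tmp = tempfile.mkdtemp()
    return {
        "real_png": store_upload(SAMPLE_PNG, "photo.png", tmp),
        "real_jpeg": store_upload(SAMPLE_JPEG, "photo.jpg", tmp),
        "script_as_jpg": store_upload(DISGUISED_SCRIPT, "picture.php.jpg", tmp),
        "png_signature_only": store_upload(FAKE_PNG, "picture.png", tmp),
    }


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(f"{label}: {'rejected' if result is None else 'stored as ' + result}")
```

The structural checks catch the plain case from the post (a script with an image extension) and the slightly better disguise of a bare image signature, but a genuinely valid image can still carry foreign bytes in a comment segment or after the end marker, which is why the stored file must sit where the web server serves it as static data and will not hand it to a script interpreter. Re-encoding the image, which is what the post's ImageMagick remedy amounts to, is the stronger measure because it discards everything that is not pixel data.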