A Website Vulnerable to Hackers

I found a pretty cool site while browsing Facebook. I don’t want to give any identifying information that might get them hacked, so I’ll just say they stand for something I do as well. I found their site to be deadly vulnerable to several methods of hacking, so I wanted to let them know. I sent them an email. I rarely do this; I’ve done it a few times for some sites that I think needed help and support a good cause. This was one of them.

The best way I found to go about it was this: below is the email, and below that is the picture I uploaded to my Facebook. (***** and the red lines are censoring information that could identify the site.)


Hey guys,

(Included President because of seriousness, but mainly for Webmaster)

Just emailing you to let you know your site has several vulnerabilities that could be easily exploited by a hacker. I found your site on the ***** ****** Facebook page. I *********** ****** *******. ******** ******.

But with all that aside, I would say you need to immediately fix these vulnerabilities. Your site has a bit more visibility now, and someone who wanted to could easily take down your site, get root, upload viruses to exploit your users, and much worse.

If you can't fix these vulnerabilities, I would honestly take the site down completely, back everything up, then remove it from the server, and replace everything with a single HTML file that says the site is "Under construction - Follow us on Facebook or email us for questions." or something like that.

It's really not a joke at all and I would take this advice.

Okay so the biggest and most dangerous vulnerability I was able to find is a file inclusion inside your default.php file. Code in the file allows for remote inclusion of other files from external websites, and also allows for me to browse every file on your system. The best way to defend against this is by parsing out any / and periods and also only allow local files from a single directory.

Also, you have a bunch of folders that aren't holding much and are not needed.

And finally some XSS vulnerabilities.

If you need help, let me know.

Keep up the great work. ********** ******* ******* ******** *****. ******** ******* ***** ******** ******* ****.

-Brandon
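The file inclusion described in the email above, as an added example that is not the site's real default.php: a page-include pattern that permits local and remote file inclusion, beside a hardened version. Rather than only stripping slashes and periods, the fix uses a fixed allowlist of page names and a realpath() containment check; the page names and the `pages/` directory are assumptions for the example.

```php
<?php
// Added example (not the site's actual default.php): the vulnerable include
// pattern beside a hardened one that only serves files from one directory.

// --- Vulnerable pattern: the request parameter goes straight into include() ---
function include_page_vulnerable(string $page): void
{
    // With allow_url_include on, a URL in $page pulls in a remote file;
    // "../" sequences in $page let the caller read any local file.
    include($page);
}

// --- Hardened pattern: allowlist + resolve inside a single directory ---
function resolve_page(string $page, string $pagesDir): ?string
{
    // 1. Accept only a fixed set of page names (hypothetical names here).
    $allowed = ['home', 'about', 'contact'];
    if (!in_array($page, $allowed, true)) {
        return null;
    }
    // 2. Build the path ourselves instead of treating user input as a path.
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . DIRECTORY_SEPARATOR . $page . '.php');
    // 3. realpath() resolves "..", symlinks and so on; confirm the result is
    //    still inside $pagesDir and is a regular file before including it.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        return null;
    }
    return $path;
}

$page = $_GET['page'] ?? 'home';
$resolved = resolve_page($page, __DIR__ . '/pages');
if ($resolved === null) {
    http_response_code(404);
    exit('Page not found');
}
include $resolved;
```

Alongside the code change, setting `allow_url_include = Off` (and `allow_url_fopen = Off` where nothing needs it) in php.ini removes the remote-inclusion half of the problem even if another include slips through review.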

Posted in Computers, My Life
