standard software and its risk ;-)

I am always a little bit afraid of using standard and/or free web applications or modules. Everybody can study them, find the weak spots and attack your site.

Try

http://www.google.de/search?hl=de&q=SearchResult.aspx%3FCategoryID+&meta=

then follow the first of these links and change the query string to

SearchResult.aspx?CategoryID=asfdasdfsdf

On different sites you will often get the same result: tracing and full error messages are enabled, so the unhandled exception comes back as a complete stack trace with the internal class names. It seems that this product (http://www.storefront.net/) is shipped with these settings. If you are lazy, just search for StoreFront.BusinessRule.CCustomer.

That breaks at least three rules for secure web applications: the parameter is not validated, full error messages are shown to remote users, and tracing is left enabled in production.
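As an added example (my code, not part of the original post and not the StoreFront product's code), here is a small Python script that does what the post describes by hand and what the page under test should have done itself: it rewrites the CategoryID value of a found URL with junk, recognises an ASP.NET detailed error page and page trace output in the response body and pulls out the leaked exception, application type names and framework version, and validates CategoryID before it ever reaches a parse. The sample response bodies, the CCustomer method name and the frame offsets in the stack trace are constructed for illustration; the markers it looks for ("Server Error in '/' Application", "Exception Details:", "Stack Trace:", "Version Information:", "Request Details", "Trace Information") are the standard ones from the framework's own error and trace pages.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Markers of an ASP.NET detailed error page, which remote clients only see
# when web.config has <customErrors mode="Off"/>.
YSOD_MARKERS = (
    "Server Error in '/' Application",
    "Exception Details:",
    "Stack Trace:",
    "Version Information:",
)
# Markers of ASP.NET page tracing (<trace enabled="true" pageOutput="true"/>).
TRACE_MARKERS = ("Request Details", "Trace Information", "Control Tree")

# First line of the stack trace: "[FormatException: Input string was not ...]"
EXCEPTION_RE = re.compile(r"^\[(\w+(?:\.\w+)*):", re.MULTILINE)
# Stack frames: "   Namespace.Type.Method(String s) +80"
FRAME_RE = re.compile(r"^[ \t]+((?:[A-Za-z_]\w*\.){2,}[A-Za-z_]\w*)\(", re.MULTILINE)
VERSION_RE = re.compile(r"\.NET Framework Version:([\d.]+)")


def make_probe(url: str, junk: str = "asfdasdfsdf") -> str:
    """Replace the CategoryID value of a SearchResult.aspx URL with junk and keep
    every other parameter, exactly the manual step the post describes."""
    parts = urlsplit(url)
    pairs = [(k, junk if k == "CategoryID" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def classify_response(body: str) -> dict:
    """Decide from a response body whether detailed errors and tracing are on,
    and collect what they leak: exception type, the application's own type
    names from the stack frames, and the framework version."""
    markers = [m for m in YSOD_MARKERS if m in body]
    app_types = sorted({
        frame.rsplit(".", 1)[0]                       # drop the method name
        for frame in FRAME_RE.findall(body)
        if not frame.startswith(("System.", "Microsoft."))  # application code only
    })
    version = VERSION_RE.search(body)
    return {
        "detailed_errors": len(markers) >= 2,
        "trace_output": any(m in body for m in TRACE_MARKERS),
        "exceptions": EXCEPTION_RE.findall(body),
        "leaked_types": app_types,
        "framework_version": version.group(1) if version else None,
    }


def category_id_from_query(query: str):
    """What the page should do before touching the database: accept CategoryID
    only as a small positive integer, otherwise return None so the caller can
    answer 400/404 instead of letting a FormatException reach the error page."""
    value = dict(parse_qsl(query)).get("CategoryID", "")
    if not re.fullmatch(r"[0-9]{1,9}", value):
        return None
    number = int(value)
    return number if number > 0 else None


# Constructed sample of a leaky site's answer to CategoryID=asfdasdfsdf. The
# CCustomer method name and the frame offsets are invented for illustration.
SAMPLE_LEAKY = """<html><body>
<h1>Server Error in '/' Application.</h1>
<h2>Input string was not in a correct format.</h2>
<b>Exception Details:</b> System.FormatException: Input string was not in a correct format.
<b>Stack Trace:</b>
<pre>
[FormatException: Input string was not in a correct format.]
   System.Number.StringToNumber(String str, NumberStyles options, NumberBuffer&amp; number, NumberFormatInfo info, Boolean parseDecimal) +2789875
   System.Int32.Parse(String s) +80
   StoreFront.BusinessRule.CCustomer.GetCategory(String categoryId) +41
</pre>
<b>Version Information:</b> Microsoft .NET Framework Version:1.1.4322.2300; ASP.NET Version:1.1.4322.2300
<table><tr><td>Request Details</td></tr><tr><td>Trace Information</td></tr></table>
</body></html>"""

# Constructed sample of a site with a custom error page and tracing off.
SAMPLE_FIXED = "<html><body><h1>Sorry, something went wrong.</h1></body></html>"


if __name__ == "__main__":
    print(make_probe("http://shop.example/SearchResult.aspx?CategoryID=12&page=2"))
    for name, body in (("leaky", SAMPLE_LEAKY), ("fixed", SAMPLE_FIXED)):
        print(name, classify_response(body))
    print(category_id_from_query("CategoryID=asfdasdfsdf"))
```

Run it as a script to see the two constructed bodies classified. The server-side fix is the web.config pair `<customErrors mode="RemoteOnly">` (or `On` with a `defaultRedirect`) and `<trace enabled="false">`, plus rejecting a non-numeric CategoryID up front as `category_id_from_query` does; with those in place the probe gets the friendly page and `classify_response` reports nothing.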

Published Wednesday, April 19, 2006 4:14 PM by preishuber

Comments

# re: standard software and its risk ;-)

Wednesday, April 19, 2006 12:39 PM by Mod
Yes, and not to speak of using IIS as a web server. When an exploit for IIS is discovered, everybody can attack your website ;)

To be honest, if you know what you are doing, it is not less safe to use an open component than a closed or self-written one...

# re: standard software and its risk ;-)

Wednesday, April 19, 2006 1:36 PM by nick
Breaking the page and attacking the server are two rather different things.

Wow, you threw an exception, what an amazing hacker.

# re: standard software and its risk ;-)

Wednesday, April 19, 2006 2:42 PM by Hannes Preishuber
@nick
Where have I written "hack"?
What I point out is that this "standard" product is used several times with the same insecure settings (which is sad enough).
To successfully hack a web application, you need several things. Knowledge about the target system is one of them. And stressing the application with _unexpected_ input is a usual method to step forward in hacking.

# re: standard software and its risk ;-)

Wednesday, April 19, 2006 2:46 PM by Hannes Preishuber
@mod
Developers use components without checking the internals. Like these customers who have installed a product only to set up an online shop. Because it's easy to access this "component", everybody can research it for leaks and use Google to find sites which are using it.
It's a bigger risk of automated attacks or of being visited by a hobby hacker.
