The Museum of HP Calculators

HP Forum Archive 15


[OT]OpenRPN.org hacked, AGAIN
Message #1 Posted by . on 29 Jan 2006, 6:55 a.m.

Please see Here. It now says "::.HACKED BY iSKORPiTX (TURKISH HACKER).::"

This is ridiculous. Don't they know how to configure a server?

      
Re: [OT]OpenRPN.org hacked, AGAIN
Message #2 Posted by Geir Isene on 29 Jan 2006, 7:20 a.m.,
in response to message #1 by .

It is not about configuring a server, it's about choosing the right, secure CMS.

      
Ottoman Empire 1, OpenRPN 0
Message #3 Posted by Mustafa Kemal on 29 Jan 2006, 9:41 a.m.,
in response to message #1 by .

Very nice!

Vaporware like OpenRPN is almost deserving of something like this...

      
Re: [OT]OpenRPN.org hacked, AGAIN
Message #4 Posted by Hugh Evans on 30 Jan 2006, 11:11 a.m.,
in response to message #1 by .

The problem is PostNuke and has only been a problem for the past few months. I agree that it is out of hand but it will take a bit of time for us to set up a more secure alternative.

            
Re: [OT]OpenRPN.org hacked, AGAIN
Message #5 Posted by Johnny on 7 Feb 2006, 5:56 a.m.,
in response to message #4 by Hugh Evans

Try DRUPAL. I hear it's a great CMS.

      
Re: [OT]OpenRPN.org hacked, AGAIN
Message #6 Posted by bill platt on 8 Feb 2006, 10:24 a.m.,
in response to message #1 by .

Maybe I'm just ignorant, but isn't the server supposed to be read-only to the outside world, with the exception of forum posts?

How can it be possible to "hack" a server like this?

            
Re: [OT]OpenRPN.org hacked, AGAIN
Message #7 Posted by Marcus von Cube, Germany on 8 Feb 2006, 10:54 a.m.,
in response to message #6 by bill platt

I'm not a specialist in this but I've read something about hacking of database applications on the web.

One possible problem is dynamic SQL: Normally, your posts are enclosed in some SQL statements to put them into a database:

    insert into mytable( poster, text ) values( '<poster>', '<text>' )

The values in angle brackets come directly from the input form. Now suppose a poster named "badguy" enters something like this in the text field:

    ' );
    update sometable( column1, column2 ) values( 'bad value1', 'bad value2

Now let's combine the two:

    insert into mytable( poster, text ) values( 'badguy', '' );
    update sometable( column1, column2 ) values( 'bad value1', 'bad value2' )

One can imagine that evil things can be done if the exact database structure is known (as is the case for many such systems.)

Marcus
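
The dynamic SQL described in message #7, set beside the same insert done with bound parameters. This is an added example, not part of the original thread or of any project's code. It assumes Python's sqlite3 module and an in-memory database; the function names are hypothetical, and the input is constructed in the shape of the post's example, with the second statement written as an INSERT so that SQLite parses it.

```python
import sqlite3

# Constructed input in the shape the post describes: it closes the quoted
# value early and appends a second statement.
HOSTILE_TEXT = ("' ); insert into sometable( column1, column2 ) "
                "values( 'bad value1', 'bad value2")

def new_db():
    # Throwaway in-memory database with the two tables named in the post.
    db = sqlite3.connect(":memory:")
    db.execute("create table mytable( poster, text )")
    db.execute("create table sometable( column1, column2 )")
    return db

def store_post_dynamic(db, poster, text):
    # Dynamic SQL as in the post: form values are pasted into the statement.
    sql = ("insert into mytable( poster, text ) values( '%s', '%s' )"
           % (poster, text))
    db.executescript(sql)  # runs every statement found in the string

def store_post_bound(db, poster, text):
    # Bound parameters: values travel separately from the SQL text, so
    # quotes and semicolons in them are stored as data, never parsed.
    db.execute("insert into mytable( poster, text ) values( ?, ? )",
               (poster, text))
    db.commit()

def run(store):
    # Store one post with the given function, then return both tables' rows.
    db = new_db()
    store(db, "badguy", HOSTILE_TEXT)
    posts = db.execute("select poster, text from mytable").fetchall()
    other = db.execute("select column1, column2 from sometable").fetchall()
    db.close()
    return posts, other

if __name__ == "__main__":
    for store in (store_post_dynamic, store_post_bound):
        posts, other = run(store)
        print(store.__name__, "posts:", posts, "sometable:", other)
```

With the dynamic version the post is stored with an empty text and a row appears in sometable; with bound parameters the whole input is stored as the post's text and sometable stays empty.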

