Myreader.co.uk  
uk news, chat and community
date: Mon, 20 Apr 2009 23:45:16 +0100,    group: alt.uk.virgin-net.oldbies
Re: Anyone 'ere?   
Message-ID: <gsir30$95i$1@news.albasani.net> from OldbieOne contained
the following:

>>
>> So you'd be the right guy to test the security of an app I've been
>> working on?
>
>In .NET? Yeah, I'm unfortunately somewhat of a guru now after going through 
>a crash course......well, I mean the last 3 yrs of doing nothing but working 
>on other people's .NET code *sigh*

.NET?  You have to be kidding, right?

No, it's LAMP with bits of AJAX

www.imeasure.org.uk


-- 
Geoff Berrow

http://4theweb.co.uk - Web design, development and hosting
http://slipperyhill.co.uk - Bluegrass, blues, barn dance
date: Mon, 20 Apr 2009 23:45:16 +0100   author:   Geoff Berrow

Re: Anyone 'ere?   
On Mon, 20 Apr 2009 23:45:16 +0100, Geoff Berrow  did make
me awaken from my chaotic existentialism when they didst announce:

>Message-ID: <gsir30$95i$1@news.albasani.net> from OldbieOne contained
>the following:
>
>>>
>>> So you'd be the right guy to test the security of an app I've been
>>> working on?
>>
>>In .NET? Yeah, I'm unfortunately somewhat of a guru now after going through 
>>a crash course......well, I mean the last 3 yrs of doing nothing but working 
>>on other people's .NET code *sigh*
>
>.NET?  You have to be kidding, right?

HAHAHA! Gotcha, Mr PHP guru ;)
How long did I have you with that one? The part about my .NET knowledge is
unfortunately true. I strayed into Micro$haft hell and kinda stayed there.......


>No, it's LAMP with bits of AJAX
>
>www.imeasure.org.uk

Well, the most obvious thing that I see right off the bat, is that your login
doesn't use https.....so that's a possible headache there.....apart from that,
you're not passing any variables in the URL string, and I tried to insert some
crap in your database and it didn't go, so all good there, globals aren't
on.....but the web server itself is weak

I forced a 404 error and got this info:

Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1
mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5 Server at www.imeasure.org.uk
Port 80

So now I know you have FrontPage server extensions installed (don't know where
you got them for Linux since RTR stopped releasing/supporting it years ago)
which has tons of known exploits and makes defacement easy.

First thing I'd do is remove the FrontPage server extensions from the box, force
logins over SSL, and stick custom error pages up so that your server doesn't
report version numbers. Also, update your OpenSSL.......

Once you've done all that, you're better than good :D

Nothing is impenetrable, but it'll be a bloody task to break it, and I can't see
why anyone would even want to try.

Except, apparently, me at 2:40 AM Eastern, LOL
--
OldbieOne - 
The guy who tells it like it is!
date: Tue, 21 Apr 2009 02:50:10 -0400   author:   OldbieOne
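
[Added example, not part of any post in this thread: a small Python check a site owner can run over a captured Server header or error-page footer to see what it gives away, using the 404 footer quoted above as input. The function names are made up for this example, and the hardened target it assumes is Apache's ServerTokens Prod with ServerSignature Off.]

```python
import re

# Footer Apache appended to its default 404 page, as quoted in the post above.
SIGNATURE = (
    "Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a "
    "mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 "
    "PHP/5.2.5 Server at www.imeasure.org.uk Port 80"
)

TOKEN = re.compile(r"([A-Za-z][\w.-]*)(?:/(\S+))?")      # product[/version]
FOOTER_TAIL = re.compile(r"\s+Server at \S+ Port \d+\s*$")
COMMENT = re.compile(r"\([^)]*\)")                       # e.g. "(Unix)"


def parse_banner(text):
    """Return [(product, version_or_None)] from a Server header or error footer."""
    text = FOOTER_TAIL.sub("", text.strip())   # drop "Server at host Port N"
    text = COMMENT.sub(" ", text)              # drop platform comments
    return [(m.group(1), m.group(2)) for m in TOKEN.finditer(text)]


def audit_banner(text):
    """List what the banner discloses; an empty list means product name only."""
    findings = []
    for index, (product, version) in enumerate(parse_banner(text)):
        if version:
            findings.append(f"{product} discloses version {version}")
        elif index > 0:
            # A bare module name after the first token still reveals what is loaded.
            findings.append(f"{product} is advertised as installed")
    return findings


if __name__ == "__main__":
    # Assumption: with ServerTokens Prod the header is just "Apache", and with
    # ServerSignature Off the footer line disappears from error pages.
    for label, banner in (("before", SIGNATURE), ("after", "Apache")):
        findings = audit_banner(banner)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

[A custom ErrorDocument page hides the footer but not the Server response header, so check both after changing the configuration.]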

Re: Anyone 'ere?   
Message-ID:  from OldbieOne
contained the following:


>>.NET?  You have to be kidding, right?
>
>HAHAHA! Gotcha, Mr PHP guru ;)
>How long did I have you with that one? The part about my .NET knowledge is
>unfortunately true. I strayed into Micro$haft hell and kinda stayed there.......

Ha!   I thought your memory was going for a moment.
>
>
>>No, it's LAMP with bits of AJAX
>>
>>www.imeasure.org.uk
>
>Well, the most obvious thing that I see right off the bat, is that your login
>doesn't use https.....so that's a possible headache there.....

We took the view that it wasn't necessary for the site in its current
form.  No money involved and all you'd get if you broke in would be a
bunch of meter readings.


>apart from that,
>you're not passing any variables in the URL string, and I tried to insert some
>crap in your database and it didn't go, so all good there, globals aren't
>on.....but the web server itself is weak
>
>I forced a 404 error and got this info:
>
>Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1
>mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5 Server at www.imeasure.org.uk
>Port 80
>
>So now I know you have FrontPage server extensions installed (don't know where
>you got them for Linux since RTR stopped releasing/supporting it years ago)
>which has tons of known exploits and makes defacement easy.

<sigh>  Yes I know.  The client who I manage the VPS for insists on
using Grunt Page and so it has to stay for the moment (I have warned,
repeatedly). This is a temporary location for this site until I get my
own VPS, which will not have FP extensions, you can be sure.
>
>First thing I'd do is remove the FrontPage server extensions from the box, force
>logins over SSL, and stick custom error pages up so that your server doesn't
>report version numbers. Also, update your OpenSSL.......

Customer error pages is something I can get onto right away, Thanks for
that!
>
>Once you've done all that, you're better than good :D
>
>Nothing is impenetrable, but it'll be a bloody task to break it, and I can't see
>why anyone would even want to try.

Well that's what we hope, but I'd rather not give them the option. 
>
>Except, apparently, me at 2:40 AM Eastern, LOL

Thanks for doing that.  :-)
-- 
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/
date: Tue, 21 Apr 2009 10:18:09 +0100   author:   Geoff Berrow

Re: Anyone 'ere?   
On Tue, 21 Apr 2009 10:18:09 +0100, Geoff Berrow  did make
me awaken from my chaotic existentialism when they didst announce:

>Message-ID:  from OldbieOne
>contained the following:
>
>
>>>.NET?  You have to be kidding, right?
>>
>>HAHAHA! Gotcha, Mr PHP guru ;)
>>How long did I have you with that one? The part about my .NET knowledge is
>>unfortunately true. I strayed into Micro$haft hell and kinda stayed there.......
>
>Ha!   I thought your memory was going for a moment.
>>
>>
>>>No, it's LAMP with bits of AJAX
>>>
>>>www.imeasure.org.uk
>>
>>Well, the most obvious thing that I see right off the bat, is that your login
>>doesn't use https.....so that's a possible headache there.....
>
>We took the view that it wasn't necessary for the site in its current
>form.  No money involved and all you'd get if you broke in would be a
>bunch of meter readings.

Makes sense

<snip>

><sigh>  Yes I know.  The client who I manage the VPS for insists on
>using Grunt Page and so it has to stay for the moment (I have warned,
>repeatedly). This is a temporary location for this site until I get my
>own VPS, which will not have FP extensions, you can be sure.

I don't know why anyone has it installed anywhere, especially on Linux......

<snip>

>Thanks for doing that.  :-)

You're welcome, Geoff :)

--
OldbieOne - 
The guy who tells it like it is!
date: Tue, 21 Apr 2009 18:03:46 -0400   author:   OldbieOne
