disclosure for some www.random.ie

spod

This is a summary of posts under a previous topic, now deleted due to it's title for pretty obvious reasons.

Summary for Enlightenment:

original post by topgold

I used default passwords at http://some.url
after seeing a post about it on Topgold [1] and it's definitely a wide-open database if anyone knows how to walk around IIS.

regards
Bernie Goldbach

[1] <gone>

[This message has been edited by X_OR (edited 27-07-2000).]

x_or's follow up..

This company have been aware of this since yesterday evening and are currently taking steps to remedy this situation.

Isn't it unethical to post this hole considering they have acknowledged it and are doing something about it?

X_OR, (wondering if censorship is justified in this case?)

[This message has been edited by X_OR (edited 27-07-2000).]

x_or having mulled things over
Ok, I've edited this post because I believe it to be unethical to provide this information at this stage (for the reasons I state above) and have no wish to make life easy for some script kiddy.

I am curious in knowing what you intended to achieve by this and would suggest that people in glasshouses should not throw stones in this manner.

Jerry.
--
ejrry^[bxpZZ

Ok, that's the bare essence of the topic. (Ok there was a post from me at 2am last night, but that doesn't count ;P)

Now where do I stand on this personally.

Well, I'd have to side with x_or (and not just for the sake of moderator unity).

However, I'd see things slightly differently.

Topgold mightn't have been aware that the company were aware of the issue. That is still no justification for posting in a public forum. Also, someone of topgolds standing in the irish webdev community should've appreciated the damage such a reckless post could cause imho. Sending a polite mail, or a quick phone call to the company is one thing. If necessary backed up with some evidence of the hole, and pointers to why it's bad.

Posting wide open sites in any public forum, not least one mainly populated by sweaty gamer types just ain't on.

spod

spod

oops.

Sorry for deleting the thread.

I didn't realise you could edit titles in ubb control panel.

spod (who's gonna rtfm next time)

logic1

I once remember the good ole php hole in web boards..
Quite a time ago that was...

.logic.

jmcc

Originally posted by logic1:
I once remember the good ole php hole in web boards..
Quite a time ago that was...

.logic.

And the wizard keys in Sendmail. :-) I even remember the holes in Remote Access 1.n.
Regards...jmcc

topgold

Sorry for shooting off the URL of the open section. It annoys me that I could still walk in and out of the site's database for weeks after the developers had been politely told about their errors.

FWIW, this thread (and many on this board) are archived by many of the heavyweight search engines. Stuff you say here could easily become part of internet history.

regards from Kilkenny,
Bernie Goldbach