
Accidentally compromised bebo's Music


xorf

Newbie

Posts: 4

Joined: Sat Oct 13, 2007 5:14 am

Post Tue Oct 16, 2007 5:19 am

Accidentally compromised bebo's Music

I was bored, and I was doing some leeching attacks on my own community website. I wanted to test out the new JavaScript and htaccess that I put in place so the DivX player could not be embedded on another site and for the videos to be leeched. Everything worked out well, even with attacks against Tamper Data.

But in the process I found a dangerous exploit in the community website 

By using Tamper Data when loading any of the songs on bebo, it showed up the subdomain from which the mp3s are loading, and just by removing a few characters from the end of the absolute URL, I was able to get the mp3. I informed  (owner of) but I got no response. 

What other steps would be advisable to take?

Maybe  doesn't believe me or maybe he is just worried now that his "Music" side to has been completely compromised.
Last edited by xorf on Tue Oct 16, 2007 12:25 pm, edited 1 time in total.

oleDB

Recruiters

Posts: 236

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Tue Oct 16, 2007 9:06 am

Re: Accidentally compromised bebo's Music

How long did you give them to respond? Generally you want to give the person/company ample time to fix the issue before posting in a public forum. For a site like that, I would say 30 days at least. For a vendor software bug, you should wait 60-120 days to allow them to fix it, otherwise it's not responsible disclosure. After that, a popular way to take it public is the Full-Disclosure mailing list.

From what you're saying, it sounds like it's only a misconfiguration of his webserver, allowing users to traverse directories and obtain files illegally. Is that correct?

In the future, you may want to not use the actual domain name either.

xorf

Newbie

Posts: 4

Joined: Sat Oct 13, 2007 5:14 am

Post Tue Oct 16, 2007 12:16 pm

Re: Accidentally compromised bebo's Music

Firstly, it would have been nice to point me in the direction of an IT law that explains it, instead of giving a lecture. I'm not a hacker, black/white, by any means; I'm just an I.T. student who likes web security. This site is based upon ethics, is it not?


About a month now.

The audio is controlled by a Flash object which in turn streams the mp3 from a directory within a subdomain. This call is controlled by a JavaScript. And from what I can tell there seems to be no fault. It does what it is supposed to do. I'm not prepared to enter the script here or anywhere. I have no right to.

From what you're saying, it sounds like it's only a misconfiguration of his webserver, allowing users to traverse directories and obtain files illegally. Is that correct?
If it was a misconfiguration, then the Flash mp3 player wouldn't be able to be embedded on another website, but it. And from research it always was.

I was going to tell him to write the following .htaccess. But as I'm not too familiar with Resin server, and from what you just said, I'm staying away from the topic.


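RewriteEngine on
# Skip the rule when the request carries no Referer header
RewriteCond %{HTTP_REFERER} !^$
# Apply it only when the Referer is not a page on this site
RewriteCond %{HTTP_REFERER} !^http://(www\.)?websiteaddresshere\.com(/.*)?$ [NC]
# Answer such .mp3 requests with 403 Forbidden ("-" means no substitution)
RewriteRule .*\.(mp3|MP3)$ - [F,NC]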
Last edited by xorf on Tue Oct 16, 2007 12:26 pm, edited 1 time in total.
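
Added example, not part of the thread and not code from the site discussed: a Python model of the Referer check in the .htaccess rule posted above, next to an expiring signed media URL, which goes beyond the thread as one server-side alternative. The Referer header is supplied by the client, so the rule limits embedding on other sites but does not authorize the download itself. The host example.com, SECRET, the paths and the token layout are assumptions made for the illustration.

```python
import hashlib
import hmac
import re
import time

# Assumptions (not from the thread): example.com stands in for the site name;
# SECRET, the paths and the token layout are hypothetical.
SITE_RE = re.compile(r"^http://(www\.)?example\.com(/.*)?$", re.I)
MP3_RE = re.compile(r".*\.(mp3|MP3)$", re.I)
SECRET = b"constructed-demo-key"


def referer_rule(path, referer=""):
    """Status the posted rewrite rule would return: both conditions must hold
    (Referer non-empty AND not our site) before an .mp3 request gets 403."""
    if MP3_RE.match(path) and referer != "" and not SITE_RE.match(referer):
        return 403
    return 200


def sign(path, expires):
    """Token the site would put into the media URL it hands to its player."""
    msg = f"{path}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def signed_url_rule(path, expires, token, now=None):
    """Server-side check that does not depend on any client-supplied header."""
    now = time.time() if now is None else now
    if now > expires:
        return 403  # link has expired
    ok = hmac.compare_digest(token, sign(path, expires))
    return 200 if ok else 403  # token must match this exact path and expiry


if __name__ == "__main__":
    # Constructed sample requests: own page, foreign page, no Referer at all.
    for ref in ("http://www.example.com/profile", "http://other.example.net/", ""):
        print(repr(ref), referer_rule("/audio/track.mp3", ref))
    exp = 1_000_000_600
    tok = sign("/audio/track.mp3", exp)
    print(signed_url_rule("/audio/track.mp3", exp, tok, now=1_000_000_000))
    print(signed_url_rule("/audio/other.mp3", exp, tok, now=1_000_000_000))
```
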
