I updated the graphics on my website. I used small images, etc. Can someone tell me how it looks and loads? I would be especially interested in a critique from a 56k user.
Whoops. The website URL is Http://www.quiddity128.net. I store all the articles in text files and then read them using the FileSystem object. Would you store it in a database or text files?
I've no comment on any of the site or its design, but you might want to tighten the security on articles.asp, especially when giving it arguments.
Looks like you've changed a few things since, but when I posted you were allowing unchecked variables to be passed into your script. For example, your script used a variable called page passed through the URI, e.g. Articles.asp?Page=Article1, which then would have loaded a text file called D:\hosting\something\Articles\Article1.txt. Because you left this unchecked, I could come along and alter what file I wanted your script to read, so I could pass, for example, ../../Article1 into your script to alter the directory that I wanted your script to read. Thankfully you were enforcing '.txt' to be appended onto the end of the variable, but if you hadn't, I could have used your script to potentially read any file on your host's hard drive. Config files, Windows password files, you name it... You might want to suppress any ASP error codes such as the ones displayed here, because you are giving away to a potential hacker the following:
1) You're hosted on a Windows IIS/ASP server
2) (Before you changed the script a bit) the location and drive that you are hosted on
3) The rest of your site is likely to be riddled with exploitable holes
4) A whole plethora of buffer-overrun exploits are entirely possible due to unchecked variable passing
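The two behaviours described above, an unchecked page-to-file mapping next to a checked one, as an added example in Python (not the site's own ASP code). The Articles directory and the article-name pattern are assumptions for the demo.

```python
import os
import re

# Constructed for this example: stands in for the host's Articles directory.
ARTICLES_DIR = os.path.abspath("Articles")

# Allow-list for the Page parameter: a short identifier and nothing else,
# so '.', '/', '\\' and therefore '..' can never reach the filesystem call.
ARTICLE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def resolve_article_unchecked(page, articles_dir=ARTICLES_DIR):
    """What the post describes: the raw parameter goes straight into the path.

    Appending '.txt' limits the extension, but the directory part of the
    resulting path is still fully controlled by the caller.
    """
    return os.path.abspath(os.path.join(articles_dir, page + ".txt"))


def resolve_article(page, articles_dir=ARTICLES_DIR):
    """Hardened mapping: returns the file path, or None if `page` is unsafe.

    Two independent checks:
    1. syntactic allow-list on the raw parameter;
    2. the resolved path must still lie inside the articles directory
       (defence in depth in case the allow-list is ever loosened).
    """
    if not isinstance(page, str) or not ARTICLE_NAME.fullmatch(page):
        return None
    candidate = os.path.abspath(os.path.join(articles_dir, page + ".txt"))
    # normcase makes the containment check case-insensitive on Windows hosts.
    base = os.path.normcase(os.path.abspath(articles_dir)) + os.sep
    if not os.path.normcase(candidate).startswith(base):
        return None
    return candidate


def escapes_articles_dir(path, articles_dir=ARTICLES_DIR):
    """True when `path` resolves outside the articles directory."""
    base = os.path.normcase(os.path.abspath(articles_dir)) + os.sep
    return not os.path.normcase(os.path.abspath(path)).startswith(base)


if __name__ == "__main__":
    for page in ("Article1", "../../Article1"):
        print(page, "->", resolve_article_unchecked(page), "| checked:", resolve_article(page))
```

Serving a generic "article not found" page on None, rather than the raw ASP error, also addresses the information-leak point made in the post.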
Nice work, BUT hehehe my site is HACKER proof. The page variable uses a "Server.MapPath", so if you type ANYTHING outside of the directory that ONLY contains articles, it will throw you out. But thanks for pointing that out. I am gonna fix it soon (in fact I was thinking about the same thing last night hehe).
No site is hacker proof. Did you even read my post? If you're not going to take advice on board, then don't bother asking for it in the first place. You're allowing unchecked variables. You're outputting standard errors that give away clues as to you and your host's setup. Not good! Here it is again for you - You're allowing unchecked variables. You're outputting standard errors that give away clues as to you and your host's setup. How do you know that MapPath() doesn't have an exploit out there?
I love a good discussion when others say I am wrong. I am not attacking you, just trying to have a nice debate. Server.MapPath has 0 exploits; all it does is map the path. In fact, I'm willing to wager 500K to the person who hacks my site. It cannot be done.
I'd take that wager if I knew I wouldn't get booted from my ISP :/ and you don't have the 500k to back it up anyway, so I won't bother. There is no site in the world that is hacker proof, especially not a private site like yours.
I bet you it is. I JUST don't see how it is hackable? You don't have to hack it. Give me a message on AIM and tell me how you would hack it, so that way your ISP won't boot you. Once again, it cannot be done. It could be done when every server in the world used Microsoft Windows 98 4 years ago, but with new processors with buffer overflow protection etc. it's not possible.
How amusing. Just because you don't know a way to hack it means that nobody can? Of course my ISP would boot me (or at least get narky with me, and put me on an evil blacklist of doom) for playing about with it finding the holes in it, so I'd rather not, and I'm certainly not putting AIM anywhere near my PC lol. It CAN be done. Find a few random warez forums and post this up "j00 Skr1pt k2ddI3ZZZ C4NT H4CK tH15!!!1111one $500k S3Z S0!! B334TCH!111ONEZORS" with a link. I give it 20 mins absolute maximum.
Can you find me a warez forum to post it in, or can someone post it for me? I don't know any. But seriously, this is a challenge. This should be a bit-tech contest: "come hack john cena". I would congratulate the winner, not punish, nor would I report him etc.
But the second most ISPs detect activity like nmap/nessus etc., boom, not good, regardless of whether you permit it or not, unfortunately.
Er, no, it means I'm not going to try anything, because my ISP won't like it, and I've grown quite fond of the internet.
How is it a discussion when you won't even listen? Heh. No one is saying you are wrong either, mate, just offering up some ideas and possible advice that you seem unable to take on board! Can you back this up please? It took me one Google search then one refined search to find mention of exploits for Server.MapPath! Please don't go asking script kiddies to make a mess of your website.