
Development New Image look? Website Critique

Discussion in 'Software' started by John Cena, 27 Nov 2004.

  1. John Cena

    John Cena What's a Dremel?

    Joined:
    1 Jun 2004
    Posts:
    818
    Likes Received:
    0
    I updated the graphics on my website. I used small images etc

    Can someone tell me how it looks and loads? I would be especially interested in a critique from a 56k user
     
  2. Hwulex

    Hwulex What's a Dremel?

    Joined:
    1 Feb 2002
    Posts:
    4,007
    Likes Received:
    1
    A link might come in handy. :idea:
     
  3. laoda

    laoda What's a Dremel?

    Joined:
    27 Nov 2004
    Posts:
    35
    Likes Received:
    0
    At least it loads fast.
     
  4. John Cena

    John Cena What's a Dremel?

    Joined:
    1 Jun 2004
    Posts:
    818
    Likes Received:
    0
    woaps

    The website url is Http://www.quiddity128.net

    I store all the articles in text files and then read them using the Filesystem object.
    Would you store it in a database or text files?
     
  5. John Cena

    John Cena What's a Dremel?

    Joined:
    1 Jun 2004
    Posts:
    818
    Likes Received:
    0
    Okay, I added new changeable themes. Can anyone make a comment on that?
     
  6. RTT

    RTT #parp

    Joined:
    12 Mar 2001
    Posts:
    14,120
    Likes Received:
    74
    I've no comment on any of the site or its design, but you might want to tighten the security on articles.asp, especially when giving it arguments ;)
     
  7. John Cena

    John Cena What's a Dremel?

    Joined:
    1 Jun 2004
    Posts:
    818
    Likes Received:
    0
    What do you mean? Give me an example (even if it's a hack in security).
     
  8. RTT

    RTT #parp

    Joined:
    12 Mar 2001
    Posts:
    14,120
    Likes Received:
    74
    Looks like you've changed a few things since but when I posted you were allowing unchecked variables to be passed into your script.

    For example, your script used a variable called page passed through the URI, eg, Articles.asp?Page=Article1, which then would have loaded a text file called D:\hosting\something\Articles\Article1.txt.

    Because you left this unchecked I could come along and alter what file I wanted your script to read, so I could pass, for example, ../../Article1 into your script to alter the directory that I wanted your script to read.

    Thankfully you were enforcing '.txt' to be appended onto the end of the variable, but if you hadn't I could have used your script to potentially read any file on your host's hard drive. Config files, Windows password files, you name it...

    You might want to suppress any ASP error codes such as the ones displayed here because you are giving away to a potential hacker the following:

    1) You're hosted on a windows IIS/ASP server
    2) (Before you changed the script a bit) the location and drive that you are hosted on
    3) the rest of your site is likely to be ridden with exploitable holes :D
    4) a whole plethora of buffer-overrun exploits are entirely possible due to unchecked variable passing

    :)
     
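The defence the thread is circling around is a server-side check on the Page value before it is turned into a file path. The following is an added example, not code from the site or from anyone in this thread; it is written in Python rather than classic ASP to show the general check, and it assumes articles are stored as <articles dir>/<Page>.txt as described above. It applies two independent checks: an allow-list on the raw value, and a containment check on the canonical path so that traversal sequences, absolute paths or drive letters never escape the articles directory. Failures return None instead of raising, so no path or server details leak into an error page.

```python
import os
import re
import tempfile
from typing import Optional

# Constructed sample articles directory standing in for the real one.
ARTICLES_DIR = tempfile.mkdtemp(prefix="articles_")
with open(os.path.join(ARTICLES_DIR, "Article1.txt"), "w") as fh:
    fh.write("Sample article body (constructed).")

# Allow-list: a plain file stem of letters, digits, underscore or hyphen.
# No dots, slashes, backslashes, colons or NUL bytes can get through.
SAFE_PAGE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def resolve_article(page: str, base_dir: str = ARTICLES_DIR) -> Optional[str]:
    """Map ?Page=<page> to an absolute path inside base_dir, or None if rejected."""
    if not SAFE_PAGE.fullmatch(page):
        return None
    # Canonicalise both sides (resolves '..' and symlinks) before comparing.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, page + ".txt"))
    # Containment check: the candidate must still be under base after
    # canonicalisation. This is defence in depth behind the allow-list.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def read_article(page: str) -> Optional[str]:
    """Return the article text, or None for any rejected or missing page."""
    path = resolve_article(page)
    if path is None or not os.path.isfile(path):
        return None
    with open(path) as fh:
        return fh.read()
```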
  9. John Cena

    John Cena What's a Dremel?

    Joined:
    1 Jun 2004
    Posts:
    818
    Likes Received:
    0
    Nice work BUT hehehe my site is HACKER proof.

    The page variable uses a "Server.Mappath", so if you type ANYTHING outside of the directory that ONLY contains articles, it will throw you out.

    But thanks for pointing that out. I am gonna fix it soon (in fact I was thinking about the same thing last night hehe)
    :thumb:
     
  10. Mister_Tad

    Mister_Tad Will work for nuts Super Moderator

    Joined:
    27 Dec 2002
    Posts:
    13,317
    Likes Received:
    1,574
    ROFL

    No, it really isn't, I can 100% guarantee that :hehe:
     
  11. RTT

    RTT #parp

    Joined:
    12 Mar 2001
    Posts:
    14,120
    Likes Received:
    74
    No site is hacker proof.

    Did you even read my post? If you're not going to take advice onboard then don't bother asking for it in the first place :) You're allowing unchecked variables. You're outputting standard errors that give away clues as to you and your host's setup. Not good!

    Here it is again for you -

    You're allowing unchecked variables. You're outputting standard errors that give away clues as to you and your host's setup.

    How do you know that mappath() doesn't have an exploit out there? :)
     
  12. John Cena

    John Cena What's a Dremel?

    Joined:
    1 Jun 2004
    Posts:
    818
    Likes Received:
    0
    I love a good discussion when others say I am wrong. I am not attacking you, just trying to have a nice debate.

    Server.Mappath has 0 exploits, all it does is map the path.
    In fact, I'm willing to wager 500K to the person who hacks my site. It cannot be done.
     
  13. Mister_Tad

    Mister_Tad Will work for nuts Super Moderator

    Joined:
    27 Dec 2002
    Posts:
    13,317
    Likes Received:
    1,574
    I'd take that wager if I knew I wouldn't get booted from my ISP :/
    And you don't have the 500k to back it up anyway, so I won't bother.

    There is no site in the world that is hacker proof, especially not a private site like yours.
     
  14. John Cena

    John Cena What's a Dremel?

    Joined:
    1 Jun 2004
    Posts:
    818
    Likes Received:
    0
    I bet you it is. I JUST don't see how it is hackable?

    You don't have to hack it. Give me a message on A.I.M. and tell me how you would hack it, so that way your ISP won't boot you.

    Once again, it cannot be done.

    It could be done when every server in the world used Microsoft Windows 98 4 years ago, but with new processors with buffer overflow protection etc. it's not possible :rock:
     
  15. Mister_Tad

    Mister_Tad Will work for nuts Super Moderator

    Joined:
    27 Dec 2002
    Posts:
    13,317
    Likes Received:
    1,574
    How amusing.
    Just because you don't know a way to hack it means that nobody can, of course.

    My ISP would boot me (or at least get narky with me, and put me on an evil blacklist of doom) for playing about with it finding the holes in it, so I'd rather not, and I'm certainly not putting AIM anywhere near my PC lol.

    It CAN be done.
    Find a few random warez forums and post this up:

    "j00 Skr1pt k2ddI3ZZZ C4NT H4CK tH15!!!1111one $500k S3Z S0!! B334TCH!111ONEZORS"
    with a link.

    I give it 20 mins absolute maximum.
     
  16. John Cena

    John Cena What's a Dremel?

    Joined:
    1 Jun 2004
    Posts:
    818
    Likes Received:
    0
    Can you find me a warez forum to post it in, or can someone post it for me? I don't know any. But seriously, this is a challenge. This should be a bit-tech contest: "come hack John Cena". I would congratulate the winner, not punish him, nor would I report him etc.
     
  17. Mister_Tad

    Mister_Tad Will work for nuts Super Moderator

    Joined:
    27 Dec 2002
    Posts:
    13,317
    Likes Received:
    1,574
    But the second most ISPs detect activity like nmap/nessus etc., boom, not good.

    Regardless of whether you permit it or not, unfortunately.
     
  18. John Cena

    John Cena What's a Dremel?

    Joined:
    1 Jun 2004
    Posts:
    818
    Likes Received:
    0
    Which means I am 100% hacker proof, because ISPs protect me? :confused: :confused: :confused:
     
  19. Mister_Tad

    Mister_Tad Will work for nuts Super Moderator

    Joined:
    27 Dec 2002
    Posts:
    13,317
    Likes Received:
    1,574
    Er, no.
    It means I'm not going to try anything, because my ISP won't like it, and I've grown quite fond of the internet.
     
  20. RTT

    RTT #parp

    Joined:
    12 Mar 2001
    Posts:
    14,120
    Likes Received:
    74
    How is it a discussion when you won't even listen? Heh. No one is saying you are wrong either mate, just offering up some ideas and possible advice that you seem unable to take onboard!

    Can you back this up please? It took me one google search then one refined search to find mention of exploits for server.mappath!

    Please don't go asking script kiddies to make a mess of your website :duh:
     