Can someone explain to me how finding cookies is actually difficult?
It seems too presumptuous of me to assume you guys don't know about how easy it is to find cookies.
Are you sure they're "Cookies" and not something else? I can't see the webpage to show how easy or difficult it would be to find the ecookie, soooo
If it's so easy, why didn't I find it with all the methods I have used?
Maybe I'm too stupid then. The cookie would only be set when the user logs in.
And I can't find the cookie on admin.php either.
Try to find this cookie: http://trustno1.info/eeditor/admin.php
It seems too presumptuous
^ it seems it was.
I wanted to see what detail I was missing. Whatever method he actually used, it seems relevant to explain that as a security flaw as well. He's holdin' out on ya
The cookie would only be set when the user logs in.
that's the clincher it seems.
daemon wrote:Just a reminder for Capasha that I qualify for
220 gems code to Everybody Edits. To the one that can exploit my login, or find any security issues.
Although I have been waiting eagerly (Do not mistake me for a moneygrubber though), I have not yet received 220 gems (PM me for my ingame name).
Cheers.
1) I can't get a gem code
2) I still need to know how you got that cookie, because bruteforcing or a dictionary attack on my page won't work.
If you can't tell how you found it, I can't give you anything. I'm sorry for that.
hummerz5 wrote:Wait was the login cookie something like userID or username in plaintext? If so, I get it. But if he had a random string, hashed in the DB, isn't that the way to do remember me systems?
It was a cookie with a name, if anyone set a value to it they would be able to login. I'm sorry that I'm bad at MySQL and PHP.
You can always ask an admin to convert it into a gem code.
No u.
You can always ask an admin to convert it into a gem code.
You mean to tell me we can still do this???
Nou wrote:You can always ask an admin to convert it into a gem code.
You mean to tell me we can still do this???
Yes, but not custom ones.
You can always ask an admin to convert it into a gem code.
I sent a pm to NVD. And I have seen him on the forums. So yes I guess he doesn't care anyway.
I still don't trust this. I shared the code to Dadito. He could have shared it to anyone. The cookie name was inside the code.
Chat on TV with Dadito. When I sent the code.
Finding a cookie is rather easy when either already created and not expired (The cookie is then stored and visible) or visible in client-side code (Javascript most often).
Capasha wonders how I retrieved the cookiename because neither of both situations was satisfied; The cookie would only be created if logged in successfully and was not visible in client-, but only in server-side (PHP) code.
Capasha, keep your gems if you do not think that 'LoginCookie' is a plausible name present in a dictionary used to set lots of cookies.
In comparison, it's like using 'Password123' while sure that no one would guess that; dumb.
But you claimed you managed some other way and insofar haven't directly laid claim to it. Was it the dictionary method or no?
Here I was wondering if there was some way to CSRF and get his cookies for that site, but I don't think it works like that.
Dictionary attacks usually are the last (and most time-consuming) resort, which is why I stumbled upon another method (One that does not present a threat) first.
The point is that I exploited his login and found at least one security issue, hence I satisfy his condition (It's logically inconsistent if I did not.):
220 gems code to Everybody Edits. To the one that can exploit my login, or find any security issues.
Last but not least I provided details on how to fix these issues.
The password is encrypted with salt. I don't know how you can say it's not.
The password also used special characters and had a length of 32.
I guess you must have a really good computer that can crack the password so fast, and also a lot of proxies to bruteforce my site, which will block an IP that tries too many times.
You are still trying to ignore how you got the cookie. So I don't see a reason to give you any gems.
1. I did not mention anything related to password cracking, especially I haven't said the password isn't encrypted with a salt. (What makes you think I said this?!)
2. I was talking about a dictionary attack; a long list of cookie names which are set during the attack, such that if a successful login depends on the presence of a cookie, then this attack might exploit that. What I have been saying for days now is that 'LoginCookie' is a plausible name for a cookie that is set when logged in, and therefore surely must be on the list.
You are still trying to ignore how you got the cookie. So I don't see a reason to give you any gems.
Yes I am. Keeping that method secret is worth more than any amount of money to me. But let's face it:
A: I exploited your login obviously by setting that cookie.
B: I found numerous security issues;
Some serious (exploitable) issues you are facing;
- Cookies are client-side and should not be used for authentication nor authorization.
- Passwords are not encrypted (preferably with a salt to prevent cracking by rainbow tables) and go insecurely over the wire.
^ Note that I didn't say that the passwords aren't salted, I said you haven't got HTTPS.
Now from
220 gems code to Everybody Edits. To the one that can exploit my login, or find any security issues.
or written as a proposition; "Exploit my login or find any security issues -> you will receive 220 gems"
and the truth of A and B, I deduce that I will receive 220 gems.
Anyone (hummerz5?) to back me up here or am I the only rational thinker?
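As an added illustration (not code from this thread, and not capasha's site, whose source is not shown here): a login check of the kind daemon describes, where the mere presence of a client-settable cookie grants access, next to a server-side session check. The cookie name `LoginCookie`, the `$db` PDO handle and the `users` table are assumptions.

```php
<?php
// Added example, not the thread's code. Assumes a hypothetical PDO handle $db
// and a users table with columns username and password_hash.

// --- Weak pattern: authorization decided by a client-controlled cookie. ---
// The browser owner can set "LoginCookie" themselves; no server state is
// consulted, so knowing (or guessing) the cookie name is all it takes.
function isAdminWeak(): bool {
    return isset($_COOKIE['LoginCookie']);
}

// --- Hardened pattern: the cookie only carries an opaque session id; the
// "logged in" fact lives server-side in the session store. ---
function startSecureSession(): void {
    session_set_cookie_params([
        'httponly' => true,    // not readable from JavaScript
        'secure'   => true,    // only sent over HTTPS (the thread notes it was missing)
        'samesite' => 'Strict',
    ]);
    session_start();
}

function login(PDO $db, string $user, string $pass): bool {
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() checks a salted hash produced by password_hash().
    if ($row === false || !password_verify($pass, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);   // fresh session id on privilege change
    $_SESSION['user'] = $user;     // server-side state; the client cannot set it
    return true;
}

function isAdminHardened(): bool {
    return isset($_SESSION['user']);   // only ever set by a successful login()
}
```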
He probably wants you to tell him how you did it so he can learn from it so it doesn't happen again... you can always just PM him
daemon, I don't doubt you earned the prize for that fancy image. I'm just personally curious as to your method worth more than money. I can see it either being illegal and you can't dare admit it, or incredibly obscure and you don't want to lose the rarity.
Also, you did mention salts, perhaps the wording was off? dunno.
again, tl;dr, yes you satisfied the conditions
Okay.. The broken glass on the floor under the window in the web- and DNS server room hosting his site wasn't an ordinary accident, I should have cleaned it up.
Jokes aside, the method simply loses its effectiveness when exposed to the public.
Furthermore when exposed, software authors have 0-days to plan and advise any mitigation against its exploitation.
However you could say it makes 'the internet' safer.
Sorry, but (personally) effectiveness outweighs the others.
You are going to get the gems when I have more money, because you said many more things than just the cookie.
If you don't want to tell about the cookie, then it's fine.