haha fucker ^^
you can't stand for what you have done lol
haha 194.110.184.135 (WWW.SAHD.ALAND.FI) nice IP nexztone, fancy hacking from that again?
O_O that's the school's IP :P
and I'm no hacker btw :P
just doing what you deserve
it's not worth letting DW pay for SHIT!?!
and it wasn't meant to delete the db
waixan just slipped when he was fixing
in failed attempts lol
"SceneGateway - Your accesspoint to the scene"
XSS hackable in at least 2 places, using an SSL certificate issued in 2004, your Apache is spitting out way too much information in the server string and your site is accepting easily faked headers for IP addresses.
I haven't even looked for SQL holes.
So that's the "secure as can be" comment dealt with.
I don't know what browser you are using, but your site is lacking a logo and various images in both FF and IE. It's just a black page with some white text.
Certainly not a "must see".
This is just a default tbdev, with your "upgrades" consisting of taking other people's code from tbdev.net and applying it. That you haven't even applied my and others' basic security patches shows that you don't care about security.
If you run off now and find those patches though, be sure to put the tbdev credits back in, won't you?
So, in short:
Don't claim it's all your own work when it's a default tbdev.
If you've hardly changed it at all, leave the credits in.
Stop spouting off about security unless you actually understand security. If you did understand it, you would never claim to be "secure as can be".
Make sure to actually test your designs on different browsers.
Change the logo.
I signed up, 17th member... Do I get VIP?
Nothing in the browse...
Nothing here!
Sorry pal :(
like i said DW is paying for SHIT
Fail.
Hardly a fail. And actually it is secure and patches have been applied, dumbass. And as I said, ironing out.
Let's see if I can explain this to you.
Fail 1) The very old SSL certificate. Looks like it came with XAMPP. As you seem incapable of grasping the basics, anyone with a copy of XAMPP also has a copy of your SSL certificate, and the private key needed to decode the traffic.
In simple terms, this means that your "extreme security" is actually no better than plain text over HTTP. Anyone in the world can decrypt your SSL traffic.
That certificate works fine if it's for testing on localhost (which is who it is issued to), but it is not supposed to be used on the wider internet.
Fail 2) Having written a patch designed to quickly plug XSS holes for tbdev, I think I would know if it was applied. Your site will accept XSS attacks in at least 2 places, meaning I can steal cookies from your members.
Fail 3) Having also written a patch to quickly protect against stolen cookies, I can say that you haven't applied it.
Without protection from stolen cookies, I can then access their accounts.
Fail 4) Having further written patches to require the current password on email or password changes, guess what your site is lacking.
So after an attacker steals the cookies from your users, there is nothing to stop him changing their email and password, locking them out permanently.
Fail 5) Having also written a patch to stop users faking their connection IPs completely and easily, I can again say that this is not in place.
As long as I can tell your site that I am actually connecting from the White House, good luck finding out who is attacking you and stealing the accounts of your users. You also cannot block their proxies, as they don't need to use any.
Fixing this is a requirement if you want to fix stolen cookies.
This isn't even touching on what can be done once an attacker steals an admin or sysop account.
If you cannot understand any of the above, then you have no business at all talking about security, let alone claiming to be totally secure.
If you cannot apply security patches to a basic source, you have no business claiming to have written your own custom code. We all know it's tbdev, applying a few patches does not a coder make.
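An added illustration of "Fail 5" and "Fail 3" from the post above, written for this page rather than taken from rvt's patches or from tbdev: a client-IP resolver that trusts forwarded headers beside one that only believes the socket address, and a login-cookie lookup bound to that resolved address so a copied cookie presented from elsewhere is refused. The `$_SERVER`-style arrays, the session table, the `getip*` and `user_from_cookie` names and the trusted-proxy list are all constructed for the example; the thread does not say how rvt's own cookie patch works.

```php
<?php
// Added example (not tbdev code, not rvt's patch). Everything below is constructed.

// Vulnerable pattern: client-controlled headers are preferred over the socket
// address. Any client can send X-Forwarded-For or Client-IP with any value,
// so logs, bans and per-IP checks all see whatever the attacker chose.
function getip_trusting_headers(array $server): string
{
    foreach (['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR'] as $header) {
        if (!empty($server[$header])) {
            return trim(explode(',', $server[$header])[0]);
        }
    }
    return $server['REMOTE_ADDR'];
}

// Hardened pattern: REMOTE_ADDR is the only address the client cannot set.
// A forwarded header is consulted only when the socket peer is a proxy we run
// ourselves, and then only the entry that proxy appended (the rightmost one),
// which must still parse as an IP address.
function getip(array $server, array $trustedProxies = []): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (in_array($remote, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $candidate = end($hops);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return $remote;
}

// Constructed session store: cookie value => user and the address seen at login.
// Binding the cookie to the resolved IP means a stolen copy only works from the
// same address, which is one common mitigation for stolen cookies; it only helps
// if the IP itself cannot be faked, which is the point rvt makes in "Fail 5".
$sessions = [
    'c0ffee' => ['user' => 'alice', 'ip' => '203.0.113.10'],
];

function user_from_cookie(array $sessions, string $cookie, string $ip): ?string
{
    if (!isset($sessions[$cookie])) {
        return null;
    }
    return $sessions[$cookie]['ip'] === $ip ? $sessions[$cookie]['user'] : null;
}

// Constructed request: the socket peer is one address, the header claims another.
$spoofed = [
    'REMOTE_ADDR'          => '198.51.100.77',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.10',
];

// The header-trusting resolver hands back the claimed address; the hardened one
// ignores the header because 198.51.100.77 is not a trusted proxy.
var_dump(getip_trusting_headers($spoofed));
var_dump(getip($spoofed));

// Consequence for a copied cookie: the lookup bound to the spoofable address
// still yields the account, the lookup bound to the socket address does not.
var_dump(user_from_cookie($sessions, 'c0ffee', getip_trusting_headers($spoofed)));
var_dump(user_from_cookie($sessions, 'c0ffee', getip($spoofed)));
```

The trusted-proxy list should only ever contain addresses of reverse proxies the site operator runs; with no such proxy in front of the web server it stays empty and `REMOTE_ADDR` is the only source used.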
Ouch, that site has more holes in it than Swiss cheese.
good tell ^^
Wait a second. You're saying:
1. You've already been hacked
2. You have rogue ex-staffers handling the DB (btw, nice job finding trustworthy staff)
3. You're doing a shitty job patching tbdev
Where do I sign up?
:blink:
/me joins the line
Good luck. :)
We've generated random SSL keys and now have SSL encryption. We've added the patches and have plugged known holes. The site is nearly complete and we will start letting our uploaders get to our previous 207 torrents :) Thanks rvt for the help.
Not had time to check all, but glad you paid attention.
Try not to mention how "unhackable" you are in future though, because next time it'll probably be someone handing you your ass by sending all your users to a Chinese virus site. The mention of how great your security is is like a challenge :P
Now that you've applied those patches, I'd recommend a comb through all your files when you get the time, and make sure that every _POST, _GET and _REQUEST is wrapped in sqlesc() before being sent to the database and htmlentities() before being output to page. It's not quick though, took me 3 days at 24/7 when I opened.
The sqlesc() will keep your database safe, and htmlentities() is the more permanent fix for XSS attacks.
After that, you may want to check out your forums quote function. Can't remember if it's hit tbdev yet, but a bug in there allows reading of staff forums by users. Again, it's not quick to fix, so you may want to ask an experienced coder for help on that.
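As an added worked example of the comb-through rvt recommends above (not tbdev code and not rvt's patch): the same user-search value handled the vulnerable way and the way the post describes, on the database side with an escaped-and-quoted literal and on the output side with `htmlentities()`. The `sqlesc()` here is a stand-in built on `PDO::quote()` so the example runs against an in-memory SQLite table without a MySQL server; the table, rows and request values are constructed.

```php
<?php
// Added example (not tbdev code). In-memory SQLite stands in for the tracker's
// MySQL database so this runs offline; the users and the request are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, class INTEGER)');
$pdo->exec("INSERT INTO users (username, class) VALUES ('alice', 0), ('bob', 5)");

// Stand-in for the tracker's sqlesc(): escape the value and return it already
// quoted, so it can be dropped straight into the query as one string literal.
function sqlesc(PDO $pdo, string $value): string
{
    return $pdo->quote($value);
}

// Constructed request value, standing in for $_GET['username'] on a search page.
$input = "' OR '1'='1";

// Vulnerable: the raw request value is interpolated into the SQL. The quote in
// $input closes the literal and the remainder becomes part of the WHERE clause,
// so the search matches every row instead of one username.
$vulnerable = $pdo
    ->query("SELECT username FROM users WHERE username = '$input'")
    ->fetchAll(PDO::FETCH_COLUMN);

// Fixed: the whole value is escaped and quoted as a unit, so the query can only
// ever compare usernames against it literally. No user has this name.
$fixed = $pdo
    ->query('SELECT username FROM users WHERE username = ' . sqlesc($pdo, $input))
    ->fetchAll(PDO::FETCH_COLUMN);

var_dump($vulnerable);
var_dump($fixed);

// The output side of the same rule. A stored or reflected value that is echoed
// as-is is interpreted as markup by the browser; entity-encoding it first makes
// the browser show it as text.
$display = '<script>alert(document.cookie)</script>';
echo $display, PHP_EOL;                                     // vulnerable
echo htmlentities($display, ENT_QUOTES, 'UTF-8'), PHP_EOL;  // fixed
```

`ENT_QUOTES` encodes both quote characters, which matters when the value is placed inside an attribute and not only between tags; the same `htmlentities()` call belongs on every user-supplied value at the point where it is written to the page, not at the point where it is stored.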
Lollercaust
nice work rvt
We have fixed patches. Thanks rvt. We also have now hired a coder to potter with security and general issues. All known anti-p2p IPs have also been blocked. The server as well as the site has been through some security updates. So all should be ok now. Thanks rvt again. We're also looking for members again and uploads should be back up tomorrow.
Regards Superseed
PS If it's possible to just forget the past and give me a clean sweep at this I'd be grateful.
that's what makes me so happy to code in Ruby on Rails from now on... no more PHP for me (unless I have to support already existing apps), this is so bad having to check it yourself on every database update.
You expose yourself to holes if you let a beginner code something without supervising him enough, no wonder plenty of trackers with inexperienced coders get hacked
wonder when the first Ruby-based tracker will arrive, would have been a good occasion with the new gazelle... :whistling
Ruby apps can still be hit with SQL injection if not coded properly.
http://www.rorsecurity.info/2007/05/19/sql-injection/
You also still have to manually escape output to avoid XSS issues.
Yes, we're fixing the issue. It's a matter of time waiting for the domain to refresh. To access the site go to scenegateway.com, no www. :)
KFlint: You might want to check out http://code.google.com/p/hydraproject/
A ROR based tracker. No idea whether it's actually any good though.
nice title... he's a foreigner, American ethnocentrists... watch out!
Uploads are now working and being uploaded, enjoy.
Need some more suggestions soon will be adding in the switch for ssl...
So you found the coder you were looking for on tbdev lol
Quote:
Hey we have SSL certificates generated by XAMPP of course but I want a coder who can code it properly like what.cds SSL and waffles.fm so that you can turn it on or off. Maybe even this for a mod for everyone to use! Post here if you can help thanks
Lol crap site!!!
Yes, as I was saying, that was for the SSL and security. Fuck's sake, is the whole world against us?
NO!
Just listen to people like rvt, Brandon, DV8 and other well-known respected names in BT and those actually giving you advice. :yup:
Ignore the rest of the (f)lamers. They can only do namecalling because they don't know the first thing about coding or the 'inside' of a tracker, but they think it is l33t to bash new trackers where access is easy. They'd rather try to get into the 'rare' trackers that do not want them. :noes:
I signed up,
I will wait and see. good luck. hope you prove all the know-it-alls wrong
I'm embarrassed to have an account on that site.
Good luck dude, it's a hard world to try to startup a tracker in now.
LEE1 Fuck off cunt.
what's your account, I'll delete it then!
You will have your work cut out for you, that's for sure. Regardless, good luck.