Worst security you've ever seen?

#1
Personally, it seems that the MyBB Admin Panel has to be pretty high on that list. It's absolutely riddled with XSS vulnerabilities. That being said, it's not a risk because the user has to get access to the ACP first. Once they have access to the ACP, you're already screwed. They can do whatever they want anyway.

I'll put my very first PHP project on the list too. It was a project called Filecave. I didn't do very much input sanitization. I just coded it all out and was like "meh, I'll sanitize later." What a decision that was. I ended up cancelling the project over it. 

Then there are all of the government sites that literally store passwords in plain text. No idea who they hired to do these websites, but that's terrible practice. Even random sophomores at my university know better than to try that. 

I would have to say older versions of Windows, at the end of the day. Windows XP is notoriously insecure. They never really got it reasonably good security-wise. Even Windows 10 is far less secure than Mac OS and Linux. This may, in part, be because it's the most popular OS in the world. It gets targeted far more often, but I truly believe it is genuinely much less secure in general.

What are the most insecure softwares you've ever discovered/run across?
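Post #1 names two of the classic defects (plaintext password storage and unsanitized output leading to XSS) without showing what the fix looks like. The following is an added example, not code from the thread, MyBB or Filecave, that puts the weak form of each beside a hardened form using only PHP's standard library. The in-memory `$users` array stands in for a database table, and the inputs at the bottom are constructed test values.

```php
<?php
// Added example (not from the thread): plaintext password storage and
// unescaped HTML output, each shown next to a hardened replacement.
// Assumes PHP >= 7.0 and uses only built-in functions.
declare(strict_types=1);

// --- Password storage -------------------------------------------------

// Weak: the password is stored as given, so a database leak exposes every
// account and every reused password along with it.
function store_plaintext(array &$users, string $user, string $password): void {
    $users[$user] = $password;
}

// Hardened: store only a salted, deliberately slow hash. PASSWORD_DEFAULT is
// bcrypt today and may change in later PHP releases; password_needs_rehash()
// below lets stored hashes be upgraded transparently when that happens.
function store_hashed(array &$users, string $user, string $password): void {
    $users[$user] = password_hash($password, PASSWORD_DEFAULT);
}

function verify_hashed(array &$users, string $user, string $password): bool {
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password', PASSWORD_DEFAULT);
    }
    if (!isset($users[$user])) {
        // Verify against a dummy hash so an unknown username costs roughly the
        // same time as a wrong password (no user-enumeration timing signal).
        password_verify($password, $dummyHash);
        return false;
    }
    if (!password_verify($password, $users[$user])) {
        return false;
    }
    // Re-hash on successful login if the stored hash uses an older cost/algorithm.
    if (password_needs_rehash($users[$user], PASSWORD_DEFAULT)) {
        $users[$user] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// --- Output escaping (the XSS side) -----------------------------------

// Weak: user-supplied text is interpolated straight into the HTML response.
function render_greeting_unsafe(string $name): string {
    return "<p>Welcome back, $name</p>";
}

// Hardened: escape at output time, for the HTML context, with the charset
// stated explicitly so multi-byte edge cases are handled consistently.
function render_greeting(string $name): string {
    return '<p>Welcome back, '
        . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</p>';
}

// --- Demo with constructed values -------------------------------------
$plain = [];
store_plaintext($plain, 'alice', 'correct horse battery staple');
echo "plaintext store holds: {$plain['alice']}\n";   // the secret itself

$users = [];
store_hashed($users, 'alice', 'correct horse battery staple');
echo "hashed store holds:    {$users['alice']}\n";   // a bcrypt hash, not the secret
var_dump(verify_hashed($users, 'alice', 'correct horse battery staple'));
var_dump(verify_hashed($users, 'alice', 'wrong password'));
var_dump(verify_hashed($users, 'nobody', 'anything'));

$payload = '<script>alert(1)</script>';   // constructed test input, not a real report
echo render_greeting_unsafe($payload), "\n";   // markup reaches the browser intact
echo render_greeting($payload), "\n";          // markup is rendered as literal text
```

The point the post makes about "sanitize later" is visible in the structure: the escaping lives at the output boundary (`render_greeting`), not scattered through input handling, so there is no later to forget.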

#2
alright kids we're gonna do a little experiment

first, we're gonna go to this cool website: https://bugs.php.net/
then scroll down and click "Most recent open bugs (all)"
then, in another tab, open up this website: https://bugs.mysql.com/
and in the search form, set status to "Verified" and click search

what you'll see is that, at the time of writing this post:
MySQL has 5647 Verified (i.e. submitted, checked by development team to confirm it is a bug, and never bothered with a fix) bugs
PHP (in general, minus version-specific bugs) has 4749 open bugs.

add them together, and you have the most common web technology stack in the whole f*** world.
and you have 10,396 bugs just between those two things alone, f*** the OS, web server, and plugins, mind you. just the scripting engine and DBMS.

how much do you want to bet that at least a couple of these bugs are present in someone's website?
how much do you want to bet that whatever bugs affect those websites might lead to compromise or information disclosure which later leads to compromise?

i rest my case

this post was made by ANTIPHPGANG
all my homies HATE PHP all my homies use FLASK
#f***
#3
We hear about an awful lot of websites being hacked with debit cards and social security numbers being released. I don't doubt it.

Worse, Ubuntu doesn't even update their core PHP versions in old LTS releases (read: 16.04) that are still supported, and leaves unsupported PHP versions in the official repositories. I had to find a PPA just to get a supported PHP release that was still getting security updates. We're using Ubuntu 16.04 to host MS. It's supposed to be supported until April 2021. (I would upgrade it, but upgrading Ubuntu means hours of downtime and a whole host of bugs and issues. The PPA was easier.)

MySQL and PHP both have ridiculous defaults. There is absolutely no reason for PHP to have CGI.pathauto (or whatever it's called) enabled by default. But it is. All it would take is a web master with a large website forgetting to fix that on one single server to potentially compromise their entire website.

It's a lot to remember. For better or for worse, every single website on the internet is vulnerable, whether the vulnerabilities are known or not. They say security through obscurity is not sufficient, and it honestly isn't. But neither is assuming that no known vulnerabilities means total security. You need a little of both, because eventually, somebody will discover something.
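Post #3's two complaints, an interpreter that no longer receives security fixes and a risky default that has to be remembered on every server, are both things a deployment can check for itself. The script below is an added example, not code from the thread or from Makestation; it assumes the directive the poster calls "CGI.pathauto" is `cgi.fix_pathinfo` (the PHP directive that defaults to 1 and is the usual culprit behind the FastCGI script-path problem), and it takes the "still supported" version floor as a parameter rather than hard-coding an EOL table. The `7.4.0` floor and the `7.0.33` sample version are placeholders chosen for the demo.

```php
<?php
// Added example (not from the thread): a self-check for the configuration
// points raised in post #3. Assumptions: "CGI.pathauto" means cgi.fix_pathinfo;
// the supported-version floor is supplied by the operator.
declare(strict_types=1);

/**
 * Audit a set of php.ini values and the interpreter version.
 *
 * @param array  $ini        directive => value (from ini_get, or injected for a test)
 * @param string $phpVersion version under test, normally PHP_VERSION
 * @param string $minVer     lowest version the operator still considers supported
 * @return string[]          findings; an empty array means nothing was flagged
 */
function audit_php_config(array $ini, string $phpVersion, string $minVer): array {
    $findings = [];

    // 1. An interpreter below the supported floor receives no more security fixes,
    //    which is exactly the situation the post describes on an old LTS release.
    if (version_compare($phpVersion, $minVer, '<')) {
        $findings[] = "PHP $phpVersion is below the supported floor $minVer";
    }

    // 2. cgi.fix_pathinfo=1 (the default) makes PHP fall back to another script
    //    when the requested path is not itself a script. Behind a FastCGI front end
    //    that does not verify the file exists, a non-PHP upload can end up being
    //    executed. Either disable it or make the web server check the path.
    if (($ini['cgi.fix_pathinfo'] ?? '1') === '1') {
        $findings[] = 'cgi.fix_pathinfo=1; set it to 0 or have the web server verify '
                    . 'the script path (nginx: try_files $uri =404 before fastcgi_pass)';
    }

    // 3. display_errors shows file paths and query fragments to visitors.
    if (filter_var($ini['display_errors'] ?? '0', FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'display_errors is on; use log_errors and keep output off in production';
    }

    // 4. expose_php advertises the exact version in the X-Powered-By header,
    //    which is what lets an old release be matched against its known bugs.
    if (filter_var($ini['expose_php'] ?? '1', FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'expose_php is on; turn it off to stop advertising the version';
    }

    return $findings;
}

// Read the live values from this interpreter. ini_get() returns false for a
// directive that is not defined in this SAPI, so those are simply skipped.
function live_ini(array $directives): array {
    $out = [];
    foreach ($directives as $d) {
        $v = ini_get($d);
        if ($v !== false) {
            $out[$d] = $v;
        }
    }
    return $out;
}

$watch = ['cgi.fix_pathinfo', 'display_errors', 'expose_php'];

echo "== this interpreter ==\n";
foreach (audit_php_config(live_ini($watch), PHP_VERSION, '7.4.0') as $f) { // '7.4.0': placeholder floor
    echo "[!] $f\n";
}

echo "== constructed worst case ==\n";
// Constructed configuration resembling a stock old install: every check should fire.
$bad = ['cgi.fix_pathinfo' => '1', 'display_errors' => 'On', 'expose_php' => 'On'];
foreach (audit_php_config($bad, '7.0.33', '7.4.0') as $f) {
    echo "[!] $f\n";
}
```

Running this from cron on each host turns the "remember to fix it on every server" problem the post describes into a report, which is the practical answer to the post's point that nobody can keep all of it in their head.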

#4
You should be using the ppa for PHP anyway. It’s updated on a regular basis.
Proudly powered by MyBB 1.8, © 2002-2024
Forum design by Makestation Team © 2013-2024