
Re: PHP/MySQL image gallery penetration testing

Subject: Re: PHP/MySQL image gallery penetration testing
Date: Thu, 25 Oct 2007 15:44:21 -0600
Simon,

May I ask why one would be concerned with being able to download all 4
images from the site at once? You said that they rotate every day, so
couldn't they just wait a day at a time and Right-Click / Save-As? Do
these images contain important information which someone would want to
have right away?

I'm sorry but I just can't see why this would be a vulnerability unless
you were running an image hosting site like imagevenue.com or something
and didn't want people leeching entire galleries at once and eating
bandwidth.

Perhaps you can provide more information.

Cory

On Thu, 2007-10-25 at 18:34 +0200, Simon Jolle "sjolle" wrote:

Hi security list

At our site we have 4 images on the website (rotating every day). The
webdev department doesn't allow me access to the source (additionally, I
am a non-programmer).

The URL looks like http://www.example.com/image.php?src=imagename.png, where
imagename.png is randomly generated.

What techniques can be used by an attacker to download every image? What
tools can be used to test potential vulnerabilities?

cheers
Simon

--
actually, I think Windows Vista has done more than virtually any OS
release to promote the use of Linux (Slashdot comment, 4 Oct 07)

Cory Swanson
Director - Spyder Technology
http://www.spydertechsolutions.com
Office   (208) 947-4693
Mobile  (208) 695-5110

