The Belgian royal family hasn't fully grasped IT security just yet
Posted by rhican - Wednesday January 4 @ 14:44
Cat: Bugs

First of all, Happy New Year everyone :)

Now let's start the new year with some funny stuff:
We do discover small mistakes in websites now and again. The classical XSS bug in a search field or another SQL injection in a parameter. Often because we come across it while surfing or see a link in the chat channel, and just test a few well known bugs. Most of the time we choose to email this to the webmaster, and sometimes we don't even bother because it would be a waste of the webmaster's time. However we recently came across a bug that we just wanted to share with you all, because of its 'humoristic nature'.

It concerns the website of the Belgian royal family (www.monarchie.be). First of all we want to make a few things clear. We publish this to attract more attention to IT security as a whole, and because of its entertainment value. This isn't a Belgium vs The Netherlands competition. If for no other reason than that the author of this text is Belgian. Second of all, we don't have any political agenda against the monarchy (Or anything related). It's just that the royals are thought to have enough money to create a solid secure website (as far as that isn't a contradiction). This is especially true in this case because the often dreaded "Who would ever want to do that anyways"-line isn't applicable in this case at all.

Alright by now you are probably all wondering what was up with this site anyways, are we barking up the XSS tree again? No. SQL injection? No. This time it was the famous weak password. A login to the site's Admin section found at www.monarchie.be/admin was:

Code:
test/test

Discovered: 31/12/2005
Notified webmaster: 1/1/2006
Login stopped working: 3/1/2006

Even though we didn't receive a reply, which is quite rude :), we do wish everybody a happy new year, and let's all stop using test/test as a login ;)

» Comments


ilias on 4 January 2006 15:00

OMG, ROFLMAO.
weak, weak, weak, weak!
moeha, nice job :-).

Kalkran on 4 January 2006 17:26

Great job rhican... :) As usual :P

Very funny bug lol :P

Jan-Pieter on 5 January 2006 13:18

Lol...
Btw Rhican, how did you get the idea to use test/test as user/pass ? Just coincidence? =)
Funny one :D

rhican on 5 January 2006 17:05

I usually try 2 or 3 combinations.

In this case I (would have) tried:
admin/admin
test/test
username/username (here that would be Monarchie-7801)

Most of the time I stop there, however if you would really want to continue, I would try combinations relating to the site. Here that would be some names of the Kings/Queen/Princes ...

However I usually don't expect to guess the password, I am interested in how they handle the error. Whether or not there is information on the error page I could use. (And sometimes they don't even write the .htaccess properly allowing you to access the page anyway)
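
To put rhican's answer above into defensive terms: the guesses he lists (admin/admin, test/test, username/username) are exactly the pairs an account-provisioning check can refuse up front, and the "how they handle the error" point is answered by returning the same response, with the same amount of work, for an unknown user and for a wrong password. The Python below is an added example, not code from the original post or from the site discussed; `DEFAULT_PAIRS`, `site_token`, `MIN_LENGTH` and the PBKDF2 parameters are assumptions chosen for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed, deliberately short list of well-known default pairs for the demo;
# a production policy would load a much larger list (assumption).
DEFAULT_PAIRS = {
    ("admin", "admin"),
    ("test", "test"),
    ("guest", "guest"),
    ("root", "root"),
}

MIN_LENGTH = 12  # assumed minimum for an admin password


def credential_policy_violations(username, password, site_token=None):
    """Return the reasons a proposed admin credential is rejected.

    An empty list means the credential passes. `site_token` is an optional,
    assumed site- or account-specific name (a vhost or customer name) that
    should never be usable as a password on its own.
    """
    problems = []
    u = username.strip().lower()
    p = password.lower()
    if (u, p) in DEFAULT_PAIRS:
        problems.append("well-known default pair")
    if p == u:
        problems.append("password equals username")
    if site_token and p == site_token.lower():
        problems.append("password equals site name")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems


def _derive(password, salt):
    # PBKDF2-HMAC-SHA256; iteration count kept modest so the demo runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Dummy material used for unknown users, so the failure path costs the same
# as a real comparison and does not reveal whether the account exists.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _derive("placeholder-not-a-real-password", _DUMMY_SALT)

GENERIC_ERROR = "Invalid username or password"


def create_user(store, username, password, site_token=None):
    """Provision an account only if the credential passes the policy."""
    problems = credential_policy_violations(username, password, site_token)
    if problems:
        raise ValueError("credential rejected: " + "; ".join(problems))
    salt = secrets.token_bytes(16)
    store[username] = (salt, _derive(password, salt))


def authenticate(store, username, password):
    """Return (True, None) on success, (False, GENERIC_ERROR) otherwise.

    The same message and the same hashing work are used whether the user is
    unknown or the password is wrong, so the error page tells a guesser
    nothing about which half of the pair was right.
    """
    salt, expected = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(_derive(password, salt), expected)
    if username in store and matches:
        return True, None
    return False, GENERIC_ERROR


if __name__ == "__main__":
    users = {}
    for name, pw in [("test", "test"), ("admin", "s0me-Long-Admin-Passphrase")]:
        try:
            create_user(users, name, pw)
            print(f"created {name}")
        except ValueError as exc:
            print(exc)
    print(authenticate(users, "admin", "wrong"))
    print(authenticate(users, "nobody", "wrong"))
```

The policy check runs at provisioning time, which is where test/test should have been stopped in the first place; the uniform `authenticate` response is the counterpart to rhican's remark that the error page, not the password, is usually what gives something away.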

rippawallet on 9 January 2006 17:31

hehe, that's funny

cracker-net on 17 January 2006 22:22

shame on that 'webmaster' :)
what i like is a variable include via $_GET :p
?p=.htaccess
you'd be surprised how many times that works.

oh yes, i learnt that from the challenge named "nice include system" :p
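
cracker-net's `?p=.htaccess` remark above describes a file include driven straight by a request parameter. As an added illustration (not code from the original thread or from the site discussed), here is that pattern in Python beside the usual fix, an allowlist that maps page keys to files so the parameter never becomes a path; the `make_demo_site` helper and its file names and contents are all constructed for the demo.

```python
import os
import tempfile


def make_demo_site():
    """Constructed on-disk layout: two public pages and a control file
    that must never be served."""
    base = tempfile.mkdtemp(prefix="demo_site_")
    files = {
        "home.html": "<h1>Home</h1>",
        "contact.html": "<h1>Contact</h1>",
        ".htaccess": "AuthType Basic\nAuthUserFile /etc/example/htpasswd\n",
    }
    for name, body in files.items():
        with open(os.path.join(base, name), "w") as fh:
            fh.write(body)
    return base


def vulnerable_include(base, page):
    """The flawed pattern: the request parameter is used directly as a file name,
    so any readable file under (or, via traversal, outside) the page directory
    can be returned."""
    with open(os.path.join(base, page)) as fh:
        return fh.read()


# Hardened version: the parameter selects a key, not a path. Anything that is
# not an exact key is refused, so dotfiles, traversal sequences and absolute
# paths are all rejected by the same rule without any pattern matching.
PAGES = {
    "home": "home.html",
    "contact": "contact.html",
}


def safe_include(base, page):
    """Return the body of an allowlisted page, or None for any other key."""
    filename = PAGES.get(page)
    if filename is None:
        return None
    with open(os.path.join(base, filename)) as fh:
        return fh.read()


if __name__ == "__main__":
    site = make_demo_site()
    print(vulnerable_include(site, ".htaccess"))  # control file is exposed
    print(safe_include(site, "home"))
    print(safe_include(site, ".htaccess"))        # None: not an allowlisted key
```

A deny-list of bad names (`.htaccess`, `..`) is the tempting alternative, but it has to anticipate every encoding and every sensitive file; the allowlist only has to know the handful of pages the site actually means to serve.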

DFyNt2U on 22 January 2006 19:41

Actually, the same fault once occurred on the network of my old school (nope, not kicked, I got the degree already). Some ... didn't remove 'testuser/testuser' and since Novell login shows the entire userlist with <tab> (at least that one did), I just had to try (about 3 years ago :P ). Not only did the pass offer login, but it also facilitated full access to the home directories of all teachers as well as global normally-'readonly' areas. Fortunately the extra access for the account was removed not too long after.
