Tag Archives: Security

Protect your phpMyAdmin folder, or …

… you are asking for trouble. I learned this valuable lesson past weekend. You need to protect your phpMyAdmin folder from outside world or you are asking for trouble.

I went to a conference about security called Hackintosh, where we had a competitive event called ‘Capture the Flag’. The event was structured like a game and consisted of 10 different levels. At each level, you have to solve a problem by hacking into a sample application using some vulnerability. Each level had problems in increasing order of complexity and most of them were very interesting.

After about 4 levels, I found out that the phpMyAdmin folder of the server, in which the event site was hosted, was public. I logged into the database (it didn’t asked me for the password) and updated the level column corresponding to my username row to 10. That’s it, I conquered the flag. In the end, I ended up hacking the Hackintosh 😉

Jokes apart, the valuable lesson I learned from this event is that you should never leave the phpMyAdmin folder (if installed) open. You can do the following instead.

  • Totally get away with phpMyAdmin and connect to the database using port forwarding in PuTTY.
  • If you cannot get away with phpMyAdmin, then at least password protect the folder and database access.
  • If you cannot password protect the folder at least rename it. (Not recommended at all)

So do you still have your phpMyAdmin folder open? 🙂

Posted in Events/Conferences, Security | Tagged , , | 8 Comments

Major Security Threat in IE

Recently I came to know about a major security threat in Internet Explorer from Lifehacker tips. Any website can read the text present in your clipboard with out your knowledge and can even replace the text present in your clipboard. I went to the article present in the tip and they mentioned that you can use ASP, PHP or Perl together with Javascript to retrieve the text.

This interested me much and I tried to figure out how to do it and to my surprise I was able to retrieve the clipboard text with just two lines of javascript code alone without even using any server side script like ASP or PHP. I have written more about it and you can find it out in this url (www.clipboard.googlemyway.com).

After retrieving the text I was thinking what a website can do by knowing your clipboard text and then an idea struck me what if it is combined with AJAX. The website can get the contents of the user

Posted in Windows/.NET | Tagged , , , | 1 Comment

Security hole found in Gmail

I read any article which states that an Israeli hacker has found a security hole in Gmail. I am yet to confirm the claim, but anyways here is the article.

I have copied the article below (since that page was in some other language and many users had trouble in reading it)

So you’ve got a Gmail mail account? Or maybe you’ve just received an invitation? Well, we have some bad news for you: Your mail box is exposed. A major security hole in Google’s mail service, allows full access to user accounts, without the need of a password.

“Everything could get publicly exposed! your received mails might be readable, as well as all of your sent mail, and furthermore anyone could send and receive mail under your name”, thus reveals Nir Goldshlagger, an Israeli hacker, on an exclusive interview with Nana NetLife Magazine. “Even more alarming”, he explains, “is the fact that the hack itself is quite simple. All that is needed of the malicious hacker, beside knowledge of the specific technique, is quite basic computer knowledge, the victim’s username and that’s it, he’s inside”.

When approached, Google admitted to the security flaw. Google also assured us that this matter is being resolved, and that “the company will go to any length to protect its users”.

The flaw which was discovered by Goldshlagger and was tested many times by Nana’s editorial board had shown an alarming success rate. In order not to further jeopardize mail boxes’ owners, we will only disclose that the process is based upon a security breach in the service’s identity authentication. It allows the hacker to “snatch” the victims cookie file (a file planted in the victim’s computer used to identify him) using a seemingly innocent link (which directs to Gmail’s site itself). Once stolen, this cookie file allows the hacker to identify himself as the victim, without the need of a password. Even if the victim does change his password afterwards, it will be to no avail. “The system authenticates the hacker as the victim, using the stolen cookie file. Thus no password is involved in the authentication process. The victim can change his password as many times as he pleases, and it still won’t stop the hacker from using his box”, explains Goldshlagger.

Whether hackers have already used this method to compromise users’ accounts is unclear at the moment.

Matters are several times worse when it comes to a service such as Gmail. Besides the obvious blow to Google’s seemingly spotless image, we’re looking here at a major threat to anyone who has turned to Gmail as his major email box. “Because Gmail offers a gigabyte of storage, several times bigger than most other web based mail services, users hardly delete any old correspondence”, says Goldshlagger. “The result is a huge amount of mail accumulating in the users’ boxes, which frequently include bank notices, passwords, private documents and other files the user wanted to backup. Who ever takes a hold of this data, could literally take over the victim’s life and identity”.

Ofer Elzam, a security expert for “Aladdin”, who examined the security hole at Nana’s Netlife request, explains: “This is a major threat, for the following reasons: First – the users have no way of protecting themselves. Second – it’s quite easy to carry out, and third – it allows identity theft, which is nothing less than a serious danger to the victim”.

“On the bright side”, he adds, “its a good thing that this hole was found now, before the service was officially announced and offered to millions of users world-wide. I reckon it’s just a matter of time before an automatic tool is made, which would allow even the less computer-savvy people to exploit this hack. The damage, needless to say, could be huge”

Is there a way, after all, to protect ourselves in the face of this danger? Elzam does not bear good news on the matter. “The only immediate solution that comes to mind is not using Gmail to store any messages or files that might be maliciously used. At least until Google attends to this problem”

Could anybody throw some light on this issue. 🙄

Posted in Google/Yahoo | Tagged , | Leave a comment