Solved

break into my web page

Posted on 2003-03-21
Last Modified: 2010-04-09
The points are yours if you can figure out, or bypass the password:

http://www.geocities.com/tomandsyndi/ethicslogin.html

I just want to check if the page is as secure as I think.

Don't worry...it's MY account.

Tom

0
Comment
Question by:Tom Knowlton
47 Comments
 
LVL 5

Author Comment

by:Tom Knowlton
ID: 8183484
Oh, and please tell me how you did it.

You can tell me "offline" if you want to:

tom@thebuyersfund.com

Thanks,

Tom
0
 
LVL 7

Expert Comment

by:cubrovic
ID: 8183629
I get a JS error reading your page.

Did you see what your source looks like?
Really bad HTML.
What was happening?!


<html>
<head>
<title>Capstone - Login</title>
<script src="pw.js" type="text/javascript"></script>
</script>
</head>
<body>
<a href="javascript:goTo('capstone.html')">Ethics Group Sign In</a>
</body>
</html><!-- text below generated by server. PLEASE REMOVE --></object></layer></div></span></style></noscript></table></script></applet>
<script language="JavaScript">var PUpage="76001068"; var PUprop="geocities"; </script><script language="JavaScript" src="http://www.geocities.com/js_source/pu5geo.js"></script><script language="JavaScript" src="http://www.geocities.com/js_source/ygIELib9.js?v3"></script><script language="JavaScript">var yviContents='http://us.toto.geo.yahoo.com/toto?s=76001068&l=NE&b=1&t=1048279276';yviR='us';yfiEA(0);</script><script language="JavaScript" src="http://us.i1.yimg.com/us.yimg.com/i/mc/mc.js"></script><script language="JavaScript" src="http://geocities.com/js_source/geov2.js"></script><script language="javascript">geovisit();</script><noscript><img src="http://visit.webhosting.yahoo.com/visit.gif?us1048279276" alt="setstats" border="0" width="1" height="1"></noscript>
<IMG SRC="http://geo.yahoo.com/serv?s=76001068&t=1048279276" ALT=1 WIDTH=1 HEIGHT=1>
0
 
LVL 5

Author Comment

by:Tom Knowlton
ID: 8183680
Hmmmm...that's odd.

Try it one more time...should get no errors.  I mean, I don't get any errors:

http://www.geocities.com/tomandsyndi/ethicslogin.html


Let me know,

Tom
0

 
LVL 5

Author Comment

by:Tom Knowlton
ID: 8183710
Geocities adds in all of this GARBAGE:


><!-- text below generated by server. PLEASE REMOVE --></object></layer></div></span></style></noscript></table></script></applet>
<script language="JavaScript">var PUpage="76001068"; var PUprop="geocities"; </script><script language="JavaScript" src="http://www.geocities.com/js_source/pu5geo.js"></script><script language="JavaScript" src="http://www.geocities.com/js_source/ygIELib9.js?v3"></script><script language="JavaScript">var yviContents='http://us.toto.geo.yahoo.com/toto?s=76001068&l=NE&b=1&t=1048279276';yviR='us';yfiEA(0);</script><script language="JavaScript" src="http://us.i1.yimg.com/us.yimg.com/i/mc/mc.js"></script><script language="JavaScript" src="http://geocities.com/js_source/geov2.js"></script><script language="javascript">geovisit();</script><noscript><img src="http://visit.webhosting.yahoo.com/visit.gif?us1048279276" alt="setstats" border="0" width="1" height="1"></noscript>
<IMG SRC="http://geo.yahoo.com/serv?s=76001068&t=1048279276" ALT=1 WIDTH=1 HEIGHT=1>


I have no control over that.
0
 
LVL 7

Expert Comment

by:cubrovic
ID: 8183767
Same errors occurred

Line 10: object expected

and then

Line 1: Syntax Error (probably just because of the first)

and the same (very bad) HTML in view source as I sent before.


Some of those scripts keep generating errors (in IE 6.0)
0
 
LVL 5

Author Comment

by:Tom Knowlton
ID: 8183812
Don't know what to tell you...works fine under my IE

Tom
0
 
LVL 5

Author Comment

by:Tom Knowlton
ID: 8183831
To be fair:

I am getting errors, but they are NOT preventing me from logging in or anything:

Line:  2
Char:  29
Error:  Syntax error
Code:  0
URL:  htpp://www.geocities.com/tomandsyndi/ethicslogin.html


Here is the function in the pw.js file:

function goTo(fn) {
  // The typed password is concatenated into the URL path of the protected page.
  window.location.href = "<path to folder not revealed, of course>" + prompt("enter password") + "" + "\/" + fn;
}
0
 
LVL 1

Expert Comment

by:Victor_R
ID: 8183904
Does the capstone.html page actually exist? I mean, if we do manage to break in, will we still get a Yahoo file not found??
0
 
LVL 7

Expert Comment

by:cubrovic
ID: 8183936
OK, this is pretty secure because I can only guess where it is. (And you depend on your server's safety, of course.)

You also need to set the meta data in your protected HTML, something like

<meta name="robots" content="noindex" />

(I'm not sure if this is the correct syntax)
This is to keep crawlers from registering your page (because you don't want them to).
Otherwise your protected page may appear on Google or the Geocities search facility.
0
 
LVL 5

Author Comment

by:Tom Knowlton
ID: 8183961
Yes, the capstone.html file actually exists.

Not much to look at when you break in...names and phone numbers of people in my Study Group.
0
 
LVL 5

Author Comment

by:Tom Knowlton
ID: 8183967
cubrovic:

Yeah, I'll add in that meta-data info next chance I get.

Thanks,

Tom
0
 
LVL 7

Expert Comment

by:cubrovic
ID: 8183970
Use prompt like this

prompt("enter password","")

where "" is default value
to avoid undefined default value that will be set
0
 
LVL 5

Author Comment

by:Tom Knowlton
ID: 8184008
That has been corrected.

Oh oh....big problem.

Notice what happens when you leave the password blank and hit OK or Cancel!!!!!!  It basically gives it away.

Who ever can confirm this and tell me how to avoid it will get the points.
0
 
LVL 5

Author Comment

by:Tom Knowlton
ID: 8184025
Well, I guess you STILL don't really know what to put in there...but I would still like to prevent this from happening.
0
 
LVL 6

Expert Comment

by:mattjp88
ID: 8184086
change ur .js file to:

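function goTo(fn) {
  var passwd = prompt("Please enter password", "");
  // prompt() returns null on Cancel and "" when nothing was typed; do nothing in those cases.
  if (passwd == "" || passwd == null || passwd == "undefined") {}
  else { window.location.href = "123_999_547_12_ABC" + passwd + "9" + "\/" + fn; }
}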

this will only run the script if there is text entered.

Matt :-)
0
 
LVL 5

Author Comment

by:Tom Knowlton
ID: 8184119
Matt:

That works AWESOME!!!!

Thanks!!!!

Tom


If nobody is able to break-in in the next day or two I guess I will award the points to Matt.
0
 
LVL 5

Author Comment

by:Tom Knowlton
ID: 8184129
An incorrect password STILL reveals the obscure folder path, however.

I think I can correct that in the function as well...
0
 
LVL 6

Expert Comment

by:bvinson
ID: 8184190
I'm in.

I entered your password.  I'll tell you how in email...

bvinson
0
 
LVL 6

Expert Comment

by:mattjp88
ID: 8184203
i have a very good password protection script.  if you want to e-mail me the password and path to the file i will make it for ya.  mattjp88@nycap.rr.com

Matt :-)
0
 
LVL 5

Author Comment

by:Tom Knowlton
ID: 8184215
An update on my password function:

function goTo(fn) {
  var passwd = prompt("Please enter password", "");
  // Navigate only when the input matches the password literal stored in this file.
  if (passwd == "" || passwd == null || passwd == "undefined" || passwd != "<actual password goes here>") {}
  else { window.location.href = "<some obscure folder path>" + passwd + "\/" + fn; }
}

This way if they enter something for a password and it doesn't match...the path to the capstone.html file will NOT be revealed.

I think that just about covers that part of it.
0
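The updated goTo() above keeps the real password as a string literal in pw.js, a file the browser has to download before it can run the check. As an added example (not code from this thread or from any poster's script): on a static host with no server-side check, the protected content can instead be encrypted under a key derived from the password, so neither the password nor the content appears in anything that is uploaded. It uses Node's crypto module for the demonstration; the function names, the iteration count and the sample content are assumptions, and "hippo" is the stand-in password Tom proposes elsewhere in this thread.

```javascript
// Added example: password-based encryption of static content (Node.js crypto).
const nodeCrypto = require("node:crypto");

const ITERATIONS = 200000; // PBKDF2 work factor (assumption; tune to your visitors' devices)

// Derive a 256-bit AES key from the password and a per-page random salt.
function deriveKey(password, salt) {
  return nodeCrypto.pbkdf2Sync(password, salt, ITERATIONS, 32, "sha256");
}

// Run once, offline, by the page owner. Only the returned bundle is uploaded.
function protect(content, password) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", deriveKey(password, salt), iv);
  const data = Buffer.concat([cipher.update(content, "utf8"), cipher.final()]);
  return {
    salt: salt.toString("base64"),
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    data: data.toString("base64"),
  };
}

// Runs for each visitor. Returns the content, or null for a wrong password.
function unlock(bundle, attempt) {
  if (typeof attempt !== "string" || attempt === "") return null; // Cancel or blank input
  const key = deriveKey(attempt, Buffer.from(bundle.salt, "base64"));
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, Buffer.from(bundle.iv, "base64"));
  decipher.setAuthTag(Buffer.from(bundle.tag, "base64"));
  try {
    const plain = Buffer.concat([
      decipher.update(Buffer.from(bundle.data, "base64")),
      decipher.final(), // throws when the GCM tag does not verify
    ]);
    return plain.toString("utf8");
  } catch (err) {
    return null; // wrong password: nothing about the content or the key is revealed
  }
}

// Constructed sample input; not the real page content.
const SAMPLE_CONTENT = "<h1>Study group</h1><p>constructed placeholder content</p>";
const sampleBundle = protect(SAMPLE_CONTENT, "hippo");
console.log(unlock(sampleBundle, "hippo") === SAMPLE_CONTENT);
console.log(unlock(sampleBundle, "hungryhungry"));
console.log(unlock(sampleBundle, null));
```

The bundle is public, so the strength of the password is the only barrier to offline guessing; a short dictionary word like the sample is not adequate for real use.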
 
LVL 19

Expert Comment

by:webwoman
ID: 8184220
What are you trying to do?
You never call the function in the js file.
You have an extra </script> tag.
Your link isn't valid, it uses a javascript you don't define and the syntax is wrong (and it's completely unnecessary).
I doubt all that crap at the bottom isn't generated by GeoCities, because it's closing applets, tables, and divs that never get opened. Some of it is, I'm sure, but not ALL -- I get errors in IE, and it will open in NN6, but the GeoCities links don't work. So I'm pretty sure that junk at the bottom isn't all Geocities.
0
 
LVL 5

Author Comment

by:Tom Knowlton
ID: 8184224
Matt:

A very generous offer.

Can you send me the script and I will supply my own path and password?

For the purposes of your script, let's say the password is "hippo" and the path is "hungryhungry"
0
 
LVL 5

Author Comment

by:Tom Knowlton
ID: 8184230
webwoman:

Several other sources are getting to the page just fine.

I wish I knew what to tell you about the problems you are experiencing!!

Tom
0
 
LVL 5

Author Comment

by:Tom Knowlton
ID: 8184238
The HTML pages do NOT have all of that JUNK at the bottom when I upload them.


Geocities is adding that stuff in.

Notice it says

><!-- text below generated by server. PLEASE REMOVE --

at the beginning.  It is not me doing this:

><!-- text below generated by server. PLEASE REMOVE --></object></layer></div></span></style></noscript></table></script></applet>
<script language="JavaScript">var PUpage="76001068"; var PUprop="geocities"; </script><script language="JavaScript" src="http://www.geocities.com/js_source/pu5geo.js"></script><script language="JavaScript" src="http://www.geocities.com/js_source/ygIELib9.js?v3"></script><script language="JavaScript">var yviContents='http://us.toto.geo.yahoo.com/toto?s=76001068&l=NE&b=1&t=1048279276';yviR='us';yfiEA(0);</script><script language="JavaScript" src="http://us.i1.yimg.com/us.yimg.com/i/mc/mc.js"></script><script language="JavaScript" src="http://geocities.com/js_source/geov2.js"></script><script language="javascript">geovisit();</script><noscript><img src="http://visit.webhosting.yahoo.com/visit.gif?us1048279276" alt="setstats" border="0" width="1" height="1"></noscript>
<IMG SRC="http://geo.yahoo.com/serv?s=76001068&t=1048279276" ALT=1 WIDTH=1 HEIGHT=1>
0
 
LVL 5

Author Comment

by:Tom Knowlton
ID: 8184245
><!-- text below generated by server. PLEASE REMOVE --


said "server" belongs to Geocities.
0
 
LVL 6

Expert Comment

by:bvinson
ID: 8184246
knowlton,

Please check your email.  I have sent you the method I used to get to your "protected" file.

bvinson
0
 

Expert Comment

by:modulo
ID: 8184249
Hi all,

This Q is in the "grey" area as far as I can determine according to the EE member agreement.

It can be seen as testing, but also as the not allowed hacking.

I'll mail the link to our site admin and keep "an eye" on this Q.

modulo

Community Support Moderator
Experts Exchange
0
 
LVL 5

Author Comment

by:Tom Knowlton
ID: 8184262
modulo:

Even if the page is being hosted on my free Geocities account and I am purposefully saying "please hack this page"?

I really don't see the harm here.

BUT

I don't want to cause trouble, either.

Let me know,

Tom
0
 
LVL 6

Expert Comment

by:bvinson
ID: 8184275
modulo,

I completely understand.  However since I am in no way qualified to be a hacker and I was able to get in, then I think this one really should be considered a test.  ;)

I am in firm support of EE in trying to dissuade hackers - or at least not provide a forum for them to further their skills, so any decision reached by EE on this is fine by me.

bvinson
0
 
LVL 5

Author Comment

by:Tom Knowlton
ID: 8184298
Aren't the best Security Experts actually of the "hacker" mindset or inclination?

To defend against them you have to know what they will try, or try to anticipate what they will try, correct?  You have to "get inside their heads" to provide good security.

I think EE is the perfect forum for this.

I will take answers offline if you don't want them posted here:

tom@thebuyersfund.com
0
 
LVL 5

Author Comment

by:Tom Knowlton
ID: 8184306
bvinson:

Your e-mail has not arrived yet.

I am interested to find out what you did.

Tom
0
 
LVL 6

Expert Comment

by:bvinson
ID: 8184308
Tom,

Have you looked at my solution?

bvinson
0
 
LVL 5

Author Comment

by:Tom Knowlton
ID: 8184318
bvinson:

I just refreshed my e-mail and your solution has not arrived yet.

Tom
0
 

Expert Comment

by:modulo
ID: 8184321
Hi Tom,

Having posted over 400 questions here, I do believe you on your word.
That's also why I didn't post (as I would do on a hack question) that the Q is to be deleted.

Nevertheless I posted to make sure we're all aware of the danger. Often it's enough just to realise that.

Just consider this thought:
A hammer is a regular tool, but also a deadly weapon !

modulo

Community Support Moderator
Experts Exchange
0
 
LVL 53

Expert Comment

by:COBOLdinosaur
ID: 8184325
>>>I really don't see the harm here.

I asked for a mod to look at it because of where it can lead.  I can understand your need for testing, but having this on the site can encourage others to do the same thing and there is a danger of serious hacking methods being posted.  

Every day questions have to be removed from the site because they are posted by individuals looking for hacks.  I am not questioning your integrity, I just don't want to see the boundaries get blurred.  I hope you understand that I asked for review for that reason, not because I think there is any malicious intent.

Cd&
0
 
LVL 6

Expert Comment

by:bvinson
ID: 8184328
I sent it to the email in your profile first, but have now sent it to tom@thebuyersfund.com

bvinson
0
 
LVL 6

Expert Comment

by:bvinson
ID: 8184357
Just as a funny/interesting aside here...I think it's ironic that the dispute over whether this post should be allowed on EE when the site in question concerns business ethics.  ;)

bvinson
0
 
LVL 5

Author Comment

by:Tom Knowlton
ID: 8184366
COBOLdinosaur:

I do see your point.  I certainly don't want to propagate questions such as "10 ways to hack a web page"

bvinson has actually been very discreet in showing me the way he actually found my password (which he did do).

I will not reveal how bvinson did it here.  If anyone wants to know, I guess they can ask bvinson for his e-mail address and see what he says.

Thanks,

Tom
0
 
LVL 5

Author Comment

by:Tom Knowlton
ID: 8184380
bvinson:

I totally missed the irony until you pointed it out just now...and you are so correct...I died laughing when I read your posting just now....so funny!!!!

Yeah...my last class before I graduate from college is a business ethics class, lol.  The protected page is our "Group" page to organize our info, etc.

I am glad you are the ethical sort, bvinson (I hope).

Tom
0
 
LVL 6

Accepted Solution

by:
bvinson earned 500 total points
ID: 8184389
Just to head off an influx of emails.  Don't email me for this solution.  ;)

The page owner asked a question.  It was answered and I won't share the answer with anyone else.

Thanks.
bvinson
0
 
LVL 5

Author Comment

by:Tom Knowlton
ID: 8184403
Probably for the best.

This will hopefully keep us out of trouble with the EE staff.  :)

Thanks again, everyone!!!!

Tom
0
 
LVL 6

Expert Comment

by:bvinson
ID: 8184417
Don't forget to accept an answer.

bvinson
0
 
LVL 5

Author Comment

by:Tom Knowlton
ID: 8184448
Excellent job everyone.

I wish there was a way to "split" the points for this question.  A few other people have been super helpful.

I guess I can do a new "Question" to give points to some of the other Experts who have posted here, like Matt.

Tom
0
 
LVL 6

Expert Comment

by:mattjp88
ID: 8184457
the path to the file and the password is encrypted so i would need to encrypt them and then insert them into the script. just e-mail them to me

mattjp88@nycap.rr.com

matt :-)
0
 
LVL 6

Expert Comment

by:mattjp88
ID: 8184468
i will still give you the script if you want it?
0
 
LVL 5

Author Comment

by:Tom Knowlton
ID: 8184476
Matt:

I think I will think about what you are asking me to do some more.

The web page is super super simplistic...not worth protecting beyond what I have already done.  With the Geocities FREE account I think I have done the best I can do for now.

I'll let you know if I change my mind.

50 points for your trouble are available at:

http://www.experts-exchange.com/Web/Web_Languages/HTML/Q_20559230.html



Tom
0
 
LVL 5

Author Comment

by:Tom Knowlton
ID: 8184481
Matt:

Send me the script if it is no bother.

Tom
0
