• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 267
  • Last Modified:

break into my web page

The points are yours if you can figure out, or bypass the password:

http://www.geocities.com/tomandsyndi/ethicslogin.html

I just want to check if the page is as secure as I think.

Don't worry...it's MY account.

Tom

0
Tom Knowlton
Asked:
Tom Knowlton
  • 26
  • 8
  • 4
  • +5
1 Solution
 
Tom KnowltonWeb developerAuthor Commented:
Oh, and please tell me how you did it.

You can tell me "offline" if you want to:

tom@thebuyersfund.com

Thanks,

Tom
0
 
cubrovicCommented:
I get an (js error) reading your page

Did you see how  your source look like
A realy bad html
what was happening ?!


<html>
<head>
<title>Capstone - Login</title>
<script src="pw.js" type="text/javascript"></script>
</script>
</head>
<body>
<a href="javascript:goTo('capstone.html')">Ethics Group Sign In</a>
</body>
</html><!-- text below generated by server. PLEASE REMOVE --></object></layer></div></span></style></noscript></table></script></applet>
<script language="JavaScript">var PUpage="76001068"; var PUprop="geocities"; </script><script language="JavaScript" src="http://www.geocities.com/js_source/pu5geo.js"></script><script language="JavaScript" src="http://www.geocities.com/js_source/ygIELib9.js?v3"></script><script language="JavaScript">var yviContents='http://us.toto.geo.yahoo.com/toto?s=76001068&l=NE&b=1&t=1048279276';yviR='us';yfiEA(0);</script><script language="JavaScript" src="http://us.i1.yimg.com/us.yimg.com/i/mc/mc.js"></script><script language="JavaScript" src="http://geocities.com/js_source/geov2.js"></script><script language="javascript">geovisit();</script><noscript><img src="http://visit.webhosting.yahoo.com/visit.gif?us1048279276" alt="setstats" border="0" width="1" height="1"></noscript>
<IMG SRC="http://geo.yahoo.com/serv?s=76001068&t=1048279276" ALT=1 WIDTH=1 HEIGHT=1>
0
 
Tom KnowltonWeb developerAuthor Commented:
Hmmmm...that's odd.

Try it one more time...should get no errors.  I mean, I don't get any errors:

http://www.geocities.com/tomandsyndi/ethicslogin.html


Let me know,

Tom
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
Tom KnowltonWeb developerAuthor Commented:
Geocities adds in all of this GARBAGE:


><!-- text below generated by server. PLEASE REMOVE --></object></layer></div></span></style></noscript></table></script></applet>
<script language="JavaScript">var PUpage="76001068"; var PUprop="geocities"; </script><script language="JavaScript" src="http://www.geocities.com/js_source/pu5geo.js"></script><script language="JavaScript" src="http://www.geocities.com/js_source/ygIELib9.js?v3"></script><script language="JavaScript">var yviContents='http://us.toto.geo.yahoo.com/toto?s=76001068&l=NE&b=1&t=1048279276';yviR='us';yfiEA(0);</script><script language="JavaScript" src="http://us.i1.yimg.com/us.yimg.com/i/mc/mc.js"></script><script language="JavaScript" src="http://geocities.com/js_source/geov2.js"></script><script language="javascript">geovisit();</script><noscript><img src="http://visit.webhosting.yahoo.com/visit.gif?us1048279276" alt="setstats" border="0" width="1" height="1"></noscript>
<IMG SRC="http://geo.yahoo.com/serv?s=76001068&t=1048279276" ALT=1 WIDTH=1 HEIGHT=1>


I have no control over that.
0
 
cubrovicCommented:
Same errors occured

Line 10: object expected

and then

Line 1: Syntax Error (probably just because of the first)

and same (very bad) html in view source like i send it before.


Some of those scripts keep generate error (in ie6.0)
0
 
Tom KnowltonWeb developerAuthor Commented:
Don't know what to tell you...works fine under my IE

Tom
0
 
Tom KnowltonWeb developerAuthor Commented:
To be fair:

I am getting errors, but they are NOT preventing me from loggin in or anything:

Line:  2
Char:  29
Error:  Syntax error
Code:  0
URL:  htpp://www.geocities.com/tomandsyndi/ethicslogin.html


Here is the function in the pw.js file:

function goTo(fn) {
window.location.href = "<path to folder not revealed, of course>" + prompt("enter password")+ "" +"\/" + fn
}
0
 
Victor_RCommented:
Does the capstone.html page actually exist? I mean, if we do manage to break in, will we still get a Yahoo file not found??
0
 
cubrovicCommented:
OK this is pretty secure becuse i can only gues where it is.(And you depends on your server safety ofcourse)

You need also to set your meta data in your protected html something like

<meta name="robots" content="no-index" />

(I,m not sure is this a correct syntax)
This is to avoid crawlers to register your page (cause you dont want to)
Other way your protected page may appeared on the google or geocities search fascility
0
 
Tom KnowltonWeb developerAuthor Commented:
Yes, the capstone.hmtl file actually exists.

Not much to look at when you break in...names and phone numbers of people in my Study Group.
0
 
Tom KnowltonWeb developerAuthor Commented:
cubrovic:

Yeah, I'll add in that meta-data info next chance I get.

Thanks,

Tom
0
 
cubrovicCommented:
Use prompt like this

prompt("enter password","")

where "" is default value
to avoid undefined default value that will be set
0
 
Tom KnowltonWeb developerAuthor Commented:
That has been corrected.

Oh oh....big problem.

Notice what happens when you leave the password blank and hit OK or Cancel!!!!!!  It basically gives it away.

Who ever can confirm this and tell me how to avoid it will get the points.
0
 
Tom KnowltonWeb developerAuthor Commented:
Well, I guess you STILL don't really know what to put in there...but I would still like to prevent this from happening.
0
 
mattjp88Commented:
change ur .js file to:

function goTo(fn) {
var passwd=prompt("Please enter password","");
if (passwd=="" || passwd==null || passwd=="undefined") {}
else {window.location.href = "123_999_547_12_ABC" + passwd + "9" +"\/" + fn}
}

this will only run the script if there is text entered.

Matt :-)
0
 
Tom KnowltonWeb developerAuthor Commented:
Matt:

That works AWESOME!!!!

Thanks!!!!

Tom


If nobody is able to break-in in the next day or two I guess I will award the points to Matt.
0
 
Tom KnowltonWeb developerAuthor Commented:
In incorrect password STILL reveals the obscure folder path, however.

I'll think I an correct that in the function as well...
0
 
bvinsonCommented:
I'm in.

I entered your password.  I'll tell you how in email...

bvinson
0
 
mattjp88Commented:
i have a very good password protection script.  if you want to e-mail me the password and path to the file i will make it for ya.  mattjp88@nycap.rr.com

Matt :-)
0
 
Tom KnowltonWeb developerAuthor Commented:
An update on my password function:

function goTo(fn) {
var passwd=prompt("Please enter password","");
if (passwd=="" || passwd==null || passwd=="undefined" || passwd!="<actual password goes here>") {}
else {window.location.href = "<some obscure folder path>" + passwd + "\/" + fn}
}

This way if they enter something for a password and it doesn't match...the path to the capstone.html file will NOT be revealed.

I think that just about covers that part of it.
0
 
webwomanCommented:
What are you trying to do?
You never call the function in the js file.
You have an extra </script> tag.
Your link isn't valid, it uses a javascript you don't define and the syntax is wrong (and it's completely unnecessary).
I doubt all that crap at the bottom isn't generated by GeoCities, because it's closing applets, tables, and divs that never get opened. Some of it is, I'm sure, but not ALL -- I get errors in IE, and it will open in NN6, but the GeoCities links don't work. So I'm pretty sure that junk at the bottom isn't all Geocities.
0
 
Tom KnowltonWeb developerAuthor Commented:
Matt:

A very generous offer.

Can you send me the script and I will supply my own path and password?

For the purposes of your script, let's say the password is "hippo" and the path is "hungryhungry"
0
 
Tom KnowltonWeb developerAuthor Commented:
webwoman:

Several other sources are getting to the page just fine.

I wish I knew what to tell you about the problems you are experiencing!!

Tom
0
 
Tom KnowltonWeb developerAuthor Commented:
The HTML pages do NOT have all of that JUNK at the bottom when I upload them.


Geocities is adding that stuff in.

Notice it says

><!-- text below generated by server. PLEASE REMOVE --

at the beginning.  It is not me doing this:

><!-- text below generated by server. PLEASE REMOVE --></object></layer></div></span></style></noscript></table></script></applet>
<script language="JavaScript">var PUpage="76001068"; var PUprop="geocities"; </script><script language="JavaScript" src="http://www.geocities.com/js_source/pu5geo.js"></script><script language="JavaScript" src="http://www.geocities.com/js_source/ygIELib9.js?v3"></script><script language="JavaScript">var yviContents='http://us.toto.geo.yahoo.com/toto?s=76001068&l=NE&b=1&t=1048279276';yviR='us';yfiEA(0);</script><script language="JavaScript" src="http://us.i1.yimg.com/us.yimg.com/i/mc/mc.js"></script><script language="JavaScript" src="http://geocities.com/js_source/geov2.js"></script><script language="javascript">geovisit();</script><noscript><img src="http://visit.webhosting.yahoo.com/visit.gif?us1048279276" alt="setstats" border="0" width="1" height="1"></noscript>
<IMG SRC="http://geo.yahoo.com/serv?s=76001068&t=1048279276" ALT=1 WIDTH=1 HEIGHT=1>
0
 
Tom KnowltonWeb developerAuthor Commented:
><!-- text below generated by server. PLEASE REMOVE --


said "server" belongs to Geocities.
0
 
bvinsonCommented:
knowlton,

Please check your email.  I have sent you the method I used to get to your "protected" file.

bvinson
0
 
moduloCommented:
Hi all,

This Q is in the "grey" area as far as I can determine according to the EE memberagreement.

It can be seen as testing, but also as the not allowed hacking.

I'll mail the link to our site admin and keep "an eye" on this Q.

modulo

Community Support Moderator
Experts Exchange
0
 
Tom KnowltonWeb developerAuthor Commented:
modulo:

Even if the page is being hosted on my free Geocities account and I am purposefully saying "please hack this page"?

I really don't see the harm here.

BUT

I don't want to cause trouble, either.

Let me know,

Tom
0
 
bvinsonCommented:
modulo,

I completely understand.  However since I am in no way qualified to be a hacker and I was able to get in, then I think this one really should be considered a test.  ;)

I am in firm support of EE in trying to disuade hackers - or at least not provide a forum for them to further their skills, so any decision reached by EE on this is fine by me.

bvinson
0
 
Tom KnowltonWeb developerAuthor Commented:
Aren't the best Security Experts actually of the "hacker" mindset or inclination?

To defend against them you have to know what they will try, or try to anticipate what they will try, correct?  You have to "get inside their heads" to provide good security.

I think EE is the perfect forum for this.

I will take answers offline if you don't want them posted here:

tom@thebuyersfund.com
0
 
Tom KnowltonWeb developerAuthor Commented:
bvinson:

Your e-mail has not arrived yet.

I am interested to find out what you did.

Tom
0
 
bvinsonCommented:
Tom,

Have you looked at my solution?

bvinson
0
 
Tom KnowltonWeb developerAuthor Commented:
bvinson:

I just refreshed my e-mail and your solution has not arrived yet.

Tom
0
 
moduloCommented:
Hi Tom,

Having posted over 400 questions here, I do believe you on your word.
That's also why I didn't post (as I would do on a hack question) that the Q is to be deleted.

Never the less I posted to make sure we're all aware of the danger. Often it's enough just to realise that.

Just consider this thought:
A hammer is a regular tool, but also a deadly weapon !

modulo

Community Support Moderator
Experts Exchange
0
 
COBOLdinosaurCommented:
>>>I really don't see the harm here.

I asked for a mod to look at it because of where it can lead.  I can understand your need for testing, but having this on the site can encourage others to do the same thing and there is a danger of serious hacking methods being posted.  

Everyday questions have to be removed from the site because they are posted by individuals looking for hacks.  I am not questioning your integrity, I just don't want to see the boundaries get blurred.  I hope you understand, that I asked for review for that reason, not because I think there is any malicious intent.

Cd&
0
 
bvinsonCommented:
I sent it to the email in your profile first, but have now sent it to tom@thebuyersfund.com

bvinson
0
 
bvinsonCommented:
Just as a funny/interesting aside here...I think its ironic that the dispute over whether this post should be allowed on EE when the site in question concerns business ethics.  ;)

bvinson
0
 
Tom KnowltonWeb developerAuthor Commented:
COBOLdinosaur:

I do see your point.  I certainly don't want to propogate questions such as "10 ways to hack a web page"

bvinson has actually been very discreet in showing me the way he actually found my password (which he did do).

I will not reveal how bvinson did it here.  If anyone wants to know, I guess they can ask bvinson for his e-mail address and see what he says.

Thanks,

Tom
0
 
Tom KnowltonWeb developerAuthor Commented:
bvinson:

I totally missed the irony until you pointed it out just now...and you are so correct...I died laughing when I read your posting just now....so funny!!!!

Yeah...my last class before I graduate from college is a business ethics class, lol.  The protected page is our "Group" page to organize our info, etc.

I am glad you are the ethical sort, bvinson (I hope).

Tom
0
 
bvinsonCommented:
Just to head off an influx of emails.  Don't email me for this solution.  ;)

The page owner asked a question.  It was answered and I won't share the answer with anyone else.

Thanks.
bvinson
0
 
Tom KnowltonWeb developerAuthor Commented:
Probably for the best.

This will hopefully keep us out of trouble with the EE staff.  :)

Thanks again, everyone!!!!

Tom
0
 
bvinsonCommented:
Don't forget to accept an answer.

bvinson
0
 
Tom KnowltonWeb developerAuthor Commented:
Excellent job everyone.

I wish there was a way to "split" the points for this question.  A few other people have been super helpful.

I guess I can do a new "Question" to give points to some of the other Experts who have posted here, like Matt.

Tom
0
 
mattjp88Commented:
the path to the file and the password is encrypted so i would ned to encrypt them and them insert them into the script just e-mail them to me

mattjp88@nycap.rr.com

matt :-)
0
 
mattjp88Commented:
i will still give you the script if you want it?
0
 
Tom KnowltonWeb developerAuthor Commented:
Matt:

I think I will think about what you are asking me to do some more.

The web page is super super simplistic...not worth protecting beyond what I have already done.  With the Geocities FREE account I think I have done the best I can do for now.

I'll let you know if I change my mind.

50 points for your trouble are available at:

http://www.experts-exchange.com/Web/Web_Languages/HTML/Q_20559230.html



Tom
0
 
Tom KnowltonWeb developerAuthor Commented:
Matt:

Send me the script if it is no bother.

Tom
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 26
  • 8
  • 4
  • +5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now