The Revolution of 9Dragons - Update Patch 95 - Support for Gamer

Quote:

Originally Posted by xtJamie The website is not secure. Every register_username_name and register_password_name are sent plaintext so anyone listening to the network or MITM could possibly see every username and password being sent. Example of this: [Only registered and activated users can see links. Click Here To Register...] The passwords are being submitted via GET and not POST. The GET method will contain the password as a parameter within the URL which means they could be seen in the headers. The forms themselves provide no CSFR security meaning anyone with CSFR understanding can elevate attacks via the applications The HTTP methods are not disabled meaning you could exploit the options methods on the web server. The login is open to brute force attack: GET /?login_password_name=gdjVmXCf&login_username_name= EUBNHBnB The SSL is 2.0 which is outdated, insecure and deprecated - exploitation available using CRB. The conf directory is exposed The custom 404 allows the attacker to view information on the web server. [Only registered and activated users can see links. Click Here To Register...] was detected when launching your ndlogin because it was opening a number of large range udp/tcp ports - something it shouldn't be doing. Also can you please explain the command prompt loading for a single second and spawning a process which was 'hidden'? "There was no one radish nothing here! By the way, your IP stored in the system:, careful nhoa !! Where touch nhoa wrong here !! :)" Storing someone's IP address in the system because you're able to use any packet analysis tool to find the IP addresses of the servers - cute.