Posted: 07-01-2015 07:28 AM » Editted: 07-01-2015 07:31 AM |
|
So this morning when i got the Report from the Nightly Security test that is run on FurrTrax by a third party, they sent me a panicked E-Mail saying there was a severe SQL Injection exploit on the homepage that was confirmed to be allowing direct writes into the database server and possibly reads as well. And that i needed to contact them at once to find out the details to the vulnerability.
I read over the brief report in the E-Mail they sent and found they were noting it was related to the (Alternate) meta tag which helps Google know where to find the Mobile Friendly version of the homepage, and other pertinent pages like mobile profiles, etc....
When all is said and done what they termed as a severe exploit and panicked over turned out to be a completely harmless and un-exploitable url carryover, in which some completely inept or half asleep analyst fell out of his chair when he saw and set of the red alert over nothing.
IF you add exploit code a certain way, the alternate tag was linking you to the mobile site, along with including the exploit code, However the page on the other end, immediatly blocked you and even said, you've been blocked because there is bad stuff in your link, in more technical terms.
I had a interesting discussion with them and even showed them the snippets of code to prove its completely secure and their Level 2 guy educated the lower guy in how not to make the same mistake again.
Best part was untill Level 2 got involved the lackey was telling me i didnt know what i was talking about and that he was the expert and he knew it was a gaping hole. Turns out the gaping hole was in his brain.
uhhhhhhhhhh..........
Editted by Admin DarkXander
|