Possible Security problem at Hosting Site

Discussion in 'other security issues & news' started by mikisu, Apr 23, 2006.

Thread Status:
Not open for further replies.
  1. mikisu

    mikisu, Registered Member. Joined: Apr 14, 2006. Posts: 72. Location: Sydney.

    Today, I inserted a signature photo at a forum, through one of the better known Host Sites.

    I then logged out.

    The photo appeared correctly, at the nominated forum page.

    Accidentally, I clicked onto the sig. photo and was immediately taken back to my own image and personal browse home page, at the hosting site.

    The photo was acting like a URL.

    This then gave FULL access to my computer, when the upload browse button was pressed.

    This has never previously happened.

    I clicked a few other posters' photos and sure enough, one person's photo enabled access to her host personal image page (which enabled image changes), but not into her computer.

    This is still a breach, but hopefully access only to one's own computer can be made.

    Interestingly, the breach cannot be stopped, even by deleting the photo and the script or corrupting it.

    A rollback of the whole computer to a prior time also failed.

    It just keeps transmitting! :thumbd: :(

    Has anyone any experience?

    The company won't be replying for a day or so, probably have to keep the computer shut down until it's all clear - no?

    Mike
     
  2. mikisu

    To close this sorry saga, no reply has been received from the hosting site whose name is ----- (hehehe)
     
  3. Mrkvonic

    Mrkvonic, Linux Systems Expert. Joined: May 9, 2005. Posts: 8,702.

    Hello,
    You're not making much sense to me.
    First, telling which hosting site that is would help.
    Second, to try to explain things how I see them.
    You can link to clickable thumbnails. For instance, I could upload a pic to a hosting site, then post a link here using some code like [ img ]blahahahah.jpg [ / img ]. When you clicked the pic / thumbnail, you could be taken to the hosting site with the full image. This is often done to reduce bandwidth sucking.
    If you did it from your own computer, you could be taken to your own page, with access to upload, because the cookie is stored locally on your computer. This is what I get when I try to access my own pics at my pc.
    To make sure this is indeed a breach:
    Flush your cache and delete all cookies upon upload. Then go to the site where you hotlinked to your images and click on the pic. See if you still are able to access your personal page.
    If so, then there might be a problem.
    Mrk
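
The cookie test Mrk describes in the post above, as an added example that is not part of the thread. The host, URL, session id and both handler functions are constructed for illustration; the thread never establishes what the actual fault was, so `host_broken` is only one assumed way a private page could end up served to outsiders.

```python
# Added illustration: a constructed, in-memory model of an image host.
from urllib.parse import urlparse, parse_qs

SESSIONS = {"s3ss10n-alice": "alice"}          # constructed session id -> account
ALBUMS = {"alice": ["cat.jpg", "sig.jpg"], "bob": ["dog.jpg"]}


def host_correct(url, cookies):
    """Album page is authorised by the session cookie, never by the URL."""
    owner = parse_qs(urlparse(url).query).get("owner", [""])[0]
    user = SESSIONS.get(cookies.get("sid", ""))
    if user is None or user != owner:
        return 302, "/login"                   # stranger or no cookie: login page
    return 200, {"album": ALBUMS[owner], "can_upload": True}


def host_broken(url, cookies):
    """Assumed faulty variant: trusts the owner named in the link, ignores the cookie."""
    owner = parse_qs(urlparse(url).query).get("owner", [""])[0]
    if owner not in ALBUMS:
        return 404, "not found"
    return 200, {"album": ALBUMS[owner], "can_upload": True}


def breach_check(host, link, my_cookies):
    """Click the link with cookies present, then again after deleting them."""
    with_cookie = host(link, my_cookies)[0]
    without_cookie = host(link, {})[0]         # cache flushed, cookies deleted
    if without_cookie == 200:
        return "problem: private page served without a session"
    if with_cookie == 200:
        return "expected: access came from the local cookie"
    return "no access either way"


if __name__ == "__main__":
    link = "https://imagehost.example/album?owner=alice"   # constructed URL
    cookies = {"sid": "s3ss10n-alice"}
    print(breach_check(host_correct, link, cookies))
    print(breach_check(host_broken, link, cookies))
```

Only the second result, a private page returned with no cookies at all, indicates a fault on the host's side; the first is the normal behaviour of a logged-in browser following its own link.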
     
  4. mikisu

    Thanks for the effort, but regrettably you have not understood the situation as I tried to explain it. :D

    I am aware, of course, of how to enter my site with cookies enabled, without having to re-register, and the implications of that etc.

    I will try again.

    The scenario was that a photo was uploaded to the host site from my computer and from there the usual copy of the relevant URL was made.

    This photo was then loaded onto a public forum post quite normally.

    Upon clicking onto that fully published photo at the forum (by accident), I was taken back to my private, secure home page at the Hosting Site, which contained all my stored photos.

    As a matter of curiosity, the Hosting Site uploading Browse button was then clicked and I was back into the bowels of my own computer, with full access to ANY file.

    The horrible thought was that if I could do that, possibly anyone could.

    I also tried clicking on the photo of another post (NOT MINE) at the forum, where some script was showing on the photo and sure enough, I was taken to that stranger's SECURE home page on the Hosting Site, which gave me full control of the stranger's photos, with the usual power to delete or substitute.

    I didn't go any further, thanks.

    In other words, you have posted an image on this site, which I now click.

    Lo and behold, I arrive in your own private, secure home page at your hosting site containing all your photos, not just the one you posted.

    It is obvious that normal access is from the user's end, not from the receiver's, and luckily this has never happened before.

    Mike
     
  5. Mrkvonic

    Hello,
    Sounds interesting. But you do realize that reaching a homepage is not the same as reaching one's computer, since one probably does not maintain a permanent tunnel to that site from one's computer.
    But the way you explain it, it does sound as if some feature got cankered, which allows outside access to private (cookie-regulated?) pages. But do check again. Clear the cache and cookies, reboot etc., reconnect so you have a different IP assigned.
    Mind telling what hosting site that was?
    Mrk
     
  6. mikisu

    It DEFINITELY was a security breach!! No mistake.

    I would rather not reveal the Site's name, as it may have been a one-off incident, but certainly will if further reports of similar incidents happen.

    It was one of the smaller sites.

    They could have at least had the courtesy to reply to my email.

    The breach was closed within an hour and I have changed Host Sites.

    regards

    Mike
     