Home page logo
/

basics logo Security Basics mailing list archives

Re: PHP/MySQL image gallery penetration testing
From: Cory Swanson <cory () spydertechsolutions com>
Date: Thu, 25 Oct 2007 15:44:21 -0600

Simon,

May I ask why one would be concerned with being able to download all 4
images from the site at once? You said that they rotate every day so
couldn't they just wait a day at a time and Right-Click / Save-As ? Do
these images contain important information which someone would want to
have right away?

I'm sorry but I just can't see why this would be a vulnerability unless
you were running an image hosting site like imagevenue.com or something
and didn't want people leeching entire galleries at once and eating
bandwidth.

Perhaps you can provide more information.

Cory

On Thu, 2007-10-25 at 18:34 +0200, Simon Jolle "sjolle" wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi security list

At our site we have 4 images on the website (rotating every day). The
webdev department doesn't allow me access to the source (additionally I
am a non-programmer)

The URL looks http://www.example.com/image.php?src=imagename.png, where
imagename.png is random generated.

What techniques can be used by a attacker to download every image? What
tools can be used to test potential vulnerabilities?

cheers
Simon

- --
actually, I think Windows Vista has done more than virtually any OS
release to promote the use of Linux (Slashdot comment, 4. Oct 07)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHIMWEEMN/lNE/wrwRAubcAJ0UXU34ca1ijp4J5fNrgsCsDZwg7QCgh9dd
WSbDPq6dZpCGCDKZTsj8tiY=
=2mrF
-----END PGP SIGNATURE-----

Cory Swanson
Director - Spyder Technology
http://www.spydertechsolutions.com
Office   (208) 947-4693
Mobile  (208) 695-5110



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault