HSBC plugs hole that exposed site directory
29 Apr 2008 09:49
John Lewis Partnership site rather too open for comfort

Unauthorised usage..
By Anonymous Coward
Posted Tuesday 29th April 2008 11:32 GMT

So does this explain the unauthorised usages on the missus's credit card then? No, this time it's not a joke!! Any other JLP card holders had similar?

Err...
By Tom Chiverton
Posted Tuesday 29th April 2008 11:37 GMT

"Great if you were planning a phishing attack and wanted to get a complete site layout and set of assets"

wget?

Sorry, where's the security problem?
By Anonymous Coward
Posted Tuesday 29th April 2008 11:46 GMT

I'm somewhat confused. Why would 'leaking' the directory structure of your site be considered a security flaw? As an analogy, one would never consider 'leaking' the layout of a building as a security risk*.

* Unless you are the developer of Terminal 5 and for some reason believe this information is top secret... Possibly under the assumption that no one will ever walk around the building....

building
By Mr Smin
Posted Tuesday 29th April 2008 12:19 GMT

Leaking the layout of a building may be an asset to burglars.

Live SQL Injection
By Pink Duck
Posted Tuesday 29th April 2008 12:47 GMT

http://www.hbeu1.hsbc.com/ukservices/branchlocator/town.asp?town=0%20OR%201=1&type=

Need I say any more?

@Mr Smin
By Anonymous Coward
Posted Tuesday 29th April 2008 12:49 GMT

Yes indeed, but it is security by obscurity, which we know does not work.

@Pink Duck
By Anonymous Coward
Posted Tuesday 29th April 2008 14:52 GMT

I'm interested if you can change some details....

Re: Sorry, where's the security problem?
By Dennis
Posted Tuesday 29th April 2008 15:05 GMT

(1) Access to directory listings of the web site can reveal pages that are not linked in. Perhaps the document with the turnover figures that will be released at noon. Perhaps ini files or server side include files with configuration or authorisation details.

(2) Access to directory listings shows that their system build, configuration and testing process is flawed. If they missed an obvious thing like directory listing, what else did they miss?

@AC re: security by obscurity
By frymaster
Posted Tuesday 29th April 2008 15:50 GMT

Depends on your definition of "work". It means any flaws are hard to find. This is a good thing. It gives you more time to find and fix flaws, and means some flaws might never be discovered by baddies at all. What it is NOT is a substitute for finding and fixing flaws. It's a barrier that will keep out riffraff and cause more determined attackers to take more time and possibly be more noticeable. These are all good things. The "security by obscurity" mantra only really applies where people use attempted obfuscation INSTEAD of other methods. And in some fields (cryptography) it is much more beneficial to expose your algorithm to scrutiny to hammer out the bugs - but you still hide your key, don't you? ;)
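Pink Duck's branch-locator URL above works because the town parameter is pasted straight into the SQL text, so "0 OR 1=1" becomes part of the WHERE clause and the query matches every row. The following is an added example (not code from the thread, HSBC or John Lewis) using an in-memory SQLite table with constructed rows and assumed column names; it shows the vulnerable lookup beside its parameterised replacement:

```python
import sqlite3

# Constructed sample rows standing in for a branch-locator table.
# Assumption: the real schema is unknown; these column names are illustrative.
BRANCHES = [
    (1, "Leeds", "Park Row"),
    (2, "Manchester", "King Street"),
    (3, "Bristol", "Broadmead"),
]


def make_db():
    """Build an in-memory database holding the constructed branch rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE branches (town_id INTEGER, town TEXT, street TEXT)"
    )
    conn.executemany("INSERT INTO branches VALUES (?, ?, ?)", BRANCHES)
    return conn


def lookup_vulnerable(conn, town_param):
    """The pattern the thread's URL exploits: the raw query-string value is
    concatenated into the statement, so it can change the query's logic."""
    sql = "SELECT town, street FROM branches WHERE town_id = " + town_param
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, town_param):
    """Hardened form: enforce the expected type, then bind the value as a
    parameter so it is only ever treated as data, never as SQL."""
    try:
        town_id = int(town_param)
    except ValueError:
        return []  # reject anything that is not a plain integer id
    return conn.execute(
        "SELECT town, street FROM branches WHERE town_id = ?", (town_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, town=0:         ", lookup_vulnerable(db, "0"))
    print("vulnerable, town=0 OR 1=1:  ", lookup_vulnerable(db, "0 OR 1=1"))
    print("parameterised, town=0 OR 1=1:", lookup_parameterised(db, "0 OR 1=1"))
```

With the concatenated query, town=0 returns nothing while town=0 OR 1=1 dumps the whole table; the bound-parameter version returns nothing for the tampered value.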