44 replies to this topic

[MichaelZ]

I couldn't get you. Can you please explain?

Hi Holmes.Sherlock,

what I wanted to say is that you don't have to enter an URL necessarily manually in the address bar of the browser. You could also use your browser, log out but keep the browser open, switch to your e-mail program and klick a link in an e-mail pointing to a page. Depending on the settings of your browser a new window is created, a new register tab in the existing window is created or simply the existing window is used.

I think this bug is fixed. Can you please try it again & let me know?

yes, the bug is fixed. When you log out you will be presented index.php with the login form. Manually calling challenge.php leads again to index.php with the login form.

What remains is the problem (security hole?) after entering no user name (later after attaching the user database probably same problem with invalid credentials?). I know, it's not quite fair. But doable...
You try to login without entering a username. You get a page with an error message. Then you manually call challenges.php and you get the list of challenges. I guess it shouldn't be possible to see the page without being logged on.

Many Greetings
MichaelZ

[Holmes.Sherlock]

What remains is the problem (security hole?) after entering no user name (later after attaching the user database probably same problem with invalid credentials?). I know, it's not quite fair. But doable...
You try to login without entering a username. You get a page with an error message. Then you manually call challenges.php and you get the list of challenges. I guess it shouldn't be possible to see the page without being logged on.

That will be fixed tonight. Today morning, I didn't have much time left to work on as I had to hurry up for the office.

[Holmes.Sherlock]

I'm happy to see that someone has tried to find out the possibility of SQL Injection attack on our challenge site by feeding malformed strings. This is actually good & you can take it as a challenge, too.

[MichaelZ]

Hi Holmes.Sherlock,

do you plan to open the specific challenge page when someone opens a link such as
http://challenge.99k...llenge_Index=15
and she/he passed the login page successfully?

Many Greetings
MichaelZ

P.S. I liked ShowChallenge.php much better with Challenge_Index having also mixed case. OK, there also was an inconsistency in the old style URL: ShowChallenge was without underscore and Challenge_Index with...

[florin91]

SQLI ? What sql when this site does not use a database and it works with every username I try

Try to not enter any username and you will find an interesting bug!

[Holmes.Sherlock]

SQLI ? What sql when this site does not use a database and it works with every username I try

Sorry, I couldn't get you.

Try to not enter any username and you will find an interesting bug!

Already reported.

[Holmes.Sherlock]

do you plan to open the specific challenge page when someone opens a link such as
http://challenge.99k...llenge_Index=15
and she/he passed the login page successfully?

Already planned.

[Holmes.Sherlock]

What remains is the problem (security hole?) after entering no user name (later after attaching the user database probably same problem with invalid credentials?). I know, it's not quite fair. But doable...
You try to login without entering a username. You get a page with an error message. Then you manually call challenges.php and you get the list of challenges. I guess it shouldn't be possible to see the page without being logged on.

Can you please give it a try now? And try it both enabling & disabling Javascript.

[joseph.paglia]

Ask to change around the outcome of the colour choice, ie pick a black pebble and she need not marry him and her father's debt would still be forgiven. The probability would remain the same for a fair choice so why would the moneylender object?

[pscEx]

That's real creativity!

A single person with creativity can beat a whole army of people with excellent knowledge.

Peter

[pscEx]

@joseph.paglia: You should think about joining the Team Reboot.

Peter

[joseph.paglia]

@joseph.paglia: You should think about joining the Team Reboot.

Peter

Well thank you Peter, I'll think about that.

[Holmes.Sherlock]

Ask to change around the outcome of the colour choice, ie pick a black pebble and she need not marry him and her father's debt would still be forgiven. The probability would remain the same for a fair choice so why would the moneylender object?

Welcome to the board. But dear, in future, before posting on any thread, please have a look at the topic title.

[MichaelZ]

Can you please give it a try now? And try it both enabling & disabling Javascript.

Hi Holmes.Sherlock,

a missing user name will now be detected.
When Javascript is enabled an info message is shown. When Javascript is disabled nothing happens. Also nothing happens when an user name is given and Javascript is disabled.

Many Greetings
MichaelZ

[Holmes.Sherlock]

Hi Holmes.Sherlock,
a missing user name will now be detected.
When Javascript is enabled an info message is shown. When Javascript is disabled nothing happens. Also nothing happens when an user name is given and Javascript is disabled.

So in any case, you can't enter a NULL from the UI provided. Now, if you or anyone have time & energy, he/she can alter the HTML & try to bypass the frontend to feed NULL directly.

[Holmes.Sherlock]

do you plan to open the specific challenge page when someone opens a link such as
http://challenge.99k...llenge_Index=15
and she/he passed the login page successfully?

Done. Can you please check it & report back?

[MichaelZ]

Done. Can you please check it & report back?

Hi Holmes.Sherlock,

it works (tested with IE9 and only session cookies enabled).

Many Greetings
MichaelZ

[Holmes.Sherlock]

While solving a challenge, please do login with your reboot username so that when we'll collect stats at the end of the month, we can identify & announce the the names of the member who has successfully solved the challenge or solved the challenge first etc.

@Challenge Starters
Please do not directly reply to questions like "Is this key correct?" or similar. Use the challenge thread to guide or distribute clues to people. But, when someone wants to verify their answer, please redirect them to the respective page on the challenge site. Because, many of them may not even know the presence of challenge site till now. This will help to achieve the point mentioned above.

[Holmes.Sherlock]

Some of may already have faced login issues while trying to get into the challenge site. This is because of a bug in their database implementation. Please refrain from using the site until it is fixed.

[Holmes.Sherlock]

I think the site can be accessed again. In case you face issue like this again, please let me know reporting on this thread.