Jump to content











Photo

Team Reboot Challenge Site


  • Please log in to reply
44 replies to this topic

#26 MichaelZ

MichaelZ

    Frequent Member

  • Team Reboot
  • 330 posts
  • Location:Braunschweig, Germany
  •  
    Germany

Posted 05 September 2011 - 08:30 AM

I couldn't get you. Can you please explain?


Hi Holmes.Sherlock,

what I wanted to say is that you don't have to enter an URL necessarily manually in the address bar of the browser. You could also use your browser, log out but keep the browser open, switch to your e-mail program and klick a link in an e-mail pointing to a page. Depending on the settings of your browser a new window is created, a new register tab in the existing window is created or simply the existing window is used.

I think this bug is fixed. Can you please try it again & let me know?


yes, the bug is fixed. When you log out you will be presented index.php with the login form. Manually calling challenge.php leads again to index.php with the login form.

What remains is the problem (security hole?) after entering no user name (later after attaching the user database probably same problem with invalid credentials?). I know, it's not quite fair. But doable...
You try to login without entering a username. You get a page with an error message. Then you manually call challenges.php and you get the list of challenges. I guess it shouldn't be possible to see the page without being logged on.

Many Greetings
MichaelZ

#27 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1,396 posts
  • Location:India
  •  
    India

Posted 05 September 2011 - 08:35 AM

What remains is the problem (security hole?) after entering no user name (later after attaching the user database probably same problem with invalid credentials?). I know, it's not quite fair. But doable...
You try to login without entering a username. You get a page with an error message. Then you manually call challenges.php and you get the list of challenges. I guess it shouldn't be possible to see the page without being logged on.

That will be fixed tonight. Today morning, I didn't have much time left to work on as I had to hurry up for the office.

#28 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1,396 posts
  • Location:India
  •  
    India

Posted 05 September 2011 - 05:05 PM

I'm happy to see that someone has tried to find out the possibility of SQL Injection attack on our challenge site by feeding malformed strings. This is actually good & you can take it as a challenge, too.

#29 MichaelZ

MichaelZ

    Frequent Member

  • Team Reboot
  • 330 posts
  • Location:Braunschweig, Germany
  •  
    Germany

Posted 05 September 2011 - 05:11 PM

Hi Holmes.Sherlock,

do you plan to open the specific challenge page when someone opens a link such as
http://challenge.99k...llenge_Index=15
and she/he passed the login page successfully?

Many Greetings
MichaelZ

P.S. I liked ShowChallenge.php much better with Challenge_Index having also mixed case. OK, there also was an inconsistency in the old style URL: ShowChallenge was without underscore and Challenge_Index with...

#30 florin91

florin91

    Frequent Member

  • Team Reboot
  • 174 posts
  •  
    European Union

Posted 05 September 2011 - 05:30 PM

SQLI ? What sql when this site does not use a database and it works with every username I try :)

Try to not enter any username and you will find an interesting bug!

#31 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1,396 posts
  • Location:India
  •  
    India

Posted 05 September 2011 - 05:32 PM

SQLI ? What sql when this site does not use a database and it works with every username I try :)

Sorry, I couldn't get you.

Try to not enter any username and you will find an interesting bug!

Already reported.

#32 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1,396 posts
  • Location:India
  •  
    India

Posted 05 September 2011 - 05:33 PM

do you plan to open the specific challenge page when someone opens a link such as
http://challenge.99k...llenge_Index=15
and she/he passed the login page successfully?

Already planned. :yahoo:

#33 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1,396 posts
  • Location:India
  •  
    India

Posted 05 September 2011 - 07:32 PM

What remains is the problem (security hole?) after entering no user name (later after attaching the user database probably same problem with invalid credentials?). I know, it's not quite fair. But doable...
You try to login without entering a username. You get a page with an error message. Then you manually call challenges.php and you get the list of challenges. I guess it shouldn't be possible to see the page without being logged on.

Can you please give it a try now? And try it both enabling & disabling Javascript.

#34 joseph.paglia

joseph.paglia
  • Members
  • 3 posts
  •  
    United Kingdom

Posted 05 September 2011 - 07:40 PM

Ask to change around the outcome of the colour choice, ie pick a black pebble and she need not marry him and her father's debt would still be forgiven. The probability would remain the same for a fair choice so why would the moneylender object?

#35 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12,401 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 05 September 2011 - 07:47 PM

That's real creativity! :1st:

A single person with creativity can beat a whole army of people with excellent knowledge.


Peter
  • joseph.paglia likes this

#36 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12,401 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 05 September 2011 - 07:59 PM

@joseph.paglia: You should think about joining the Team Reboot.

Peter

#37 joseph.paglia

joseph.paglia
  • Members
  • 3 posts
  •  
    United Kingdom

Posted 05 September 2011 - 08:06 PM

@joseph.paglia: You should think about joining the Team Reboot.

Peter


Well thank you Peter, I'll think about that.

#38 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1,396 posts
  • Location:India
  •  
    India

Posted 05 September 2011 - 11:58 PM

Ask to change around the outcome of the colour choice, ie pick a black pebble and she need not marry him and her father's debt would still be forgiven. The probability would remain the same for a fair choice so why would the moneylender object?

Welcome to the board. But dear, in future, before posting on any thread, please have a look at the topic title.

#39 MichaelZ

MichaelZ

    Frequent Member

  • Team Reboot
  • 330 posts
  • Location:Braunschweig, Germany
  •  
    Germany

Posted 06 September 2011 - 06:46 AM

Can you please give it a try now? And try it both enabling & disabling Javascript.

Hi Holmes.Sherlock,

a missing user name will now be detected.
When Javascript is enabled an info message is shown. When Javascript is disabled nothing happens. Also nothing happens when an user name is given and Javascript is disabled.

Many Greetings
MichaelZ

#40 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1,396 posts
  • Location:India
  •  
    India

Posted 06 September 2011 - 11:21 AM

Hi Holmes.Sherlock,
a missing user name will now be detected.
When Javascript is enabled an info message is shown. When Javascript is disabled nothing happens. Also nothing happens when an user name is given and Javascript is disabled.

So in any case, you can't enter a NULL from the UI provided. Now, if you or anyone have time & energy, he/she can alter the HTML & try to bypass the frontend to feed NULL directly.

#41 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1,396 posts
  • Location:India
  •  
    India

Posted 06 September 2011 - 06:39 PM

do you plan to open the specific challenge page when someone opens a link such as
http://challenge.99k...llenge_Index=15
and she/he passed the login page successfully?

Done. Can you please check it & report back?

#42 MichaelZ

MichaelZ

    Frequent Member

  • Team Reboot
  • 330 posts
  • Location:Braunschweig, Germany
  •  
    Germany

Posted 06 September 2011 - 06:46 PM

Done. Can you please check it & report back?

Hi Holmes.Sherlock,

it works :thumbsup: :thumbsup: (tested with IE9 and only session cookies enabled).

Many Greetings
MichaelZ

#43 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1,396 posts
  • Location:India
  •  
    India

Posted 08 September 2011 - 01:03 AM

While solving a challenge, please do login with your reboot username so that when we'll collect stats at the end of the month, we can identify & announce the the names of the member who has successfully solved the challenge or solved the challenge first etc.

@Challenge Starters
Please do not directly reply to questions like "Is this key correct?" or similar. Use the challenge thread to guide or distribute clues to people. But, when someone wants to verify their answer, please redirect them to the respective page on the challenge site. Because, many of them may not even know the presence of challenge site till now. This will help to achieve the point mentioned above.

#44 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1,396 posts
  • Location:India
  •  
    India

Posted 09 September 2011 - 01:03 AM

Some of may already have faced login issues while trying to get into the challenge site. This is because of a bug in their database implementation. Please refrain from using the site until it is fixed.

#45 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1,396 posts
  • Location:India
  •  
    India

Posted 09 September 2011 - 01:54 AM

I think the site can be accessed again. In case you face issue like this again, please let me know reporting on this thread.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users