Increase the Forum's Security

[Rikudo Sennin]

It seems this Forum is still vulnerable to hacking, threads like this is an example:

http://naruto.viz.com/forum/showthread.php?t=70755

I think its about time for the Staff to increase the Security of this forum (or even the main site) before something happens.

I made a research, and performed some experiments and to my shock the Forum is vulnerable (.. What if hackers attack w/ the Officials offline?. Its gonna be a byebye for the site/forum.

Previous Experiment of Mine Result:

Spoiler:

Target Information
Target http://naruto.viz.com:80/forum/
Server banner Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6.5
Operating system Unix
Web server Apache 2.x
Technologies PHP

SSL 2.0 deprecated protocol
Vulnerability description
The remote service encrypts traffic using an old deprecated protocol with known weaknesses.
Affected items
Server
The impact of this vulnerability
An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.

also.

Insecure crossdomain.xml
Vulnerability description
The browser security model normally prevents web content from one domain from accessing data from another domain. This is commonly known as the "same origin policy". URL policy files grant cross-domain permissions for reading data. They permit operations that are not permitted by default. The URL policy file is located, by default, in the root directory of the target server, with the name crossdomain.xml (for example, at http://www.example.com/crossdomain.xml).

When a domain is specified in crossdomain.xml file, the site declares that it is willing to allow the operators of any servers in that domain to obtain any document on the server where the policy file resides. The crossdomain.xml file deployed on this website opens the server to all domains (use of a single asterisk "*" as a pure wildcard is supported) like so:
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
This practice is suitable for public servers, but should not be used for sites located behind a firewall because it could permit access to protected areas. It should not be used for sites that require authentication in the form of passwords or cookies. Sites that use the common practice of authentication based on cookies to access private or user-specific data should be especially careful when using cross-domain policy files.
Affected items
Server
The impact of this vulnerability
Using an insecure cross-domain policy file could expose your site to various attacks.

Let us not take this for granted.

[Nick Tasogare]

LOLOLOLOLOLOL

/Dies from inability to breathe

[Ryuuko]

....Wow

[Rikudo Sennin]

Quote:

Originally Posted by Nick Tasogare

LOLOLOLOLOLOL

/Dies from inability to breathe

I am confused right now, anyway
is it okay for me to post the vulnerability details??

Quote:

Originally Posted by Ryuuko

....Wow

huh ?

[Blind Uchiha]

Th3r3 b3 h4x tr0uble on teh f0rum.

[TheBlackChidori]

Rest....Rest assured, the forum is safe and secure. Any past instances....have been well taken care of... >_>

[Rikudo Sennin]

Quote:

Originally Posted by Blind Uchiha

Th3r3 b3 h4x tr0uble on teh f0rum.

!(\/) 4(7l_l411j 5312!0l_l5 '130l_l7 7#!5...
(Im actually serious 'bout this)

EDIT:

Quote:

Originally Posted by TheBlackChidori

Rest....Rest assured, the forum is safe and secure. Any past instances....have been well taken care of... >_>

Well I do hope this is real.

[Nick Tasogare]

STOP IT I'M GONNA SUFFOCATE!

[Rikudo Sennin]

Quote:

Originally Posted by Nick Tasogare

STOP IT I'M GONNA SUFFOCATE!

Ok it seems you're not taking it seriously which means there is nothing to worry 'bout..so im just posting the results of my previous research since its now useless.

Spoiler:

Target Information
Target http://naruto.viz.com:80/forum/
Server banner Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6.5
Operating system Unix
Web server Apache 2.x
Technologies PHP

SSL 2.0 deprecated protocol
Vulnerability description
The remote service encrypts traffic using an old deprecated protocol with known weaknesses.
Affected items
Server
The impact of this vulnerability
An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.

also.

Insecure crossdomain.xml
Vulnerability description
The browser security model normally prevents web content from one domain from accessing data from another domain. This is commonly known as the "same origin policy". URL policy files grant cross-domain permissions for reading data. They permit operations that are not permitted by default. The URL policy file is located, by default, in the root directory of the target server, with the name crossdomain.xml (for example, at http://www.example.com/crossdomain.xml).

When a domain is specified in crossdomain.xml file, the site declares that it is willing to allow the operators of any servers in that domain to obtain any document on the server where the policy file resides. The crossdomain.xml file deployed on this website opens the server to all domains (use of a single asterisk "*" as a pure wildcard is supported) like so:
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
This practice is suitable for public servers, but should not be used for sites located behind a firewall because it could permit access to protected areas. It should not be used for sites that require authentication in the form of passwords or cookies. Sites that use the common practice of authentication based on cookies to access private or user-specific data should be especially careful when using cross-domain policy files.
Affected items
Server
The impact of this vulnerability
Using an insecure cross-domain policy file could expose your site to various attacks.

[TheBlackChidori]

Quote:

Well I do hope this is real.

100%. There is no way that an instance like what happened before, could ever happen again. The Trouble Hacker was a flaw in the system, and we repaired that flaw. It could have buried us...but it did not, for that we are stronger.

I am confident we are safe from such things.

[Nick Tasogare]

Seriously Windking, it's cool. Your vulnerability scan or whatever is just a.... How can I put this? Like a Genjutsu Trap. In actuality, the server.... It's invulnerable, impenetrable, whatever other word might fit. It's just been set up so that it will read as weak, and trick any other hackers. Don't worry dude, we're safe here.

[Vex]

I think this is worthy of consideration, my prince. What can I do to help?

[Rikudo Sennin]

Quote:

Originally Posted by Nick Tasogare

Seriously Windking, it's cool. Your vulnerability scan or whatever is just a.... How can I put this? Like a Genjutsu Trap. In actuality, the server.... It's invulnerable, impenetrable, whatever other word might fit. It's just been set up so that it will read as weak, and trick any other hackers. Don't worry dude, we're safe here.

I cracked acutenix v6.0 and did some scannings,, anyway as TBC was saying..Nothing to worry because it seems you people are stronger than those hackers..

..and im not of them now..

[TheBlackChidori]

Either way, Viz has a tech department to handle such matters.