As far as I can remember, Nik jumped in the Chatterbox some time ago with a story that someone "hacked" into the server he had his website on due to poorly written scripts and asked for help. Asking is -IMHO- not a bad idea, but as usual, some people have problems with this way of asking.

Nik, maybe you could post the script that you feel worried about, so we could check it and make recommendations? Even parts of the script would help, I think (of course, take out passwords and other "private" information).

That would take out the fun for some people, but I believe it's even better, cause then "we" could even spot problems that some evil h4x0r might hit by lucky guessing.

Asking others to find security problems for you by hacking into your site -- a site that you already brought to its knees once with security problems, and a site that you already know currently still has at least a couple -- is a bad idea.

Telling us there exist problems, and suggesting we might find them if we try is just asking for more trouble than you can deal with.

But even more important than that, you seem to believe that security exists through obscurity. That is to say, if the security problem is not announced, it must therefore be pretty secure. It's not. Though the dozen or so people who read your post with enough ambition to actually look at the site may or may not find the issue after casual looking, that doesn't tell you anything about what the 300 million other people on the Internet may be able to find.

Security isn't a matter of being lucky enough that people don't find the flaw. It's a matter of taking care to prevent flaws from being accessible.

• use taint mode
• sanitize your external inputs and accept only what you expect to get (numbers, strings, specific sizes, etc)
• use placeholders for SQL values
• use system(), exec() in list context
• have your design and code reviewed by a peer
• implement good audit logs and backups (update)

Can you find [flaws and vulnerabilities] by just looking at the html output?

You can find hints by looking for HTML forms and the fields they contain. If some fields look like they might hold things like database field names or email addresses, they're a natural candidate to attempt to hack. If they hold things like object IDs, people will try faking a form submit with a different object ID, just to see if they can view or modify other data.

Now please go away and stop inviting people to commit crimes. If you really want people to try and hack your site, you hire someone and give them a watertight contract, so they won't get sued by you or your hosting company. Letting someone check the code will likely be more effective, though I don't think you actually CARE about any security risks.

Do not approve the parent node.

Your question is out of line. By asking whether we can find the holes you are asking us to look at what you linked to and see if we can hack it. That's an invitation to do something illegal (for most people, I expect). I've considered your node to encourage people to not approve your node.

I would not recommend however, broadcasting your web address and the fact that you have security issues anyway. Much less a place were the level of technical achievment amoung it's users is so high. You may unwittingly be suggesting a challenge.

Cheers

You might want to see the thread CGI (in)security about cgi security.

the question is if you dont know the source code can you find securuty flaws and vulnerabilities in the cgi script?!?!?

You'd better try asking your question here, where it's the purpose...