
Vulnerabilities Scanning

Open belazaras opened this issue 10 years ago • 7 comments

Hello there, I hope you continue working on this project. I'd like to perform penetration testing on it, as I've already found code that leads to SQL injections. If I craft an example in which I exploit it and then a piece of secure code, would you accept the pull request? Thanks, Nico from Argentina.

belazaras avatar Nov 09 '14 23:11 belazaras

Nico,

We would love it if you could alert us to any insecure source-code we may have, because we as developers are somewhat inexperienced when it comes to security. We would gladly accept any modifications to the source code which would make it more secure.

Thanks,
Tyler Butler
Monitordroid Lead Developer

tyler124 avatar Nov 10 '14 01:11 tyler124

Just following up, have you found anything with your penetration tests?

tyler124 avatar Nov 12 '14 18:11 tyler124

Sorry for not answering earlier. Yes, not SQL injection for the moment, as you used PDO, right? But I did find some bugs related to not checking if the user is logged in or has a valid session. I will do a pull request as an example in one of the pages fixing it, and then you can do the same with the others =D

belazaras avatar Nov 12 '14 18:11 belazaras

Are you talking about the live commercial application hosted at http://monitordroid.com? Because there is no access control in the open source version listed here.

tyler124 avatar Nov 12 '14 18:11 tyler124

Yes, I'm talking about pages like this one, where I guess one shouldn't be able to see without logging in first: http://www.monitordroid.com/app/command.php

belazaras avatar Nov 12 '14 18:11 belazaras

Hi, are you still there? I can send you a pull request with an example on, say, the command.php file, showing how to properly check if there is a valid session. Let me know if you're interested :D

belazaras avatar Dec 09 '14 15:12 belazaras
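The session check belazaras offers to demonstrate for command.php, written out as an added example; this is not code from the Monitordroid project or from anyone in the thread. It assumes a PHP 7.3+ application where the login page stores the authenticated user's id in `$_SESSION['user_id']` (the key name, the `auth_guard.php` file name and the `login.php` redirect target are all assumptions), and that every page that must not be reachable anonymously includes the guard before it does any work.

```php
<?php
// auth_guard.php (assumed file name): a reusable login check for pages such
// as command.php. Added example, not Monitordroid code.
declare(strict_types=1);

/**
 * Stop the current script unless the visitor has a valid, non-idle session.
 * Redirects anonymous or expired visitors to the login page.
 */
function require_login(string $loginPage = 'login.php', int $idleSeconds = 1800): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Cookie flags: unreadable from JavaScript, HTTPS-only when served
        // over TLS, and not sent on cross-site navigations (array form needs PHP 7.3+).
        session_set_cookie_params([
            'httponly' => true,
            'secure'   => !empty($_SERVER['HTTPS']),
            'samesite' => 'Lax',
        ]);
        session_start();
    }

    // No user id in the session: the visitor never logged in (assumed key name).
    if (empty($_SESSION['user_id'])) {
        header('Location: ' . $loginPage, true, 302);
        exit; // header() alone does not stop execution; the page body would still run
    }

    // Expire sessions that have been idle longer than $idleSeconds.
    if (isset($_SESSION['last_seen']) && (time() - (int) $_SESSION['last_seen']) > $idleSeconds) {
        $_SESSION = [];
        session_destroy();
        header('Location: ' . $loginPage, true, 302);
        exit;
    }
    $_SESSION['last_seen'] = time();
}

// Usage at the very top of command.php (and every other protected page),
// before any HTML or command handling:
//
//   require_once __DIR__ . '/auth_guard.php';
//   require_login();
//
// The login page, after verifying credentials, should call
// session_regenerate_id(true) and then set $_SESSION['user_id'].
```

The `exit` after each `header('Location: ...')` is the part that is most often forgotten: a redirect header by itself does not prevent the rest of the page from executing and emitting its output, so a scanner or a client that ignores the redirect would still see the protected content.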

Hello, I've just done a vulnerability scan of your live site @monitordroid.com. I will email [email protected] with the full document. I found 6 High Alerts and 2 Mediums; my email is [email protected]. We are a new security analysis company.

LancerLunatic avatar Oct 25 '15 18:10 LancerLunatic