Hi List,

As this subject may start you wondering what the hell I'm thinking, let me clarify: I've been rewriting a GPL'ed PHP/MySQL app from scratch for the last 12 months or so. It facilitates storage of DNA mutations and the corresponding patient data. Because patient data is involved, privacy is very important.

Now of course I read lots of pages on SQL injection and whatnot, and I strongly believe my application is protected from this kind of abuse. However, believing is not enough. I've had some comments in the past about security (previous version of the software) and although I didn't agree with the criticism, I want to be able to say the new app went through various forms of attacks. This month, I want to release 2.0-alpha-01...

*** THIS IS NOT ABOUT HACKING THE SERVER ***
But about getting into the application when you're not allowed to!

If you feel like helping me out, it's located at http://chromium.liacs.nl/LOVDv.2.0-dev/

1) Please try to get in. There's one account in the system, a database administrator, capable of doing anything. If you get in, you can easily create a new user using the setup tab. This will be the proof of you breaking my security rules.

2) Can you manage to view non-public data? Using the Variants tab, you can see there is currently one entry in the database (with two mutations). This entry has a hidden column, called 'Patient ID'. There is a text string in that column. If you can tell me what that string is, you win :)

3) Feel free to register as a submitter to see if that gives you any rights that you shouldn't have. A submitter is only capable of adding new data to the database (Submit tab), but that data will not be published immediately.

4) After a while, I will release login details of a curator account. This user is allowed to see non-public data and handle the specific gene, but NOT create new users or the like.

If you have any questions, please ask.

Thank you in advance for using your expertise for the good cause :)

Regards,
Ivo

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
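Added here as an illustration of the access rules the mail describes, not LOVD's own code: the hidden 'Patient ID' column and unpublished rows are only returned from curator level upwards, user creation is reserved for the database administrator, and the gene filter is bound as a prepared-statement parameter so it cannot be turned into SQL injection. The point is that the "hidden column" is withheld in the query layer, not merely hidden in the HTML. Table, column and role names are assumptions for the example; it runs against an in-memory SQLite database through PDO (pdo_sqlite required).

```php
<?php
// Added example, not LOVD's code. Role model taken from the mail; table,
// column and role names below are assumptions for illustration.
declare(strict_types=1);

const ROLE_ANON      = 0;
const ROLE_SUBMITTER = 1;   // may submit rows, which stay unpublished
const ROLE_CURATOR   = 2;   // may see non-public data for its gene
const ROLE_DBADMIN   = 3;   // may do anything, including creating users

// Column whitelists: the column list is never taken from the request.
const PUBLIC_COLUMNS  = ['id', 'gene', 'mutation'];
const PRIVATE_COLUMNS = ['patient_id'];

function setup(PDO $db): void
{
    $db->exec('CREATE TABLE variants (id INTEGER PRIMARY KEY, gene TEXT, '
            . 'mutation TEXT, patient_id TEXT, published INTEGER)');
    $ins = $db->prepare('INSERT INTO variants (gene, mutation, patient_id, published) '
                      . 'VALUES (?, ?, ?, ?)');
    // Constructed sample rows: one published, one still awaiting curation.
    $ins->execute(['DMD', 'c.31+1G>A', 'PAT-SECRET-1', 1]);
    $ins->execute(['DMD', 'c.94-1G>T', 'PAT-SECRET-2', 0]);
}

function visibleColumns(int $role): array
{
    return $role >= ROLE_CURATOR
        ? array_merge(PUBLIC_COLUMNS, PRIVATE_COLUMNS)
        : PUBLIC_COLUMNS;
}

// Returns only the rows and columns the caller's role is entitled to.
function listVariants(PDO $db, int $role, string $gene): array
{
    $cols = implode(', ', visibleColumns($role));
    $sql  = "SELECT $cols FROM variants WHERE gene = :gene";
    if ($role < ROLE_CURATOR) {
        $sql .= ' AND published = 1';   // unpublished rows stay hidden
    }
    $sql .= ' ORDER BY id';
    // NEVER build this as "... WHERE gene = '$gene'"; bind it instead.
    $stmt = $db->prepare($sql);
    $stmt->execute([':gene' => $gene]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function canCreateUser(int $role): bool
{
    return $role === ROLE_DBADMIN;
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
setup($db);

// Injection attempt: bound as a literal, it simply matches no gene.
$hostile = "DMD' OR '1'='1";
check(listVariants($db, ROLE_SUBMITTER, $hostile) === [], 'injection neutralised');

$asSubmitter = listVariants($db, ROLE_SUBMITTER, 'DMD');
check(count($asSubmitter) === 1, 'submitter sees only the published row');
check(!isset($asSubmitter[0]['patient_id']), 'submitter never receives patient_id');

$asCurator = listVariants($db, ROLE_CURATOR, 'DMD');
check(count($asCurator) === 2, 'curator sees the unpublished row too');
check($asCurator[0]['patient_id'] === 'PAT-SECRET-1', 'curator receives patient_id');

check(!canCreateUser(ROLE_CURATOR), 'curator cannot create users');
check(canCreateUser(ROLE_DBADMIN), 'database administrator can');

echo "all checks passed\n";
```

Run it with `php example.php`. The two things to carry over to a real application are that the SELECT list and the `published = 1` filter are decided by the session's role on the server, so a client that strips a hidden column from the page or tampers with a request still cannot obtain 'Patient ID', and that every user-supplied value reaches the database only as a bound parameter.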