On Wed, 22 Nov 2006 09:57:50 +0100, Ivo F.A.C. Fokkema wrote:

> Hi List,
>
> As this subject may start you wondering what the hell I'm thinking, let me
> clarify:
>
> I've been rewriting a GPL'ed PHP/MySQL app from scratch for the last 12
> months or so. It facilitates storage of DNA mutations and the
> corresponding patient data. Because patient data is involved, privacy is
> very important.
> Now of course I read lots of pages on SQL injection and whatnot, and I
> strongly believe my application is protected from this kind of abuse.
> However, believing is not enough. I've had some comments in the past about
> security (previous version of the software) and although I didn't agree with
> the criticism, I want to be able to say the new app went through various
> forms of attacks. This month, I want to release 2.0-alpha-01...
>
> *** THIS IS NOT ABOUT HACKING THE SERVER ***
> But about getting into the application when you're not allowed to!
>
> If you feel like helping me out, it's located at
> http://chromium.liacs.nl/LOVDv.2.0-dev/
>
> 1) Please try to get in. There's one account in the system, a database
> administrator, capable of doing anything. If you get in, you can easily
> create a new user using the setup tab. This will be the proof of you
> breaking my security rules.
>
> 2) Can you manage to view non-public data? Using the Variants tab, you
> can see there is currently one entry in the database (with two mutations).
> This entry has a hidden column, called 'Patient ID'. There is a
> text string in that column. If you can tell me what that string is, you
> win :)
>
> 3) Feel free to register as a submitter to see if that gives you any
> rights that you shouldn't have. A submitter is only capable of adding new
> data to the database (Submit tab), but that data will not be published
> immediately.
>
> 4) After a while, I will release login details of a curator account. This
> user is allowed to see non-public data and handle the specific gene, but
> NOT create new users or the like.
>
>
> If you have any questions, please ask. Thank you in advance for using your
> expertise for the good cause :)

In case anyone is interested, I've created a low-level user ('untrusted') in
the system. Password is equal to username. Feel free to try and do stuff
you're not supposed to, like creating a new user or creating a gene.

Ivo

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php