Admin
The page test.html calls urchinTracker() from http://www.google-analytics.com/urchin.js. JavaScript is Greek to me, so I have no idea what it does. Probably just keeps track of how many people have hacked. :) I tried to submit their form, but it was broken. I wonder who wrote it.
Admin
It's not really a password, just whatever you put in with ".html" at the end. If you type the word "warning" into that field, you'll get the same page you're on.
Admin
Why wouldn't you tell the clients and save them some money? And why would you tell the scamming company? Just seems childish and stupid. Sorry I'm responding in a mean way, but it just doesn't make sense to be that heartless.
Admin
Your sales rep sucked. What he said, did, and sent made your business seem like a scam.
If the author is guilty of slander then so are all your clients he called to get their honest opinion of your services.
You should look in your client list and find some competent web designers.
Admin
Located in Florida eh? Florida is the "right-to-scam" state, isn't it?
Admin
http://answers.yahoo.com/question/index?qid=20080221122622AAn21Qx
Holy crap, did you see the smear campaign they waged against the responder? LOL
It's funny that they had to post 7 replies to try and discredit the answerer, and even funnier that they say things like "grow up"!
Admin
Thanks to the wonderful person who caught this flaw. I co-own Professional Security Services Inc., and our business information was kindly displayed to the world via the hole in this so-called 'legitimate' business, that we've never heard of (page 4). Besides that, no harm done on our part, and if anything came from it, it was more advertising. A scary way of doing it, but we prefer to maintain a positive attitude. Again, thanks to the whistle blower, those who maintain this site, and all hackers that enjoy knocking companies off their high horse before the bad guys actually get the information.
Admin
http://funnyhack.blogspot.com
Here you can see some funny hack tips and tricks.
Admin
You've.. GOT to be kidding me! They still haven't learned, apparently. Their only sense of security heavily relies on relative obscurity. It didn't take much skill to break through their current "wall of security" today, either.
I just went to their front page, http://www.federalsuppliers.com/ and clicked on "Agent Login", which led me to http://www.federalsuppliers.com/component/option,com_wrapper/Itemid,51/lang,english/. Just clicking "Verify" without entering a password showed me that they were putting the login form itself inside an iframe -> http://www.federalsuppliers.com/agent_login.html. The source of this page shows the following snippet just around the login form code portion:
Admin
Password is still in the page, but now it's called pass_form. Try hitting this page and using the value of pass_form.
Wow... these guys are bright.
Admin
Dang... Kim André Akerø beat me to it... sorry for the dupe post
Admin
Even after a month... they STILL aren't getting why their security sucks... :\
Admin
This is great - I like how you begin with telling us about your kids and how your feelings are hurt, etc. etc. It is, after all, OK to scam money out of people if you have some kids. I am sure they are all millionaire fatcat bachelors with no dependents. No small business run by a family barely getting by, investing a large portion of their savings in a listing in a database that gets them nothing, will end up being destroyed by these hard sell tactics.
Also, accessing a publicly available web page is, last I checked, not illegal. You gave out the password freely, to the public, no 'hacking' involved. Viewing source is hacking in the same way that window shopping is armed robbery. And where is the comment that is 'not truthful'? The statement that he called some of the clients and they were not satisfied? Are you saying every one of your clients gets showered in federal contracts? And slander? Again, where is the untrue comment? The author says he thinks this is a scam. That is an opinion. Are you saying he doesn't think it is a scam, and is lying about that opinion? Wouldn't that be slandering himself, not the company? On the plus side, this is one of the funnier things I have read today, so thank you for that. Keep up the good work.
Admin
Really impressive that they do not seem to get it.
If I had money like shit (sounds like) and had a technical problem (looks like), I'd call somebody to help me, be it for money, and be it somebody from the directory I hold.
Admin
They've finally fixed it. Now it's top of the line security.

<!-- // **** You WILL NOT get access without a valid password ****
var suffix = ".html";
// **** javascript:IPcatch:subject?Source_code_violator ****
var pass_msg = "Enter Password: ";
var pass_form = "agents08-dsp";
function go_there() {
    location.href = document.pass_form.pass.value + suffix;
}
document.write('<form name="pass_form" onSubmit="go_there();return false">' +
    pass_msg + '<input type="password" name="pass" size="20" value="">' +
    ' <input type="button" value="Verify" onClick="go_there()"></form>');
// -->
Admin
Lammer:"Man, I got 5 kids to feed..." So called hacker:"I thought you said you had 4." Lammer:"Gimme your credit cards."
The "So-Called-Hacker" checked with your customers. You can scam the gov't quite easy-like. My Father did it for 8 years. If this guy is telling the truth, I'll eat my hat.
Captcha: Erat. Doushenozzles are e-rats. Doushenozzles like this guy.
Admin
What's with the title of the page? "Agents Government Work Securing Federal State GSA Contracts Listing Federal Suppliers Guide"
Admin
You don't even need a password anymore to get to the agent page.
This link goes straight to it! -http://agents.federalsuppliers.com/target.htm
They also changed the login method. The password entered is the actual page name. They add the suffix .html to the end of the password to redirect to a page to open the link above!
Admin
These guys are so low budget, it's unbelievable.
They changed their "secure" login page to an IFRAME and now you don't even have to know a password embedded in JS - you just have to piece together a URL:
Despite the scary commented warning to all of us "hackers", you do indeed gain access with this url:
http://www.federalsuppliers.com/agents08-dsp.html
Presto! You're greeted with a warm-feeling "You have been authenticated!" reward message for getting in - and then you may browse the horribly formatted list beyond this golden gate.
Apparently, they spend so little on IT (as if you couldn't tell from the security), that they roll out updates with a double KO combo of MicroVision WebExpress and Word's "Save as HTML" function, (from MicroVision's website) "Now anyone can have a quality web page without spending a lot of time or money." Now, why should companies spend good money to list when federal suppliers definitely doesn't want to spend the money to keep it up properly?
For kicks check the source to find author names like Donna DeBoer and Customer.
Admin
Been changed again, dangit, it took me a little while to work out the 2048-bit RSA cipher this time....
Admin
http://agents.federalsuppliers.com/target.htm
Look ma, no password!
Admin
This has been going on for months. You'd think they'd just hire somebody that knew something about Web security and end this. Idiots.
Admin
23rd April and the thing has still got a JavaScript password.
Even a complete novice would have been able to find an online tutorial on how to do basic server-side password verification by now.
That is assuming that their hosting account allows for a server-side script (most of the free ones don't).
Admin
I'm tempted to offer to secure their site for a nominal fee. Say, about $10,000. Best five minutes of work I'd ever do. ;-)
Admin
Wow. Just... wow. You know, people could get away with javascript passwords... in 1998. Hell, you could even obfuscate the password using javascript or simply secure it using .htaccess, but no. They are complete and utter morons.
I just ran wget -r on their site. I'll write a secure version, rebrand it and make millions! Seriously, I've had this list for years. It's called yellowpages.com.
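The .htaccess route the post above mentions, as an added example that is not from the thread or from the site it discusses. It assumes Apache httpd with mod_auth_basic and mod_authn_file loaded and "AllowOverride AuthConfig" in effect for the agents directory; the file paths are hypothetical.

```apache
# Added example, not from the thread. Assumes Apache httpd with mod_auth_basic and
# mod_authn_file loaded and "AllowOverride AuthConfig" set for the agents directory;
# the file paths below are hypothetical.

# Weak: the scheme the thread describes. Nothing runs on the server; the "password"
# is just the file name, so anyone who reads the login page source requests it directly:
#   GET /agents08-dsp.html   -> served, no check at all

# Corrected: .htaccess inside the agents directory. The server enforces the check on
# every request, and the credential file lives outside the document root.
AuthType Basic
AuthName "Agent area"
AuthUserFile /var/www/private/agents.htpasswd
Require valid-user
```

Create the credential file with one entry per agent, e.g. `htpasswd -B -c /var/www/private/agents.htpasswd agent1` (-B stores a bcrypt hash, so the file holds no plaintext). Basic auth sends the password base64-encoded on every request, so this only makes sense on a site served over HTTPS.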
Admin
Hilarious. I only read the first page because I've got no time, but where he threatens you and says he tells you about his kids - lol -
Death to scammers. There's a reason comcast.fl is blocked at the firewall.
Admin
If you want to take the easy copy-and-paste approach instead of using a database (you make millions, I bet! and you can't even afford a decent developer?):

<?php
if (isset($_GET['auth']) && $_GET['auth'] == "pazzwurdl0lz123") {
    include("shitty_catalog.html");
} else {
    die("ERRAR INVALID PAZZWURD!!!!!1");
}
?>

login.php?auth=pazzwurdl0lz123

Hey, at least nobody will be able to see your password WITH THE CLICK OF TWO FUCKING BUTTONS.
View->Page Source. THAT IS ALL IT TAKES. Why can't you get it?
Admin
http://en.wikipedia.org/wiki/Honeypot_%28computing%29
Admin
Actually, the password need not be in the iframe anymore, but they are putting it!!! There are actually two things called pass_form (a variable and a form field). The variable is unused, but they still send it and it has the password in clear!
Admin
Honeypot!? Are you kidding me? A honeypot for people who know how to view source... yeah, that's gonna attract all the 1337 eastern European blackhats.
Admin
Well, it's been a while since the author first "hacked" their "secure area", but they have yet to rectify the situation.
The only explanation I can put forward is that they honestly think that the people posting on this forum are a bunch of hackers. Hence, they probably don't feel it's worth spending money getting a real website made, since normal, non-hacker types won't be able to "hack" in, and there are very few "hackers" out there who know how to do this type of thing.
godspeed, fsg, godspeed.
...that name reminds me of a food preservative.
Admin
I can just see their next security step is to disable right click. hahahaha
Admin
*internets
Admin
Perhaps someone should report them to the Better Business Bureau or something. This is absurd. Somebody needs to convince them that they need REAL security.
Admin
New website, new poll: http://www.federalsuppliers.com/
Sadly their poll has trouble "remembering" ip addresses ...
Admin
It would seem that they finally got a clue and set it up correctly. The Agent Login page now goes to a page that uses Joomla's PHP-based login system (I believe). Which is good, because now maybe they will actually realize that one login for everybody is really a bad idea... Glad to see a happy ending to this.
Now if we can just get them to start doing what they advertise, per the comments of other people who have "used" the "service" and didn't get anything out of it...
Admin
Damn, they changed it to php. It looks like they need a CAPTCHA on their polls, or at least an IP recorder.
Direct Marketing - Email 1337 84%
Combination of two or more of the above 138 8.7%
;)
Admin
This is absolutely hilarious. These people are completely out of their mind and don't know a thing about security. As if JavaScript is the only thing that exists these days. For God's sake, use PHP or CGI!!!
Admin
HAHAHAHA.... There are absolutely no legal lines to be crossed here. He is giving the complete truth about what happened, and even I, who barely knows anything about security, can tell you that that is the absolute stupidest way to secure your site. I do not believe that this is not a scam, and am looking into taking legal action on behalf of all the people who you have "scammed" (the post even gives real examples).
Admin
Do you really want to remain hidden from GOOGLE? Crawlers always try to get deeper into your web sites. Google has recently decided to let its Googlebot crawl through forms in an effort to index the "Deep Web". Googlebot is about to start submitting forms in an effort to get to your website's deeper data.
Want to read the whole story? http://sanjevsharma.blogspot.com/2008/04/googlebot-attacks.html
Admin
Hey, these guys are legit for sure! They have Segways at their head office!
http://www.federalsuppliers.com/content/view/12/26/lang,english/
See!
Admin
What is funny is they now claim SSL transactions though their pages are not even filtered through SSL. They have mod_SSL installed on their server, but that doesn't make the connections SSL hah!
Admin
Either I missed out in grade school math classes, or something just shouts faked data to me: [image]
Admin
Sorry about the double post.
Btw, I found this really interesting site that lists a bunch of businesses: http://www.federalsuppliersguide.net/?_name=&_description=&_q1=&_q2=&_q3=&_orderBy=name
Admin
Heh, funny how their company at http://www.federalsuppliers.com/ uses an open source content management system called Joomla http://www.joomla.org/ to build their website.
Just found that kind of funny, Taccs.
Admin
Seriously, some 13 year old could have come up with that story. What kind of company replies to a blog? Your website is nothing but text, imagery, and lies. You're just another parasite on the nationalist economy. Die.
Admin
Looks like someone did hack their site:
Main heading is "Where fuckers and qualified small businesses meet"
and in the source, it says: <!-- D.T. WAS HERE ASSHOLES! -->
I guess it was just a matter of time given their practices.
Admin
Well, Mr. You-Don't-Give-Your-Name, have you always been a legit company, or just recently? Have you got one person out of a million who has actually got a job from it? So go ahead, keep ripping people off. I hope you sleep well at night.