The new rtl.hr — 0wned by yours truly +
The new RTL Hrvatska website has been redesigned recently. And re-coded. It’s looking fresh and whatnot, but I’m not gonna talk about the site’s design. Well, not visual design anyway.
I’d like to talk about the importance of knowing what the f**k you’re doing if you’re getting paid to do it.
Why? Here’s why: http://www.rtl.hr/data/zyt.was.here.html
Big deal, eh? Well, here’s another gem:
total 84 drwxrwxr-x 14 trikoder trikoder 4096 Nov 13 12:23 . drwxrwxr-x 5 trikoder trikoder 4096 Sep 3 13:49 .. -rw-rw-r-- 1 trikoder trikoder 266 Nov 13 12:23 .htaccess drwxrwxr-x 17 trikoder trikoder 4096 Sep 12 17:13 _templates drwxrwxr-x 2 trikoder trikoder 4096 Sep 8 12:42 admin
...
That’s the begging of rtl.hr’s public_html directory listing in case you’re wondering. No, I don’t have FTP access. Yes, I did manage to run a remote code execution exploit. With nothing else but a web browser.
Takeaway lessons for the Trikoder crew (the guys responsible for the new site):
- disable register_globals
- keep your external libraries up to date!
Good luck and Godspeed, you’ll need it!
P.S.
The Trikoder crew has been contacted with full details on what’s wrong, how to fix it etc.
LMAOOOO
This is what happens when you pitch low :)
So many colours… makes my eyes wet
Oh dear :)