All righty, I could use some help.
I'm developing a system that allows creators to access
their files using a browser, so that there's no need
to futz around with ftp or rcp.
The basic framework of it seems to work ok. It's
just a set of CGI scripts running from the built-in
webserver.
However, I'm not that comfortable releasing this
yet. I got the thing to work, and I *think* that
it's able to prevent creators from reading each other's
stuff, but I'm not really that sure. It's my first
time messing around with this sort of stuff, and
I could use the help of some folks willing to try
to break stuff.
So, here's my request.
Please telnet to alcatraz.wolfpaw.net port 8000,
make a character, and choose to become a creator when asked.
Once your creator character is in place, use
your favorite browser to navigate to:
http://alcatraz.wolfpaw.net:8001/cgi/login.html
And log in using that character's name and password.
You will be logged in and able to browse your
files and upload stuff, too, just using the browser.
Now, don't bother telling me how ugly you think it
is...this is a functionality test, and here comes
the good part.
What I need you to do is...break it. Break the
security, try to access and preferably even modify
other people's files. If you can, try to modify
stuff on the lib itself. Before I can feel comfortable
suggesting to people to use this system, I want to
feel relatively sure that it at least is not
trivial to circumvent.
Obviously I am not asking you to hack that server itself.
It doesn't belong to me and if you did so it would make
things unpleasant for me.
I just want help seeing how vulnerable the current
experimental version of CreWeb is to exploits.
Thanks!
-Crat