SLA.CKERS.ORG
HA.CKERS SLACKING
sla.ckers.org web application security lab forums
If you have some interesting news or want to throw up a link to discuss it, here's the place. Anything is okay, even shameless vendor launches (since that is often applicable to what we work on). 
Revealing Facebook.com source code.
Posted by: sirdarckcat (IP Logged)
Date: August 12, 2007 02:04AM

A friend sent me this link today..

[facebooksecrets.blogspot.com]

The researcher received a "cease and desist" letter after 3 hours xD

anyway..



Edited 1 time(s). Last edit at 08/12/2007 02:06AM by sirdarckcat.

Re: Revealing Facebook.com source code.
Posted by: sirdarckcat (IP Logged)
Date: August 12, 2007 02:11AM

Response by Facebook team (Brandee Barker - ).
[www.techcrunch.com]
Quote:
Hi Nic-
I wanted to clarify a few things in your story. Some of Facebook’s source code was exposed to a small number of users due to a bug on a single server that was misconfigured and then fixed immediately. It was not a security breach and did not compromise user data in any way. The reprinting of this code violates several laws and we ask that people not distribute it further.

Thanks to you and the TC readers for helping us out on this one.

Brandee Barker
Facebook

Re: Revealing Facebook.com source code.
Posted by: id (IP Logged)
Date: August 12, 2007 03:23AM

"violates several laws"

ok..in what countries, and what laws.

I love how the net works, you fuck up once and game over, cannot put the rabbit back in the hat.

-id

Re: Revealing Facebook.com source code.
Posted by: Anonymous User (IP Logged)
Date: August 12, 2007 04:16AM

Haha yes exactly.

btw a quick look shows that the code has holes in it, namely the unsanitized paths. Kinda strange also, because they have a developer network where you can download code. Like this:

[stereodevelopment.com]

Re: Revealing Facebook.com source code.
Posted by: ash (IP Logged)
Date: August 13, 2007 05:02AM

That link, Ronald, what was on it? It's been removed by Facebook ;)

Re: Revealing Facebook.com source code.
Posted by: Anonymous User (IP Logged)
Date: August 13, 2007 05:06AM

Haha that's great.

I just found it through my friend Google, so please don't send a letter to be deceased and resist ^^

Google dork: PHP_ROOT
Google dork: facebook inurl:phpt

Yah there is enough, even in Google cache.

Re: Revealing Facebook.com source code.
Posted by: Anonymous User (IP Logged)
Date: August 13, 2007 05:07AM

Like: [pastebin.ca]

Re: Revealing Facebook.com source code.
Posted by: Anonymous User (IP Logged)
Date: August 13, 2007 05:47AM

Not to cause any stir, but I would suggest they take down this thttpd server also: [pe-ip002.facebook.com]

Cause it has a TON of issues: [www.google.com]

Anyway, thought it was somewhat funny.

Re: Revealing Facebook.com source code.
Posted by: ash (IP Logged)
Date: August 13, 2007 09:30AM

404 Not Found
The requested URL '/v13/' was not found on this server.

Step ahead ;)

Re: Revealing Facebook.com source code.
Posted by: hackathology (IP Logged)
Date: August 13, 2007 09:51AM

Wow, Facebook seems to be very defensive. Most of the sites I visited above seem not to exist, except the facebooksecrets blog.

[hackathology.blogspot.com]

Re: Revealing Facebook.com source code.
Posted by: CrYpTiC_MauleR (IP Logged)
Date: August 13, 2007 12:31PM

ash Wrote:
-------------------------------------------------------
> 404 Not Found
> The requested URL '/v13/' was not found on this
> server.
>
> Step ahead ;)

I think what Ronald was pointing out was "tarhttpd/1.0" old version. I'm surprised the error message is still being displayed though. They were quick to go after the source code issue.

________________________________________________________________________
www.crypticmauler.com
"You must be the change you wish to see in the world."

Re: Revealing Facebook.com source code.
Posted by: ash (IP Logged)
Date: August 14, 2007 06:59AM

Search Code has been released from facebook

[facebooksecrets.blogspot.com]

Re: Revealing Facebook.com source code.
Posted by: Anonymous User (IP Logged)
Date: August 14, 2007 07:08AM

I've got the photo file which shows actual queries to a database. Ghehe... if anyone wants it, send me a PM.

Re: Revealing Facebook.com source code.
Posted by: kuza55 (IP Logged)
Date: August 14, 2007 09:16PM

ash Wrote:
-------------------------------------------------------
> Search Code has been released from facebook
>
> [facebooksecrets.blogspot.com]
> ing.html


From there:
redirect($_SERVER['PHP_SELF'].$qs);

Makes me wonder if probing $_SERVER['PHP_SELF'] elsewhere will yield any results......

Re: Revealing Facebook.com source code.
Posted by: Anonymous User (IP Logged)
Date: August 15, 2007 06:24AM

it probably will Kuza55.

The code here could lead to arbitrary file traversal in theory. Did they exit the script after this code? I can't see it online anymore.
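
An added example, not part of the original thread and not Facebook's code: a hardened form of the `redirect($_SERVER['PHP_SELF'].$qs)` pattern quoted above. `PHP_SELF` includes any path data the client appends after the script name, so the sketch builds the target from `SCRIPT_NAME` and an allowlist, and stops the script after the redirect. The function names, the allowlist and the sample request are assumptions.

```php
<?php
// Added example; function names and the allowlist are hypothetical.

/**
 * Build a same-page redirect target without trusting PHP_SELF.
 * PHP_SELF = SCRIPT_NAME + PATH_INFO, and PATH_INFO is whatever the
 * client appended after the script name in the request URL.
 */
function self_redirect_target(array $server, array $query, array $allowedScripts): string
{
    $script = $server['SCRIPT_NAME'] ?? '';
    // Only redirect to scripts we know; reject anything else outright.
    if (!in_array($script, $allowedScripts, true)) {
        throw new InvalidArgumentException('unexpected script path');
    }
    // Rebuild the query string from parsed parameters so every value is
    // percent-encoded and cannot carry CR/LF or break out of the URL.
    $qs = http_build_query($query, '', '&', PHP_QUERY_RFC3986);
    return $qs === '' ? $script : $script . '?' . $qs;
}

/** Send the redirect and stop, so no code after it runs or emits output. */
function redirect_and_stop(string $target): void
{
    header('Location: ' . $target, true, 302);
    exit;
}

// Constructed request: the client appended extra path data after search.php.
$server = [
    'SCRIPT_NAME' => '/search.php',
    'PATH_INFO'   => '/extra/client-supplied',
    'PHP_SELF'    => '/search.php/extra/client-supplied',
];
$query = ['q' => "a b\r\nc", 'page' => '2'];

// What the quoted pattern would use: the client-controlled suffix is included.
$fromPhpSelf = $server['PHP_SELF'];

// Hardened target: fixed script path, encoded parameters.
$rebuilt = self_redirect_target($server, $query, ['/search.php']);

echo 'PHP_SELF:  ', $fromPhpSelf, PHP_EOL;
echo 'rebuilt:   ', $rebuilt, PHP_EOL;
// In a real handler the last step would be: redirect_and_stop($rebuilt);
```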

Re: Revealing Facebook.com source code.
Posted by: sirdarckcat (IP Logged)
Date: August 15, 2007 09:37AM

The code is still online..
or at least I can still see it, maybe it's my isp cache..

[facebooksecrets.blogspot.com]

I've sent you the code via PM.

Greetz!!

Re: Revealing Facebook.com source code.
Posted by: Anonymous User (IP Logged)
Date: August 15, 2007 09:50AM

Yep thanks, I've got it complete now. Some interesting stuff, it seems they use smarty templating.

Re: Revealing Facebook.com source code.
Posted by: ash (IP Logged)
Date: August 15, 2007 11:34PM

Google removed the site, but look what's on it now ;)

[facebooksecrets.blogspot.com]

but... Google didn't remove it from their cache

[72.14.253.104]



Edited 1 time(s). Last edit at 08/15/2007 11:46PM by ash.

Re: Revealing Facebook.com source code.
Posted by: tx (IP Logged)
Date: August 16, 2007 01:17AM

@ash: lol, might as well make a buck.

-tx @ lowtech-labs.org

Re: Revealing Facebook.com source code.
Posted by: ash (IP Logged)
Date: August 16, 2007 05:51PM

Facebook aren't having luck this week,

[blogs.zdnet.com]

Re: Revealing Facebook.com source code.
Posted by: hackathology (IP Logged)
Date: August 17, 2007 04:17AM

The code is removed from the cache now..

[hackathology.blogspot.com]

Re: Revealing Facebook.com source code.
Posted by: kuza55 (IP Logged)
Date: August 17, 2007 04:37AM

Pastebin to the rescue: [pastebin.ca] (that's the search code)

Re: Revealing Facebook.com source code.
Posted by: ash (IP Logged)
Date: August 17, 2007 08:29AM

Well to be honest this is the last I think we'll see of the facebook errors.

Thumbs Up to Facebook for getting their code removed from every where, even though it wasn't a huge risk I surely wouldn't want my code online.

Re: Revealing Facebook.com source code.
Posted by: Anonymous User (IP Logged)
Date: August 17, 2007 10:01AM

@ash just wait for Google index ^^

Re: Revealing Facebook.com source code.
Posted by: kuza55 (IP Logged)
Date: August 17, 2007 09:58PM

ash Wrote:
-------------------------------------------------------
> Well to be honest this is the last I think we'll
> see of the facebook errors.
>
> Thumbs Up to Facebook for getting their code
> removed from every where, even though it wasn't a
> huge risk I surely wouldn't want my code online.


"every where" being everywhere the majority knows to look. There are still people hosting the code themselves, but they're out of the public eye, *shrug*.

Re: Revealing Facebook.com source code.
Posted by: hackathology (IP Logged)
Date: August 18, 2007 09:52AM

The search code is still up...

[hackathology.blogspot.com]


