Car shoppers' credit details exposed in bulk
Kevin Poulsen, SecurityFocus 2003-09-25

At least 1,000 automobile shoppers who submitted online credit applications to any of 150 different automotive dealerships around the U.S. had their personal and financial details exposed on a publicly-accessible website, according to a computer security consultant who stumbled across the privacy gaffe.

Those wascally hackers 2003-09-25
Anonymous (1 replies)
Those wascally hackers 2003-09-26
Anonymous
Car shoppers' credit details exposed in bulk 2003-09-25
Anonymous (2 replies)
Car shoppers' credit details exposed in bulk 2003-09-30
Good Samaritan
Common folks - What this guy did took little knowledge and little time. The code on the page (and we are talking clear text here) referenced a page. He went to that page. He got booted to an admin page. (Admin pages that come with web tools are normally not secured.) He looked at the URL and saw what was getting passed. He wrote a script to increment the values. Done. He got 1000 results. Done. All in all, I would be surprised if he spent more than 20 minutes on it. This guy is a Good Samaritan that's getting jacked because he was concerned about public safety. He's a whistle-blower. He should be protected from those that would rather us keep our heads in the sand. Please note that he didn't advertise his name and he informed a legit security group of this hole... i.e. no fame, no celebrity... just one guy who knows, trying to protect those who don't. If we made it a habit of putting those people in jail, we would still have child labor and no environmental protection.


Link to this comment: http://www.securityfocus.com/comments/articles/7067/22710#22710
Shame on you, Security Focus? 2003-09-26
Anonymous (2 replies)
Shame on you, Security Focus? 2003-09-28
Anonymous
Shame on you, Security Focus? 2003-09-29
Anonymous
Car shoppers' credit details exposed in bulk 2003-09-26
Grimm (1 replies)
Shame on their IT security? 2003-09-30
Anonymous
CIO = Buffoon 2003-09-26
Anonymous







 

Copyright 2008, SecurityFocus