[Original] "Imperfect development software package": security vulnerabilities in chinabank online banking

Source: Internet
Author: User
http://www.chinabank.com.cn/index/index.shtml

Digression: my latest job at the new company is to plan the whole test team and the test process. Because the company uses Outlook 2003 for internal communication, the Outlook spam filter is very annoying to use: more than 1000 spam mails arrive every day, and the problem was only solved after Shangguan patched it. Website security testing may have similar problems, so this article follows:

Website security testing is particularly important. The author of this article introduced "Cross-Site Scripting injection for yeepay Website Security Testing vulnerabilities" with an example. The specific address is as follows:
Address: http://bbs.51testing.com/thread-113784-1-1.html
Or: the test blog of the fish-selling barbecue: Success!

Today I want to talk about another kind of security test, the "imperfect development software package". In other words, the software version in use is too old and carries its own known security vulnerabilities, yet this software is still used in the project. I will use
http://www.chinabank.com.cn/index/index.shtml to illustrate this problem:
The author of this article has verified that the software packages running on the site have the following problems:
•PHP/4.4.2: this version has possible code execution, SQL injection, and other issues.
•Apache/2.0.58: according to the official website, an attacker may exploit this issue to trigger a denial-of-service condition; reportedly, arbitrary code execution may also be possible.
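The finding above rests on version banners that the server discloses in its own response headers. The following added example (not code from the original post) shows how an operator can audit a captured response for such banners and flag any component older than a minimum-version policy; the sample headers and the policy thresholds are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of the headers an outdated deployment might return.
# The Apache and PHP banners mirror the versions reported in the post;
# the other fields are made up for the example.
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Date: Wed, 19 Mar 2008 08:00:00 GMT
Server: Apache/2.0.58 (Unix) mod_ssl/2.0.58 OpenSSL/0.9.7a
X-Powered-By: PHP/4.4.2
Content-Type: text/html; charset=gb2312
"""

# Assumed policy: the oldest release of each component the operator is
# willing to run. Placeholder numbers for the example; a real policy is
# taken from each vendor's supported-release list.
MIN_VERSIONS = {"apache": (2, 4, 0), "php": (7, 4, 0), "openssl": (1, 1, 1)}

# product/version tokens such as "Apache/2.0.58" or "OpenSSL/0.9.7a"
BANNER_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_-]*)/(\d+(?:\.\d+)*)([A-Za-z0-9]*)")

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))

def extract_banners(raw_headers: str) -> Dict[str, str]:
    """Collect product -> version from the Server and X-Powered-By headers."""
    found: Dict[str, str] = {}
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in ("server", "x-powered-by"):
            continue
        for product, version, _suffix in BANNER_RE.findall(value):
            found[product.lower()] = version
    return found

def audit(raw_headers: str, policy: Dict[str, Tuple[int, ...]] = MIN_VERSIONS) -> List[str]:
    """Return one finding per disclosed component older than the policy,
    plus a note that version banners are disclosed at all."""
    findings: List[str] = []
    banners = extract_banners(raw_headers)
    for product, version in banners.items():
        floor = policy.get(product)
        if floor is not None and parse_version(version) < floor:
            findings.append(f"{product} {version} is below minimum {'.'.join(map(str, floor))}")
    if banners:
        findings.append("version banners disclosed: " + ", ".join(f"{p}/{v}" for p, v in banners.items()))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print(finding)
```

Components that appear in the banner but not in the policy (mod_ssl here) are reported as disclosed but not judged, which keeps the check from guessing about software the policy does not cover.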
According to the author of this article, some other issues found on the online banking site are as follows:
Invalid links:
•/gateway/about_us/2006/20060225.shtml
•/Gateway/about_us/Company/news/2006/2006/20061116.shtml
•/Gateway/about_us/Company/news/2007/jinbihe/scripts/ac_runactivecontent.js
•/Gateway/CSS/index.css
•/Gateway/link.shtml
•/Gateway/gtime/200803 month/2008-3-19.html
•/Gateway/International/demo.shtml
•/Gateway/International/demo_1.shtml
•/Gateway/register/index.shtml
•/Gateway/RMB_card/cardtype.shtml
•/Gateway/security.shtml
•/Mall/Lipin.asp (GET proid=LP01)
•/Mall/Lipin.asp (GET proid=LP02)
•/Mall/Lipin.asp (GET proid=lp03)
•/Wuyouxing.jsp (GET v_mid=1509) // it is unclear what this page was used for before; if it is not needed for the live operation, delete it.
It is hoped that the website will recognise that electronic payment security is very important and will not leave these vulnerabilities in place ^_^
