#1
http://www.agavegroup.com
I'm interested in getting a bit of feedback on a recent redesign of my personal site:
agavegroup.com. I use the site as my portfolio (this is the place of future development) as well as to write a handful of articles on ideas/projects (in blog format), and as a home to an informal forum. I recently redesigned the site, removing a lot of the blogged articles, and have begun fresh new content. The redesign involved using Wordpress as a CMS, and I am interested in any feedback about the design, navigation etc. Thanks!
#2
I love the rollover effect, it's really cool in the nav bar! And the onclick event as well in the nav bar. Nice job, keep up the good work.
#3
Nice layout, yet you spelled development wrong in About: devlopment
__________________
Regards, E. Luten. Information: C, C++, STL, Boost, OpenMP, Scriptionary, Google. Book of the moment: Mastering Algorithms with C by Kyle Loudon. Interesting/Fun: CODE: The Hidden Language of Computer Hardware and Software by Charles Petzold. For Leisure: 1984 by George Orwell.
#4
Thank you! Somehow I missed that misspelling (and on the front page!). I've made the fix (having a CMS suddenly seems like it was a good idea...)
#5
Your site isn't secure. I hacked it and already found the names of fields and tables in your database.
Need proof? Table Name: wp_posts Field Name: post_parent, post_status
__________________
Being educated does not make you intelligent
#6
How is that proof? All you need to do is look at the Wordpress source that's free for anyone to download.
__________________
I'm moving to Theory, everything works there.
#7
You're right... I didn't know what I was doing.
#8
Why are you using Yahoo sites to process your forms? Your "contact" form is insecure, too. You're not filtering the subject for newlines, and that allows anyone to add headers and content to the messages your server sends out. I can use it to spam people, all from your site.

$subject = str_replace(array("\n","\r"), '', $subject); // strip CR and LF so the subject cannot start a new header line

---John Holmes...
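The newline-stripping fix above, carried a bit further as an added example that is not code from the thread or from the agavegroup.com site: it is written in Python rather than the form's PHP, rejects a header field that contains CR/LF instead of silently repairing it, keeps the recipient address fixed on the server side, and runs a detection pass over a few constructed submissions (sample data, not real traffic). The addresses and the 200-character cap are assumptions for illustration.

```python
import re
from email.message import EmailMessage

# Constructed sample form submissions (not real traffic from the site under review).
SAMPLE_SUBJECTS = [
    "Question about your portfolio",
    "Hello\r\nBcc: third-party@example.invalid",   # CRLF ends the Subject line and starts a new header
    "Hello\nCc: third-party@example.invalid",      # a bare LF is accepted as a line break by many MTAs
    "Hello\r\n\r\nUnsolicited body text",          # a blank line ends the headers, so the body is replaced too
]

# Characters that terminate or truncate a header line. NUL is included because
# some C-based mail pipelines stop reading the string there.
HEADER_BREAK = re.compile(r"[\r\n\x00]")


def is_header_safe(value: str) -> bool:
    """True when a user-supplied value can be placed in a mail header as-is."""
    return HEADER_BREAK.search(value) is None


def sanitize_header_field(value: str, max_len: int = 200) -> str:
    """Equivalent of the str_replace() fix from the thread, plus whitespace
    collapsing and a length cap (assumed value) so an oversized subject cannot
    bloat the headers."""
    cleaned = HEADER_BREAK.sub("", value)
    cleaned = re.sub(r"\s+", " ", cleaned).strip()
    return cleaned[:max_len]


def build_contact_message(sender: str, subject: str, body: str) -> EmailMessage:
    """Assemble the outgoing message. The recipient is fixed on the server side and
    never taken from the form; header-bearing fields are validated, and an attempt
    at header injection is rejected outright rather than silently repaired."""
    if not (is_header_safe(sender) and is_header_safe(subject)):
        raise ValueError("CR/LF in header field: possible mail header injection")
    msg = EmailMessage()
    msg["To"] = "owner@example.invalid"          # placeholder address for this example
    msg["Reply-To"] = sender
    msg["Subject"] = sanitize_header_field(subject)
    msg.set_content(body)                        # body goes in the MIME body, never in a header
    return msg


def triage_submissions(subjects):
    """Detection view: indexes of submissions that would have injected headers,
    e.g. for a log review or an alert on the form handler."""
    return [i for i, s in enumerate(subjects) if not is_header_safe(s)]


if __name__ == "__main__":
    for i in triage_submissions(SAMPLE_SUBJECTS):
        print(f"submission {i}: rejected, {SAMPLE_SUBJECTS[i]!r}")
    print(build_contact_message("visitor@example.invalid", SAMPLE_SUBJECTS[0], "Hi!"))
```

Rejecting rather than repairing is the deliberate choice here: a subject containing a CR or LF is never legitimate input from a form field, so it is worth refusing the submission (and logging it) instead of letting the stripped remainder through; the sanitizer still runs on accepted values as a second layer.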
#9
I point out vulnerabilities to people. If they want to contact me about how I did it, they can PM me. I'm not going to publicly post how I bypassed someone's security, so some idiot can go do exactly what I did and steal or delete that person's information. If people spent 1/2 as much time implementing security into their application as they do pondering the look and feel of their site, then SQL Injection, XSS, Parameter manipulation, etc... wouldn't continue to be a major problem. You seem to be a major member of this board, so I would expect you to understand why a) I didn't explain how I attacked the site and b) why security is such an important issue that needs to be addressed.
#10
I never said you didn't do it, I said your proof wasn't proof. Hypothetically, if I wanted to scare someone into giving me root access to their server I would use your tactic. I know they are using wordpress, so all I have to do is look through wordpress's database creation code to see what tables it creates and then tell the user I got it by hacking their site, with no evidence of the sort. Then tell them I can fix it, just give me access. I may fix their problem but leave a backdoor for myself.
What sepodati does is show them exactly how their site is insecure and how it can be exploited, that's proof.
#11
I'll say it again...
#12
---John Holmes...
#13
Thanks for this. I'll update soon. I greatly appreciate the detailed solution!
Unfortunately I don't seem to be able to send PMs on this discussion board... Though I seem to be able to receive them... I'd be interested to hear what you did, would you mind sending me a PM with an email? I'm a front-end guy (which isn't an excuse..) so I'm lacking expertise in security etc. (in my contract work I operate with a "back-end" guy when necessary, but I didn't go down this path on my personal site). So all security discussions are very welcome. PR agavegroup