Thoughts on building a website

  Recently, I found a website that had some security problems. I think some of them are common problems.

  This website is large and I like it very much. I found that its IP address and port were exposed. It is a Tomcat port. When I entered the directory address, I found that they had not forbidden directory viewing! So I could view all the contents under the directory. There was some secret information in the subdirectories. I could enter some parts of the website with administrator authority.

  I sent three emails to the administrator of the website, but after almost 10 days they still had not received these three emails. (Later, I learned this was because the email address was full of thousands of letters; of course, I think most of them were junk mail. So they did not check that mailbox at all.)

  At last, I sent an email to a system user, attaching a picture showing that I had entered the management function of the website. Then they knew.

  From the above, I think:

1. The communication between the website and its users must not be blocked;

2. Don't expose the IP:PORT to users;

3. Don't expose the location of a database file (*.mdb);

4. User passwords must be MD5ed;

5. A non-hacker should not enter someone else's website with illegal authority, even with good intentions. Remember, even a bird flying across the sky leaves a little trace.