
Security of the forum

2 questions:

1) How does having a "?" in the URL make a website more susceptible to hacking?

2) Why would anyone want to hack into the discussion forums of the Actuarial Education Company?
 

Finally, a question here which actually comes within my area of expertise.

The forum is essentially a collection of scripts which generate a web page each and every time you browse/download a page (this is distinct from a static file or page - like say an image - which is stored once and then served out multiple times). The information contained after the ? is input to the script - if it is not properly protected or filtered, a cracker could use that information to access vital system files or parts of the database to gain access to the parts of the system you don't want him on.

On point 2 - there are any number of reasons why someone might target the ActEd forums - there is also the possibility that the forum software could be used as a back door into the main ActEd webserver - and it is also possible that the cracker is not interested in targeting ActEd per se but merely using the server as a gateway to cracking something else. Clifford Stoll wrote a book some years back in which he discussed how he'd investigated a cracking incident where hackers from the KGB had used several intermediate servers in an attempt to hack into US military computers over the internet.
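An added example, not part of the original posts and not the forum software's own code: one way a script can treat everything after the "?" as untrusted before it reaches the database or the file system, as the reply above describes. The parameter names `t` and `file`, the `threads` table and the attachment directory are hypothetical.

```python
import sqlite3
from pathlib import Path
from urllib.parse import urlsplit, parse_qs

ATTACH_ROOT = Path("/srv/forum/attachments")  # hypothetical upload directory

def make_db():
    # Constructed in-memory database standing in for the forum's real one.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE threads (id INTEGER PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO threads VALUES (42, 'Security of the forum')")
    return db

def params(url):
    # Everything after "?" arrives as strings chosen by the client.
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def thread_title(db, url):
    raw = params(url).get("t", "")
    # Accept only a short run of ASCII digits; anything else is rejected.
    if not (raw.isascii() and raw.isdigit()) or len(raw) > 9:
        return None
    # The value is bound as a parameter, never pasted into the SQL text.
    row = db.execute("SELECT title FROM threads WHERE id = ?",
                     (int(raw),)).fetchone()
    return row[0] if row else None

def attachment_path(url):
    name = params(url).get("file", "")
    if not name:
        return None
    root = ATTACH_ROOT.resolve()
    # Resolve "..", absolute paths and symlinks, then require the result
    # to stay strictly inside the attachment directory.
    candidate = (ATTACH_ROOT / name).resolve()
    if candidate == root or not candidate.is_relative_to(root):
        return None
    return candidate

if __name__ == "__main__":
    db = make_db()
    base = "http://forum.example/showthread.php"  # constructed URL
    print(thread_title(db, base + "?t=42"))
    print(thread_title(db, base + "?t=42%20OR%201%3D1"))
    print(attachment_path(base + "?file=notes.pdf"))
    print(attachment_path(base + "?file=..%2F..%2F..%2Fetc%2Fpasswd"))
```

Both checks fail closed: a value that does not match the expected shape returns `None` instead of being passed through in a cleaned-up form.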
 