by HelloTech
1. The CMS installed on this site is outdated. It has several exploits. Please update this for everyone's privacy. Such as exposing your SQL database password. (Login: s**/Password: p**)
2. The CMS application also has several vulnerabilities that would allow forum users to DDoS and/or run unrestricted JavaScript.
3. There are multiple ports to the domain that should be secured; I would speak to BWF about closing them.
4. The domain registrar contains your personal e-mail address. This should be removed.
5. Obfuscate your JavaScript.

5. Obfuscating JavaScript is not an issue, as the JavaScript used is not sensitive, and neither is obfuscation of JavaScript a reliable protection against determined attempts to unobfuscate. It'll be given serious consideration going forward in new works and updates, as opposed to it being a "fix it right this instant" problem.
4. That is not our personal e-mail address, but no e-mail of ours should have been shown in the first place. We're contacting BWF to double check this.
3. Contacted BWF regarding ports. Their initial conclusion is the current open ports are fine and needed given the server and its services. Will follow up privately with BWF about each port to ensure their validity and security.
2. Currently investigating the DDoS and/or unrestricted JavaScript.
1. The source of the password exposure was quickly fixed after an investigation. The affected password has since been changed. Additional follow-up testing will be done to ensure it really is fixed. The "CMS" is actually a framework, and is currently up to date in every respect possible. That's not to say it can't have vulnerabilities, since security issues are constantly uncovered and fixed even in the most modern of applications. We are grateful for your discovery and reporting of this vulnerability, as opposed to a malicious user being the first to find this issue.