
Project Euler Humble Return

254 points, by nemesisrobot, almost 10 years ago

16 comments

daguava, almost 10 years ago
You can list what problems you've solved by showing an image generated for you.

Ex) https://projecteuler.net/profile/daguava.png

But you can also use this to quickly test the status of accounts.

For example, I was able to find Euler is an admin account by trying

https://projecteuler.net/profile/euler.png

It tells you it's admin in the image, why?

Edit: Wonder if they're exposing some vulnerability with the HTTP 300 Multiple Files they're returning.

If you try something like this: https://projecteuler.net/profile/.wat

the page confirms a .htaccess file exists at https://projecteuler.net/profile/.htaccess; we also find one at https://projecteuler.net/.htaccess

While currently inaccessible, this is a significant information leak.

All directories allow this, so you can do some digging to find what files exist.

Edit 2: While logged in, you can enumerate all usernames with a skill level attached by using URLs like

https://projecteuler.net/level=1

If you try changing the level to a period, the page conveniently tells you there are over 118k users in total (listing the first 10k), and MAY even show accounts without levels, but I'm not sure.

Combine this with the profile image URLs above and you may be able to find more admin account usernames if they have levels associated with them.
Comment #10026420 not loaded
Comment #10028458 not loaded
Comment #10027864 not loaded
aikah, almost 10 years ago
Open source that site. Vet a few devs to have access to the source to begin with, then open-source it. Or even better, let the community rewrite the source from scratch. How hard can it be? And there are often a lot of people willing to contribute to open-source projects.
Comment #10026895 not loaded
mindcrime, almost 10 years ago
OK, well, here's an initial observation:

1. Your login page leaks information, as it returns "username not found" if you enter an invalid username. This is a bad idea. Better to simply say "login failed" in any case. Now, thanks to a few minutes of playing around, I have a fairly good idea that "admin" is a valid username on projecteuler.net. For the sake of argument, let's assume that's a real account, and actually has some administrative access... that's a bad idea. "Security through obscurity" is oft derided, but no sense making it easy for the bad guys. Make your admin username "flummoxedrabbit" or something that nobody bothers trying. As it is, I'm hoping this "admin" account is a dummy or a honeypot or something, but if it isn't, I definitely encourage you to change that and quit leaking username validity information.

2. From the limited testing I did, it doesn't appear that you limit the number of failed login attempts. Or if you do, the login limit is awfully high. I tried logging in 10 times and as far as I can tell, I could have kept going. If there really is no limit, it's probably not that hard to brute force your password. There are plenty of scripts and browser plugins to sit there and try to login repeatedly, trying to brute force forms like that.

3. In addition to limiting the number of login attempts, it's possibly a good idea to add a steadily increasing delay before accepting another login try from the same IP address, after each failed login. This will slow down at least some attempts to brute force your password.

4. You could consider some sort of Multi-Factor Authentication setup.

5. You could also consider adding code to do something similar to what fail2ban does, and automatically block connections from an IP where more than X failed logins originate in some period of time.
Comment #10026202 not loaded
Comment #10026406 not loaded
Comment #10026225 not loaded
Comment #10026279 not loaded
Comment #10026210 not loaded
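Four of the five measures mindcrime lists (MFA aside), as an added Python example that is not part of this thread or of projecteuler.net's code: one "login failed" message for unknown usernames, wrong passwords and throttled clients, a dummy hash computed for unknown users so response time does not reveal username validity, a steadily increasing per-IP delay after each failure, and a fail2ban-style block once an IP passes a failure threshold. The user store, salt, password, thresholds and IP addresses are constructed sample values.

```python
import hashlib
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 5      # fail2ban-style threshold per source IP (constructed value)
BLOCK_SECONDS = 600   # how long that IP is blocked once it hits the threshold


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store: username -> (salt, PBKDF2 hash).
SALT = b"constructed-sample-salt"
USERS = {"flummoxedrabbit": (SALT, _hash("correct horse", SALT))}
# Hash used for unknown usernames, so an unknown name costs the same time as a known one.
DUMMY_HASH = _hash("placeholder", SALT)


class LoginGuard:
    """Per-IP throttling and lockout around a password check; the clock is injectable for tests."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(int)  # ip -> consecutive failed attempts
        self.not_before = {}              # ip -> earliest time another attempt is accepted

    def retry_after(self, ip: str) -> float:
        return max(0.0, self.not_before.get(ip, 0.0) - self.clock())

    def attempt(self, ip: str, username: str, password: str) -> str:
        now = self.clock()
        if now < self.not_before.get(ip, 0.0):
            return "login failed"  # throttled or blocked: same message, nothing revealed
        salt, stored = USERS.get(username, (SALT, DUMMY_HASH))
        # Always run the hash and the constant-time compare, even for unknown users.
        ok = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
        if ok:
            self.failures.pop(ip, None)
            self.not_before.pop(ip, None)
            return "ok"
        self.failures[ip] += 1
        n = self.failures[ip]
        # Steadily increasing delay (1, 2, 4, 8 s ...) until the threshold, then a long block.
        wait = BLOCK_SECONDS if n >= MAX_FAILURES else 2 ** (n - 1)
        self.not_before[ip] = now + wait
        # One message whether the username was unknown or the password was wrong.
        return "login failed"
```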
dyoo1979, almost 10 years ago
It would be nice if source were provided, so that we can do a whitebox analysis. I don't have confidence that there is one single point of failure here, given that the site has already been compromised multiple times.
Comment #10026046 not loaded
trengrj, almost 10 years ago
Part of me learning to code was by going through the challenges on Project Euler, and I always get a sense of nostalgia when reading about it.

It is a pity it keeps getting hacked. I think that the site owners are more interested in algorithms and mathematics than mundane engineering. It would probably be a good idea to open source the site.
Comment #10027110 not loaded
klekticist, almost 10 years ago
Despite the whole situation being rather embarrassing, it seems like they're handling this quite well. Whitehat to the rescue!
edem, almost 10 years ago
I don't get why someone would hack Project Euler.
Comment #10025640 not loaded
Comment #10025837 not loaded
Comment #10025968 not loaded
brokentone, almost 10 years ago
The ultimate Project Euler challenge!
aesthetics1, almost 10 years ago
Cue thousands of determined hackers descending on Project Euler! It would be great if the community could find the exploit and save the site.
Comment #10025302 not loaded
Comment #10026043 not loaded
kelukelugames, almost 10 years ago
I can't wait for someone to figure out the exploit. Very excited. Go crowdsourcing!
Houshalter, almost 10 years ago
I am unable to log in to my account, so I'm not able to test this. But if I remember correctly, this site used a poor captcha. There has been a lot of advancement in captcha-breaking software in recent years. If they used some kind of custom captcha to prevent password guessing, then it's not extremely secure.
sfrank2147, almost 10 years ago
Does anyone know how Project Euler was storing the passwords?
Comment #10025403 not loaded
logicrime, almost 10 years ago
Haven't they been wrecked once before this most recent incident?

I find it concerning that folks are so eager to rush back into a warzone when they know it's not safe. Piling onto a recovering website after a cyberattack is akin to running back into a field where landmines were found. Maybe somebody was able to remove a landmine or two, but wouldn't it be wiser to just walk around it?
Comment #10025801 not loaded
kiba, almost 10 years ago
I checked the license. It appears that the content is licensed under Creative Commons Attribution-NonCommercial.

I haven't found any indication that the website behind Project Euler is open source or follows open source development processes.
Comment #10025330 not loaded
zajd, almost 10 years ago
It's a shame the maintainer of the site is going to let it fall into obscurity instead of just adopting more modern development practices.

Edit: Such as allowing people to audit the source of the site as opposed to requesting pentesting.
Comment #10025475 not loaded
Comment #10025343 not loaded
Comment #10025772 not loaded
goldenkey, almost 10 years ago
Why is Project Euler not on GitHub? Yeah... no one's gonna help unless you open-source your project, buddy.
Comment #10025458 not loaded
Comment #10025667 not loaded
Comment #10025924 not loaded