So, after seeing this last night about them leaking their own database login (http://www.reddit.com/r/Bitcoin/comments/1didas/is_butterfly_labs_sql_password_adminbtl123/), I decided to have some fun and poke around the site.

Just for fun, here's what I found:

- Directory Listing Enabled
-- Interesting directories:
--- http://www.butterflylabs.com/upload/
--- http://www.butterflylabs.com/images -
--- http://www.butterflylabs.com/images/users/ <-- What the hell is this stuff? Personal files and photos?
- 2 vulnerable tiny_mce plugins (both vulnerabilities have been fixed for ages, they haven't updated)
-- archiv and it's swfupload XSS. There's 2 seperate XSS' here, using 2 different parameters.
--- using movieName: --- using buttonText: -- media plugin uses vulnerable moxieplayer.swf: - Their site was copied from Webspawner.
-- Some proof: http://butterflylabs.com/images//admin/admin_logo.png - http://www.webspawner.com/admin/login
-- Admin login page: http://butterflylabs.com/admin

Don't trust a company this amateur.

EDIT: Congratulations on the fast fixes. Now disable directory listing @ https://support.butterflylabs.com/
EDIT 2: Everything's fixed. Stay on your toes BFL... I'm not done