The Security Reporting Conundrum @ 2008-10-22 23:03:43
Filed under: Frustration Security Tech
I'm sitting here browsing the web and I come across an XSS in a popular hosted website/application. My immediate reaction is to alert the company ... but then I think about it .... some companies get offended when you report security issues or, worse yet, freak out and think you're some kind of evil guy when all you're trying to do is be helpful.
No one should have to think about it this way. If you see someone leave their keys in their door they won't freak out if you knock on their door and tell them ... they are happy! If someone leaves their front door open and you point it out they are thankful you caught it before someone walked in. Reporting a security vuln should work like that ... companies should be happy they get the report!
In the end I think I'll go ahead and report it to them. If they freak out then, well, they freak out ... I should do the right thing.
php-suhosin.spec @ 2008-04-20 12:49:29
Filed under: Code Fedora Linux Security Tech
My previous PHP post made me want to package up suhosin. If you use PHP and use an RPM based distro I encourage you to take the spec, test it out and then maintain it. I might maintain it if I have to do anything PHP-wise again but at the moment there isn't anything. You can snag the spec here.
Stop the PHP Insanity @ 2008-04-20 12:17:41
Filed under: Code Security Tech
I was browsing a radical leftist website (it was in the news and I was curious as to what they were touting) when I came across their phpinfo();. Anyone who has either written anything in PHP or attempted to secure PHP code knows that phpinfo(); prints out a lot of information in the form of HTML. As I sat there looking at the page two things jumped out at me ....
1. They were using an old, unpatched version of FreeBSD
2. Globals were turned on. Really ... they were!
This just continues to show that people are more interested in features than they are in keeping their data/site/content/etc. safe. True, maybe they have no clue that globals and running old, unpatched versions of OSes are bad ideas ... but still, simple Google searches reveal this stuff!
Now, I'm not going to sit here and bash PHP as it has come a long way in a short amount of time. But please, practice safe PHP!
Thinking With Security In Mind @ 2008-03-21 17:21:24
Filed under: Security Tech
This is right on the spot. For a lot of people thinking with security in mind is very foreign.
Yet Another Web App Issue @ 2008-02-10 19:42:25
Filed under: Code Security
Just wanted to inform you that, at the very least, adding a ' to some URLs
on your site exposes that you are using a Microsoft Jet Database and might
also allow someone to modify or inject query items.
Example:
URL: http://SCRUBBED.asp?id=17'
Response:
Microsoft JET Database Engine error '80040e14'
Syntax error in string in query expression 'ID=17';'.
SCRUBBED.asp, line 14
If possible, it's best practice to sanitize input that comes in via the web as well as hide the
database errors so that only necessary information is shown to the user (for instance a
404 or 'record does not exist' instead of part of the query and information on the database).
--
"An organisation that treats its programmers as morons will soon have
programmers that are willing and able to act like morons only."
-Bjarne Stroustrup
Ug ... it's 2008 and these issues still show up! Whenever I happen to see this type of stuff I feel that I must notify the owner .... let's hope that they are thankful and not mad that a friendly person found the issue and not someone who wanted to exploit it.
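The two fixes the report recommends (validate and bind the input instead of concatenating it, and return a generic message instead of the engine's error) are shown below as an added example; it is not the site's code or anything from the original post. It uses Python with an in-memory SQLite table as a constructed stand-in for the Jet database behind the scrubbed .asp page, and the `DB_ERROR_MARKERS` list is an assumed set of strings a site owner might grep their own responses for.

```python
import logging
import re
import sqlite3

log = logging.getLogger(__name__)

# Signature strings a site owner can scan their own responses for. The Jet
# strings come from the report above; the generic one is an assumption.
DB_ERROR_MARKERS = (
    "Microsoft JET Database Engine error",
    "Syntax error in string in query expression",
    "Database Engine error",
)


def make_db():
    """Constructed stand-in for the Jet database: one table, one row (id 17)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO items (id, name) VALUES (17, 'widget')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, raw_id):
    """Concatenates the query-string value into SQL and echoes engine errors.

    This reproduces the behaviour described in the report, for comparison only.
    """
    sql = "SELECT name FROM items WHERE id=" + raw_id
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # The raw engine message reaches the browser, including the broken query,
        # which is exactly the disclosure the report's 17' example produced.
        return 500, f"Database Engine error: {exc} in query {sql!r}"
    return (200, row[0]) if row else (404, "record does not exist")


def lookup_hardened(conn, raw_id):
    """Validates the id as a small integer, binds it as a parameter, and never
    reveals engine details to the client."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        # No record can have a non-numeric id, so answer exactly as for a miss
        # (the 'record does not exist' response the report suggests).
        return 404, "record does not exist"
    try:
        row = conn.execute(
            "SELECT name FROM items WHERE id=?", (int(raw_id),)
        ).fetchone()
    except sqlite3.Error as exc:
        # Detail goes to the server log; the client gets a generic message.
        log.error("lookup failed for id %r: %s", raw_id, exc)
        return 500, "internal error"
    return (200, row[0]) if row else (404, "record does not exist")


def leaks_db_error(body):
    """True if a response body carries a database error signature; useful when
    auditing one's own pages for the disclosure described in the report."""
    return any(marker in body for marker in DB_ERROR_MARKERS)


if __name__ == "__main__":
    db = make_db()
    for handler in (lookup_vulnerable, lookup_hardened):
        for qs_id in ("17", "18", "17'"):
            status, body = handler(db, qs_id)
            print(f"{handler.__name__:18} id={qs_id!r:6} -> {status} {body}")
```

Running the script shows the same `17'` input producing an engine error through `lookup_vulnerable` and a plain "record does not exist" through `lookup_hardened`; the parameter binding is what stops the quote from changing the query, and the validation in front of it is what keeps a malformed id from ever reaching the engine.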