Re: [Debian-audit] Non-Debian vulnerabilities.

From: Steve Kemp <steve_at_shellcode.org>
Date: Sun, 16 Jan 2005 19:37:37 +0000

On Sun, Jan 16, 2005 at 08:26:37PM +0100, Ulf Härnhammar wrote:
> When talking about obscure and unlikely vulns, here is a Debian advisory from
> elder days with the same type of GECOS bug that I just found in xshisen:
>
> http://www.debian.org/security/1997/19970220.en.html

  Interesting, seems like screen's had a few problems over the years.
 Still something I use every day and trust though!

> I used to audit lots of web applications a few years ago, and I remember that
> Albrecht from PHProjekt got really angry when I posted this:
>
> http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2002-04/0362.html
>
> He had tried to cover up some of the issues by patching them but not including
> them in the ChangeLog!

  hehe.

> Sometimes when you audit web applications, the developers have never
> heard terms like Cross-site Scripting and SQL Injection before, so you
> might have to explain stuff to them.

  I tried to come up with an online demonstration of XSS attacks
 but I kinda lost interest before making it pretty:

        http://www.steve.org.uk/Hacks/XSS/

  I'm sure it'd be a nice thing to point people at if it was more
 pretty and interactive. *shrugs*

  A similar idea could be used for SQL injection, but I never
 got round to working out how to do it in a good way - without
 actually exposing a database.

> All C programmers have at least heard of buffer overflows.

  Not all of them, sadly. I remember reporting a problem in a
 package which wasn't relevant to Debian - it was in a Win32-specific
 piece of code added by a porter.

  I reported it upstream and it was never fixed.. Apparently they
 don't exist under Windows because of Microsoft's security protection
 in their compilers .. *sigh*

Steve

--
Received on Sun Jan 16 2005 - 19:37:38 GMT
