Re: store passwords securely in the internet

["Jan G.B." <ro0ot.w00t () googlemail com>]

Hi Andre,

2010/4/6 Andre Pawlowski <sqall () h4des org>:
> Hi guys,
>
> I've written a program to store your passwords secure in a container on a
> server.

> The whole project is written in php. A weak point of the program is the http
> protocol. When the user doesn't use https to transfer the data the passwords
> will send decrypted over the net.
>
> I hope there is any use for this program and I'm glad if anyone of you send
> me any critics or suggestions.


Your script does not properly check the input parameters, except that
strpos('./') check.
There are XSS Bugs which can lead to several vulns.
I didn't check it intensely, but I believe your failing strpos()-test
can lead to a directory traversal attack, which may lead to files
being overwritten without permission (for example destroying someone
else's password-safe or crushing systems config files).

Check out this link
 http://narkolayev-shlomi.blogspot.com/2010/04/directory-traversal-fuzz-list.html

Regards

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------