Security Basics mailing list archives
Re: store passwords securely in the internet
From: Andre Pawlowski <sqall () h4des org>
Date: Sun, 11 Apr 2010 14:09:30 +0200
I just checked the code if the XSS bug need to be fixed fast (because I have litte time at the moment). Even I only check strpos('./') there is no security hole at all. If the attacker can change the directory and want to write in a system file, the program decrypts the system file first and check the header of the decrypted part for an entry of the program itself (with this entry the program can check the success of the decryption). First of all the decryption will fail and second the header of the program is not inside the system file. So the program will abort everything and writes an error message. Of course I will add more checks to the program, but I did not see any vulnerability. Andre Pawlowski ------------------------------------------------------------------- Ordnung braucht nur der Dumme, das Genie beherrscht das Chaos. -Albert Einstein On 04/09/2010 05:55 PM, Jan G.B. wrote:
Hi Andre, 2010/4/6 Andre Pawlowski <sqall () h4des org>:Hi guys, I've written a program to store your passwords secure in a container on a server.The whole project is written in php. A weak point of the program is the http protocol. When the user doesn't use https to transfer the data the passwords will send decrypted over the net. I hope there is any use for this program and I'm glad if anyone of you send me any critics or suggestions.Your script does not properly check the input parameters, except that strpos('./') check. There are XSS Bugs which can lead to several vulns. I didn't check it intensely, but I believe your failing strpos()-test can lead to a directory traversal attack, which may lead to files being overwritten without permission (for example destroying someone else's password-safe or crushing systems config files). Check out this link http://narkolayev-shlomi.blogspot.com/2010/04/directory-traversal-fuzz-list.html Regards
------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- Re: store passwords securely in the internet, (continued)
- Re: store passwords securely in the internet Adam Mooz (Apr 07)
- Re: store passwords securely in the internet Andre Pawlowski (Apr 07)
- Message not available
- Re: store passwords securely in the internet Adam Mooz (Apr 12)
- Re: store passwords securely in the internet Andre Pawlowski (Apr 07)
- Re: store passwords securely in the internet Adam Mooz (Apr 07)
- Re: store passwords securely in the internet Patrick Cornelissen (Apr 12)
- Re: store passwords securely in the internet Adam Mooz (Apr 13)
- Re: store passwords securely in the internet Patrick Cornelissen (Apr 12)
- Re: store passwords securely in the internet Eric Furman (Apr 13)
- Re: store passwords securely in the internet Adam Mooz (Apr 13)
- RE: store passwords securely in the internet Lauren Twele (Apr 13)
- Re: store passwords securely in the internet Adam Mooz (Apr 13)
- Re: store passwords securely in the internet Andre Pawlowski (Apr 12)
- Re: store passwords securely in the internet Andre Pawlowski (Apr 12)
- Re: store passwords securely in the internet Tristan Mott (Apr 14)