Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Security Mistakes That We And Others Have Made

From: Aux Browser Team <team () auxbrowser com>
Date: Fri, 12 Jul 2013 10:32:13 +0000
When we developed our open source project(http://code.google.com/p/auxbrowser/), we found several common security mistakes. 

Security Issue #1 - FEATURE_LOCALMACHINE_LOCKDOWN
If an application uses Microsoft web browser object to access internet, it's extremely important to have this enabled. 

We made this mistake. Others also made the same mistake.
For example, EditPlus uses web browser object, and it does not have this enabled - it's vulnerable. 

Security Issue #2 - SizeOf Used For Buffer Size in Characters

SizeOf is "in bytes", when buffer size is "in characters".
In the Unicode world, it's wrong to use SizeOf for buffer size in characters. 

We made this mistake. Others also made the same mistake.

For example:
http://delphi.about.com/cs/adptips2001/a/bltip0401_3.htm
...
Buffer: array[0..2047] of Char
...
GetPrivateProfileString('InternetShortcut',
            PChar('URL'), NIL, Buffer, SizeOf(Buffer),
            PChar(dir+searchrec.Name))
...
In the end, if you find bugs in our open source project, please contact us. We will put your name in the "Thanks" part here: 
http://code.google.com/p/auxbrowser/wiki/TechnicalDetails

Best Wishes,

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: