Full Disclosure mailing list archives
Security Mistakes That We And Others Have Made
From: Aux Browser Team <team () auxbrowser com>
Date: Fri, 12 Jul 2013 10:32:13 +0000
When we developed our open source project (http://code.google.com/p/auxbrowser/), we found several common security mistakes.
Security Issue #1 - FEATURE_LOCALMACHINE_LOCKDOWN

If an application uses the Microsoft web browser object to access the internet, it's extremely important to have this enabled.
We made this mistake. Others also made the same mistake. For example, EditPlus uses the web browser object, and it does not have this enabled - it's vulnerable.
Security Issue #2 - SizeOf Used For Buffer Size in Characters

SizeOf is "in bytes", whereas buffer size is "in characters". In the Unicode world, it's wrong to use SizeOf for buffer size in characters.
We made this mistake. Others also made the same mistake. For example: http://delphi.about.com/cs/adptips2001/a/bltip0401_3.htm

...
Buffer: array[0..2047] of Char
...
GetPrivateProfileString('InternetShortcut', PChar('URL'), NIL, Buffer, SizeOf(Buffer), PChar(dir+searchrec.Name))
...

In the end, if you find bugs in our open source project, please contact us. We will put your name in the "Thanks" part here:
http://code.google.com/p/auxbrowser/wiki/TechnicalDetails

Best Wishes,

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
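The SizeOf-versus-character-count confusion from Issue #2, modelled in C as an added example (not code from the post or from the auxbrowser project): copy_value_w, COUNTOF and overstated_chars are constructed here, with copy_value_w standing in for a GetPrivateProfileString-style API whose size parameter counts characters.

```c
#include <stddef.h>
#include <wchar.h>

/* Element count of a fixed-size array: the value a "size in characters"
   parameter expects (Delphi's Length(Buffer), not SizeOf(Buffer)). */
#define COUNTOF(a) (sizeof(a) / sizeof((a)[0]))

/* Stand-in for an API whose size argument is a character count (constructed
   for this example, not the Win32 function): copies at most cch-1 characters
   and always NUL-terminates. Returns the number of characters copied. */
size_t copy_value_w(const wchar_t *src, wchar_t *dst, size_t cch)
{
    size_t n = 0;
    if (cch == 0)
        return 0;
    while (src[n] != L'\0' && n + 1 < cch) {
        dst[n] = src[n];
        n++;
    }
    dst[n] = L'\0';
    return n;
}

/* Audit helper: how many characters past the real end of the buffer a size
   argument lets the callee write (0 when the argument is honest). Passing
   sizeof(buf) for a wchar_t buffer claims sizeof(wchar_t) times the capacity. */
size_t overstated_chars(size_t claimed_cch, size_t buffer_bytes, size_t elem_size)
{
    size_t real_cch = buffer_bytes / elem_size;
    return claimed_cch > real_cch ? claimed_cch - real_cch : 0;
}

/* Correct call site: a 16-character buffer with its capacity passed in
   characters, so an over-long value is truncated rather than written past the
   end. Returns the length of what landed in the buffer. */
size_t read_with_countof(const wchar_t *src)
{
    wchar_t buf[16];
    return copy_value_w(src, buf, COUNTOF(buf));   /* not sizeof(buf) */
}

/* Same buffer with the size argument computed the buggy way. The call is not
   made; the function reports the excess the callee would have been granted. */
size_t overflow_if_sizeof_used(void)
{
    wchar_t buf[16];
    (void)buf;
    return overstated_chars(sizeof(buf), sizeof(buf), sizeof(buf[0]));
}
```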