lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 12 Jul 2013 10:32:13 +0000 From: Aux Browser Team <team@...browser.com> To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk Subject: Security Mistakes That We And Others Have Made When we developed our open source project(http://code.google.com/p/auxbrowser/), we found several common security mistakes. Security Issue #1 - FEATURE_LOCALMACHINE_LOCKDOWN If an application uses Microsoft web browser object to access internet, it's extremely important to have this enabled. We made this mistake. Others also made the same mistake. For example, EditPlus uses web browser object, and it does not have this enabled - it's vulnerable. Security Issue #2 - SizeOf Used For Buffer Size in Characters SizeOf is "in bytes", when buffer size is "in characters". In the Unicode world, it's wrong to use SizeOf for buffer size in characters. We made this mistake. Others also made the same mistake. For example: http://delphi.about.com/cs/adptips2001/a/bltip0401_3.htm ... Buffer: array[0..2047] of Char ... GetPrivateProfileString('InternetShortcut', PChar('URL'), NIL, Buffer, SizeOf(Buffer), PChar(dir+searchrec.Name)) ... In the end, if you find bugs in our open source project, please contact us. We will put your name in the "Thanks" part here: http://code.google.com/p/auxbrowser/wiki/TechnicalDetails Best Wishes, _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists