Message-ID: <43FA6DCD.5060802@novell.com>
Date: Mon, 20 Feb 2006 17:33:01 -0800
From: Crispin Cowan <crispin@...ell.com>
To: Cristian Stoica <security@...cms.biz>
Cc: unsecure@...teme.com, bugtraq@...urityfocus.com,
	pen-test@...urityfocus.com,
	"Angelos D. Keromytis" <angelos@...columbia.edu>
Subject: Re: Invision Power Board Army System Mod <= 2.1 SQL Injection Exploit


Cristian Stoica wrote:
>    I have a question:
>    If you use an encryption algorithm to store/get data into/from the
> database you will not be able to do SQL injections?
>    With a simple encryption algorithm, I do it with php explode,
> transform the string into an array and run the algorithm on each
> member of the array.
There are actually several papers on this idea by Angelos Keromytis and
his students & colleagues:

@inproceedings{kc03,
  author    = "Gaurav S. Kc and Angelos D. Keromytis and Vassilis Prevelakis",
  title     = "{Countering Code Injection Attacks With Instruction Set Randomization}",
  booktitle = "Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS 2003)",
  address   = "Washington, DC",
  month     = "October",
  year      = 2003,
}

Crispin
-- 
Crispin Cowan, Ph.D.                      http://crispincowan.com/~crispin/
Director of Software Engineering, Novell  http://novell.com
	Olympic Games: The Bi-Annual Festival of Corruption
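The mechanism Crispin points at, as an added illustration that is not part of the original mail or of the cited paper: the application writes its SQL in a randomized dialect, and a trusted translator strips the tags from legitimate keywords while refusing any keyword that lacks the secret tag, since such a keyword can only have arrived inside user-supplied data. This is the kc03 idea, which the same group later applied to SQL as SQLrand (Boyd and Keromytis, 2004). The toy translator, its keyword list, the tag scheme and the users table are all constructed for this example, and the parameterized-query lookup is included because it is the standard defence the question is really about.

```python
"""Toy 'instruction set randomization' applied to SQL.

Added example for this thread, not code from the original mail or from the
cited paper. The application writes its queries in a randomized dialect, a
trusted translator maps them back to real SQL, and any keyword that lacks the
secret tag is rejected because it can only have arrived inside attacker-
controlled data.

Everything below (the tag scheme, keyword list, table and sample rows) is
constructed for this example.
"""
import re
import secrets
import sqlite3

# A deliberately small keyword set; a real translator would parse full SQL.
KEYWORDS = ("SELECT", "FROM", "WHERE", "AND", "OR", "UNION", "INSERT",
            "UPDATE", "DELETE", "DROP", "TABLE")

# A single-quoted SQL string literal, with '' as the escaped quote.
STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")


class InjectionDetected(Exception):
    """Raised when an untagged keyword appears outside a string literal."""


class RandomizedSQL:
    """Translator between the application's randomized dialect and real SQL."""

    def __init__(self, tag=None):
        # Per-process secret; user-supplied data never learns it.
        self.tag = tag if tag is not None else secrets.token_hex(4)
        alts = "|".join(KEYWORDS)
        self._tagged = re.compile(rf"\b({alts})_{re.escape(self.tag)}\b")
        self._bare = re.compile(rf"\b({alts})\b", re.IGNORECASE)

    def kw(self, keyword):
        """How application code spells a keyword in the randomized dialect."""
        return f"{keyword.upper()}_{self.tag}"

    def derandomize(self, query):
        """Reject bare keywords outside literals, then strip the tags."""
        # Mask string literals first so a value such as 'Or' is not a false hit.
        masked = STRING_LITERAL.sub("''", query)
        hit = self._bare.search(masked)
        if hit:
            raise InjectionDetected(
                f"untagged keyword {hit.group(1)!r} outside a string literal")
        return self._tagged.sub(lambda m: m.group(1), query)


def setup_db():
    """In-memory sqlite3 database with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user"), ("Or", "user")])
    return con


def lookup_role_naive(con, name):
    """The vulnerable pattern: plain SQL with the value concatenated in."""
    query = f"SELECT role FROM users WHERE name = '{name}'"
    return [row[0] for row in con.execute(query)]


def lookup_role_randomized(con, rsql, name):
    """Same concatenation, but written in the randomized dialect."""
    query = (f"{rsql.kw('select')} role {rsql.kw('from')} users "
             f"{rsql.kw('where')} name = '{name}'")
    return [row[0] for row in con.execute(rsql.derandomize(query))]


def lookup_role_parameterized(con, name):
    """The standard fix: the value travels as a bound parameter, never as SQL."""
    query = "SELECT role FROM users WHERE name = ?"
    return [row[0] for row in con.execute(query, (name,))]


def rejects(con, rsql, name):
    """True if the randomized translator refuses to run the query for `name`."""
    try:
        lookup_role_randomized(con, rsql, name)
    except InjectionDetected:
        return True
    return False


if __name__ == "__main__":
    con = setup_db()
    rsql = RandomizedSQL()
    payload = "' OR '1'='1"          # the textbook tautology injection
    print("naive        :", lookup_role_naive(con, payload))
    print("randomized   :", "rejected" if rejects(con, rsql, payload)
          else lookup_role_randomized(con, rsql, payload))
    print("parameterized:", lookup_role_parameterized(con, payload))
    print("benign 'Or'  :", lookup_role_randomized(con, rsql, "Or"))
```

Run it with python3 and the naive lookup returns every role, the randomized translator refuses the query because the injected OR carries no tag, and the bound parameter simply finds no such user. Two caveats a practitioner would want: the toy scan masks only single-quoted literals against a short keyword list, whereas SQLrand parsed the full SQL grammar, and the whole scheme depends on the tag staying out of reach of anything that can influence query text. Note also what it shows about the original question: it is the query language that has to be transformed, because encrypting the stored data does not change how the database parses the query string it receives.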