lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20060517221919.GM29682@obiit.org>
Date: Thu, 18 May 2006 00:19:19 +0200
From: frantisek holop <minusf@...it.org>
To: bugtraq@...urityfocus.com
Subject: Re: Maksymilian Arciemowicz


hmm, on Tue, May 16, 2006 at 08:37:11PM -0000, cxib@...urityreason.com said that

[snip]

> The solution is to analyze all input variables and all checkings (for
> example: is_string). Error displaying could be disabled, but I would
> rather suggest correcting the code.

you present the solution yourself: display_errors

from php.ini:
; - display_errors = Off           [Security]
;     With this directive set to off, errors that occur during the execution of
;     scripts will no longer be displayed as a part of the script output, and thus,
;     will no longer be exposed to remote users.  With some errors, the error message
;     content may expose information about your script, web server, or database
;     server that may be exploitable for hacking.  Production sites should have this
;     directive set to off.


admins don't have the time (and/or the expertise) to go and hunt for
things like this.  auditing code like this for admins is a waste of
time.  not for the authors of course.  on production machines
display_errors should be simply turned off.  if i were the php people
i would make it even the default (if it is not already).

there must be like thousands of cases like this out there, not enforcing
the types to 100%.  and i don't even think it's practical in every case.
if the variable type misuse does not produce any usable error message or
info, the attacker will simply get bored and go away.  or perhaps tries
a filling-the-log-partition DoS in frustration :)

-f
-- 
the smallest handcuff in the world is a wedding ring.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ