Message-ID: <CACDSwDki0JX1+pYQB0tNrSemyL3UR0LVYgmks60Y0gkW+JGZuw@mail.gmail.com>
Date: Fri, 26 Aug 2011 11:18:02 -0700
From: Michael Brooks <firealwaysworks@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Bypassing PHPIDS 0.6.5

Full Paper:
https://sitewat.ch/en/Blog/10

Using these attacks it is possible to bypass all of PHPIDS's rule sets,
which defeats all protection PHPIDS can provide. Furthermore, on a default
install of PHPIDS the log file can be used to drop a PHP backdoor. Thereby
using PHPIDS as a vital stepping stone in turning an LFI vulnerability into
remote code execution. Thus PHPIDS 0.6.5 made you less secure. Of course
all of these issues have been fixed in PHPIDS 0.7, and by using the latest
version of PHPIDS I have no doubt that your PHP application will be more
secure. If someone tells you that you are absolutely secure, then they are
trying to sell you something. However, PHPIDS 0.7 provides a strong barrier
between your application and an attacker.
