Message-ID: <CAD6s_XuhN7dVxq=Wvo9KgUJzUmzAudYBtZtbJTP2wwdX2DUezw@mail.gmail.com>
Date: Wed, 6 Mar 2013 13:57:56 +0100
From: Christian Sciberras <uuf6429@...il.com>
To: Ulisses Montenegro <ulisses.montenegro@...il.com>
Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: SANS PHP Port Scanner Remote Code Execution
Ulisses,
No, I'm blaming developers that are not in the field of security for this
mess.
Chris.
On Wed, Mar 6, 2013 at 1:10 PM, Ulisses Montenegro <ulisses.montenegro@...il.com> wrote:
> Christian
>
> If you're reading my email as "it's the developers' fault", then you got
> it wrong -- I've been a developer for most of my life. And while things
> have gotten better in the last years, there are still tons of "build your
> blog in 15 minutes" or "develop a twitter clone in 2h"
> tutorials/advertisements for various platforms and languages out there
> which either assume security is a non-issue, or assume the
> platform/language will take care of it for you.
>
> Heck, the manpages for some libc functions on non-GNU platforms still show
> vulnerable code in examples. perldoc is riddled with code that is just
> enough to show how a given function should be used, but with no validation
> whatsoever. I remember reading the training material for an Oracle product
> (sorry, I really can't recall the name) which touted being able to have the
> application security handled by infrastructure/middleware components as a
> desirable feature.
>
> So while I'd agree that we are getting better at this, we're still far
> from ideal. The canonical "hello world" for most languages/platforms out
> there, in most cases, still does not make explicit references to security
> issues.
>
>
> On Wed, Mar 6, 2013 at 8:49 AM, Christian Sciberras <uuf6429@...il.com> wrote:
>
>> The article actually recommends looking for information from
>> www.w3schools.com <http://www.w3fools.com>?!
>>
>> Here's a few other obviously missing things:
>> - script requires input but does not check for it (very bad PHP practice)
>> - what the hell is with that code? Ever heard about indentation?
>> - there should be some very basic sanitization; ints be ints and strings
>> be strings
>> - hiding all errors, that was a very smart thing to do....
>> - early 20's html and css coding style to boot
>>
>> Regarding the tool itself, obviously it's not meant to be used publicly,
>> hence why I could close my eye in this respect.
>>
>> Ulisses, developers already do this. Actually, they've been doing it for
>> quite some time.
>> Perhaps the "security experts" writing tutorials as in that article
>> should follow?
>>
>>
>> On Wed, Mar 6, 2013 at 11:55 AM, Dan Ballance <tzewang.dorje@...il.com> wrote:
>>
>>> +1
>>> On 6 Mar 2013 10:41, "Ulisses Montenegro" <ulisses.montenegro@...il.com> wrote:
>>>
>>>> Not including proper input validation and error handling in code
>>>> samples is one of the most common and harmful practices in the software
>>>> development industry -- doing it is not "optional" or "advanced", it is
>>>> mandatory unless you want to be pwned.
>>>>
>>>> Developers need to start doing things properly from the very beginning,
>>>> as habits become harder and harder to change with experience.
>>>>
>>>>
>>>> On Wed, Mar 6, 2013 at 7:33 AM, Benji <me@...ji.com> wrote:
>>>>
>>>>> Actually, adding input sanitisation really wouldn't increase the code
>>>>> size that much. Are you just incompetent?
>>>>>
>>>>>
>>>>> On Wed, Mar 6, 2013 at 7:46 AM, Źmicier Januszkiewicz <gauri@....by> wrote:
>>>>>
>>>>>> Dear list,
>>>>>>
>>>>>> Well, I suppose this had to be a proof-of-concept piece of code to
>>>>>> demonstrate how port scanning can be done in PHP, not a production-grade
>>>>>> software. Adding input sanitization would increase the code size by a lot
>>>>>> and obscure the concept somewhat (not that there is much to be said about
>>>>>> the concept though). Think we can give the dude some discount for that.
>>>>>>
>>>>>> Nevertheless, seeing something like this coming from "Certified
>>>>>> Ethical Hacker and Security + certified" makes me doubt the worthiness of
>>>>>> those certificates. Could be nice to know the exact naming of those
>>>>>> certificates to properly disregard them in the future.
>>>>>>
>>>>>> With best regards,
>>>>>> Z.
>>>>>>
>>>>>> 2013/3/6 laurent gaffie <laurent.gaffie@...il.com>
>>>>>>
>>>>>>>
>>>>>>> http://resources.infosecinstitute.com/php-build-your-own-mini-port-scanner/
>>>>>>>
>>>>>>> Finding the vulnerability in this code is left as an exercise to the
>>>>>>> reader.
>>>>>>>
>>>>>>> PS: "Your comment will be awaiting moderation forever."
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Full-Disclosure - We believe in it.
>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> “If debugging is the process of removing software bugs, then
>>>> programming must be the process of putting them in.” - Edsger Dijkstra
>>>>
>>>>
>>>
>>>
>>
>>
>
>
>
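The thread's practical demand is "ints be ints and strings be strings" plus real error handling, even in a tutorial-sized script. The following is an added example written for this archive page; it is not the InfoSec Institute tutorial's code and not anything posted by the thread participants. It shows a PHP 8 request handler that validates a host and a port parameter before a single TCP connect, using only built-in functions (filter_var, fsockopen) and no shell. Every function name in it (validatePort, validateHost, probePort, handleRequest) is an assumption for the example, and the sample requests at the bottom are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not the tutorial's code: validate a host and a port the way
// the thread demands ("ints be ints and strings be strings") and surface
// connection errors instead of silencing them. All function names here are
// assumptions for this example.

/** Return the port as an int, or null unless it is an integer in 1..65535. */
function validatePort(mixed $raw): ?int
{
    $port = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 65535],
    ]);
    return $port === false ? null : $port;
}

/**
 * Return the host unchanged if it is an IP literal or an RFC 1123 hostname,
 * otherwise null. Anything containing spaces, quotes or shell metacharacters
 * fails both checks, so it never reaches the socket call.
 */
function validateHost(mixed $raw): ?string
{
    if (!is_string($raw) || $raw === '' || strlen($raw) > 253) {
        return null;
    }
    if (filter_var($raw, FILTER_VALIDATE_IP) !== false) {
        return $raw;
    }
    if (filter_var($raw, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false) {
        return $raw;
    }
    return null;
}

/**
 * Probe one TCP port with a connect timeout using fsockopen (no shell involved).
 * The failure reason is captured and returned to the caller, not discarded.
 */
function probePort(string $host, int $port, float $timeout = 1.0): string
{
    $errno = 0;
    $errstr = '';
    // The @ only suppresses the duplicate warning text; the error itself is
    // still collected in $errno/$errstr and reported in the result.
    $sock = @fsockopen($host, $port, $errno, $errstr, $timeout);
    if ($sock === false) {
        return sprintf('closed or filtered (%d: %s)', $errno, $errstr);
    }
    fclose($sock);
    return 'open';
}

/** Validate the request first; only fully validated values reach probePort(). */
function handleRequest(array $query): array
{
    // Missing parameters are rejected explicitly rather than defaulting to ''.
    if (!isset($query['host'], $query['port'])) {
        return ['ok' => false, 'error' => 'host and port are required'];
    }
    $host = validateHost($query['host']);
    $port = validatePort($query['port']);
    if ($host === null) {
        return ['ok' => false, 'error' => 'host must be an IP address or a hostname'];
    }
    if ($port === null) {
        return ['ok' => false, 'error' => 'port must be an integer from 1 to 65535'];
    }
    return ['ok' => true, 'host' => $host, 'port' => $port, 'state' => probePort($host, $port)];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests: one valid, one bad host, one out-of-range port.
    $samples = [
        ['host' => '127.0.0.1', 'port' => '22'],
        ['host' => 'not a host', 'port' => '22'],
        ['host' => 'localhost', 'port' => '70000'],
    ];
    foreach ($samples as $q) {
        echo json_encode(handleRequest($q)), PHP_EOL;
    }
} else {
    header('Content-Type: application/json');
    echo json_encode(handleRequest($_GET));
}
```

Run it from the command line to see the three constructed requests produce one probe and two rejections. Two design points are worth noting: `$_GET['host']` can arrive as an array (`?host[]=x`), which is why the validators accept `mixed` and treat anything that is not a well-formed scalar as a rejection; and the validation only guarantees the values are well-typed, it does not decide which targets the script may reach at all, which is the separate exposure concern Christian raises about the tool not being meant for public use.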