[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAD6s_Xute3T6OVkXVNhX7JXPPDENmX4f0KBWW4jgMrdTH+v6DQ@mail.gmail.com>
Date: Fri, 8 Mar 2013 02:50:03 +0100
From: Christian Sciberras <uuf6429@...il.com>
To: Andrew King <aking1012.com@...il.com>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: SANS PHP Port Scanner Remote Code Execution
Andrew,
You realize this guy is trying to advise people through a tutorial?
It's not like we're talking about average Joe shipping buggy software...
people *teaching bad practices,* especially in this field should be shot
dead
before they do any more damage.
You just can't learn how to code by teaching others to do it wrongly.
Pointing back to my comprehensive list, the author missed some of
the very basics of programming in general (undefined variables, no
indentation..).
Chris.
On Fri, Mar 8, 2013 at 2:14 AM, Andrew King <aking1012.com@...il.com> wrote:
> Has anyone considered that loads of stuff is shipped bugged?
>
> I mean it's not like they hosted it on their site executable. It's also
> not like we're talking about vsftpd where it's installed for a legitimate
> purpose on millions if not billions of PCs.
>
> The million eyeball test and trolling a company where one person might
> have to read 15 articles a day in addition to actual job duties are not
> even in the same realm. Add to that maybe backdoor software like sub7 had
> administrative access backdoors. The list goes on. All I'm saying is
> don't be dense.
>
>
> On Wed, Mar 6, 2013 at 2:57 AM, Christian Sciberras <uuf6429@...il.com>wrote:
>
>> Ulisses,
>>
>> No, I'm blaming developers that are not in the field of security for this
>> mess.
>>
>> Chris.
>>
>>
>> On Wed, Mar 6, 2013 at 1:10 PM, Ulisses Montenegro <
>> ulisses.montenegro@...il.com> wrote:
>>
>>> Christian
>>>
>>> If you're reading my email as "it's the developers' fault", then you got
>>> it wrong -- I've been a developer for most of my life. And while things
>>> have gotten better in the last years, there are still tons of "build your
>>> blog 15 minutes" or "develop a twiiter clone in 2h"
>>> tutorials/advertisements for various platforms and languages out there
>>> which either assume security is a non-issue, or assume the
>>> platform/language will take care of it for you.
>>>
>>> Heck, the manpages for some libc functions on non-GNU platforms still
>>> show vulnerable code in examples. perldoc is riddled with code that is just
>>> enough to show how a given function should be used, but with no validation
>>> whatsoever. I remember reading the training material for an Oracle product
>>> (sorry, I really can't recall the name) which touted being able to have the
>>> application security handled by infrastructure/middleware componentes as a
>>> desirable feature.
>>>
>>> So while I'd agree that we are getting better at this, we're still far
>>> from ideal. The canonical "hello world" for most languages/platforms out
>>> there, in most cases, still does not make explicit references to security
>>> issues.
>>>
>>>
>>> On Wed, Mar 6, 2013 at 8:49 AM, Christian Sciberras <uuf6429@...il.com>wrote:
>>>
>>>> The article actually recommends looking for information from
>>>> www.w3schools.com <http://www.w3fools.com>?!
>>>>
>>>> Here's a few other obviously missing things:
>>>> - script requires input but does not check for it (very bad PHP
>>>> practice)
>>>> - what the hell is with that code? Ever heard about indentation?
>>>> - there should be some very basic sanitization; ints be ints and
>>>> strings be strings
>>>> - hiding all errors, that was a very smart thing to do....
>>>> - early 20's html and css coding style to boot
>>>>
>>>> Regarding the tool itself, obviously it's not meant to be used
>>>> publicly, hence why I could close my eye in this respect.
>>>>
>>>> UIlisses, developers already do this. Actually, they've been doing it
>>>> for quite some time.
>>>> Perhaps the "security experts" writing tutorials as in that article
>>>> should follow?
>>>>
>>>>
>>>> On Wed, Mar 6, 2013 at 11:55 AM, Dan Ballance <tzewang.dorje@...il.com>wrote:
>>>>
>>>>> +1
>>>>> On 6 Mar 2013 10:41, "Ulisses Montenegro" <
>>>>> ulisses.montenegro@...il.com> wrote:
>>>>>
>>>>>> Not including proper input validation and error handling in code
>>>>>> samples is one of the most common and harmful practices in the software
>>>>>> development industry -- doing it is not "optional" or "advanced", it is
>>>>>> mandatory unless you want to be pwned.
>>>>>>
>>>>>> Developers need to start doing things properly from the very
>>>>>> beginning, as habits become harder and harder to change with experience.
>>>>>>
>>>>>>
>>>>>> On Wed, Mar 6, 2013 at 7:33 AM, Benji <me@...ji.com> wrote:
>>>>>>
>>>>>>> Actually, adding input sanitisation really wouldnt increase the code
>>>>>>> size that much. Are you just incompetent?
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Mar 6, 2013 at 7:46 AM, Źmicier Januszkiewicz <gauri@....by>wrote:
>>>>>>>
>>>>>>>> Dear list,
>>>>>>>>
>>>>>>>> Well, I suppose this had to be a proof-of-concept piece of code to
>>>>>>>> demonstrate how port scanning can be done in PHP, not a production-grade
>>>>>>>> software. Adding input sanitization would increase the code size by a lot
>>>>>>>> and obscure the concept somewhat (not that there is much to be said anout
>>>>>>>> the concept though). Think we can give the dude some discount for that.
>>>>>>>>
>>>>>>>> Nevertheless, seeing something like this coming from "Certified
>>>>>>>> Ethical Hacker and Security + certified" makes me doubt the worthness of
>>>>>>>> those certificates. Could be nice to know the exact naming of those
>>>>>>>> certificates to properly disregard them in the future.
>>>>>>>>
>>>>>>>> With best regards,
>>>>>>>> Z.
>>>>>>>>
>>>>>>>> 2013/3/6 laurent gaffie <laurent.gaffie@...il.com>
>>>>>>>>
>>>>>>>>>
>>>>>>>>> http://resources.infosecinstitute.com/php-build-your-own-mini-port-scanner/
>>>>>>>>>
>>>>>>>>> Finding the vulnerability in this code is left as an exercise to
>>>>>>>>> the reader.
>>>>>>>>>
>>>>>>>>> PS: "*Your comment will be awaiting moderation forever."*
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Full-Disclosure - We believe in it.
>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> “If debugging is the process of removing software bugs, then
>>>>>> programming must be the process of putting them in.” - *Edsger
>>>>>> Dijkstra*
>>>>>>
>>>>>> _______________________________________________
>>>>>> Full-Disclosure - We believe in it.
>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> “If debugging is the process of removing software bugs, then programming
>>> must be the process of putting them in.” - *Edsger Dijkstra*
>>>
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists