| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <51DFDB2D.8090808@auxbrowser.com>
Date: Fri, 12 Jul 2013 10:32:13 +0000
From: Aux Browser Team <team@...browser.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Security Mistakes That We And Others Have Made
When we developed our open source
project(http://code.google.com/p/auxbrowser/), we found several common
security mistakes.
Security Issue #1 - FEATURE_LOCALMACHINE_LOCKDOWN
If an application uses Microsoft web browser object to access internet,
it's extremely important to have this enabled.
We made this mistake. Others also made the same mistake.
For example, EditPlus uses web browser object, and it does not have this
enabled - it's vulnerable.
Security Issue #2 - SizeOf Used For Buffer Size in Characters
SizeOf is "in bytes", when buffer size is "in characters".
In the Unicode world, it's wrong to use SizeOf for buffer size in
characters.
We made this mistake. Others also made the same mistake.
For example:
http://delphi.about.com/cs/adptips2001/a/bltip0401_3.htm
...
Buffer: array[0..2047] of Char
...
GetPrivateProfileString('InternetShortcut',
PChar('URL'), NIL, Buffer, SizeOf(Buffer),
PChar(dir+searchrec.Name))
...
In the end, if you find bugs in our open source project, please contact
us. We will put your name in the "Thanks" part here:
http://code.google.com/p/auxbrowser/wiki/TechnicalDetails
Best Wishes,
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists