Home page logo
/

basics logo Security Basics mailing list archives

Re: store passwords securely in the internet
From: "Jan G.B." <ro0ot.w00t () googlemail com>
Date: Fri, 9 Apr 2010 17:55:48 +0200

Hi Andre,

2010/4/6 Andre Pawlowski <sqall () h4des org>:
Hi guys,

I've written a program to store your passwords secure in a container on a
server.

The whole project is written in php. A weak point of the program is the http
protocol. When the user doesn't use https to transfer the data the passwords
will send decrypted over the net.

I hope there is any use for this program and I'm glad if anyone of you send
me any critics or suggestions.


Your script does not properly check the input parameters, except that
strpos('./') check.
There are XSS Bugs which can lead to several vulns.
I didn't check it intensely, but I believe your failing strpos()-test
can lead to a directory traversal attack, which may lead to files
being overwritten without permission (for example destroying someone
else's password-safe or crushing systems config files).

Check out this link
 http://narkolayev-shlomi.blogspot.com/2010/04/directory-traversal-fuzz-list.html

Regards

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault