With DK

OWASP Talk: PHP Code Analysis: Real World Examples

dk — Wed, 19 Mar 2008 13:38:23 +0000

There have been some delays around the next London OWASP meeting, but its currently set for Thu, 3 Apr 2008.

If it all goes ahead with plan, I’ll be speaking on PHP Code Analysis, so if your around and have a night free please feel free to join in.

Persists Software XUpload Buffer Overflow

admin — Tue, 26 Feb 2008 15:23:21 +0000

I discovered a buffer overflow in Persist Software XUpload package while researching ActiveX exploitation.

XUpload is prone to a buffer overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.

An exploit is in the wild. See the SecurityFocus advisory for more details.

Livelink UTF-7 XSS Vulnerability

admin — Thu, 31 Jan 2008 14:17:05 +0000

Release date: 31/Jan/2008
Last Modified: N/A
Author: David Kierznowski http://withdk.com
Application: Linklink <= 9.7.0
Risk: Medium

Full advisory available here.

Textlinkads SQL Injection Vulnerability released

admin — Fri, 18 Jan 2008 14:41:14 +0000

BlogSecurity: WP Textlinkads SQL Injection Advisory

I left it with them for 2 weeks before disclosing the advisory. It was fixed within 24hrs of release.

Full Disclosure Saga Continues

admin — Mon, 14 Jan 2008 16:46:43 +0000

So its now been 20 days since finding and disclosing a criticial SQL injection issue that has the potential to affect 20,000 websites. See my first post here.

I have bounced a few E-Mails off the CEO, and he has kept in touch, however, nothing yet. So that means I have now left 20K of websites at risk for 20 days and counting…

The bigger players (Microsoft, Cisco etc) with more experience have procedures in place to deal with security issues like this, so "responsible" disclosure makes sense, but by the time this advisory is released, I would have spent the same amount of time (if not more) disclosing the vulnerability then actually researching the vulnerability.

These things are never as black and white as they first appear.

Fire and Flames

admin — Thu, 03 Jan 2008 16:28:22 +0000

I found an SQL Injection vulnerability in a peice of software that according to the site may affect over 20,000 websites. I have kept the advisory and proof of concept exploit private, but am curious how long it will take for the vendor to release a fix.

I have often felt that full-disclosure (FD) is the way forward. In other words, we release first and ask questions later. This approach appears to have ‘inspired’ vendors to patch more efficiently in the past, but at the same time it alerts the bad guys to write more exploits!

The argument by FD is that attackers may already be exploiting the vulnerability in the wild and that by releasing FD the security researcher is merely putting out a warning - as one would if a dam wall was about to collapse.

If we can measure and detect attacks on a global scale this argument may be addressed and debated in a better light. I do think FD can be terribly destructive if used by attention seekers who may choose not to release the advisory to the vendor at all.

Added new content

admin — Wed, 26 Dec 2007 00:44:16 +0000

Its taking longer to find, order and place content then originally thought, however, it really gives one perspective with regards to achievements.

I have added content to both the Articles and News/Interview Sections.

Content Added
In Articles:
* Paper: Ad-Jacking - XSSing for Fun and Profit
* Presentation: Automated Web FOO or FUD?
In News & Interviews:
* Survey: Finds Most WordPress Blogs Vulnerable
* Vul: Adobe Acrabat JavaScript Vulnerabilities

WithDK site in progress

admin — Sun, 23 Dec 2007 22:39:17 +0000

WithDK.com site development in progress.