Test-suite for a password protected website

Joshua Goodall joshua at roughtrade.net
Mon Dec 29 05:36:39 CST 2003


On Mon, Dec 29, 2003 at 06:27:49PM +1100, David Dick wrote:
> If they are completely unaware of the
> test-suite, no harm will come to them.  So for me, a very acceptable
> compromise, thank you Mr Eriksen.  Only problem is that I feel like an
> idiot for not thinking of it myself. :)

Using code that represents a well-known security error cannot be recommended
without major, major caveats about usage.

For example, Leif - there have been plenty of application vulnerabilities
that have allowed people to run commands like "ps" *without* obtaining
shell access, as you've erroneously assumed.  Very few of them would
be stopped by a firewall, and I expect there will be more in future.

I have discovered such vulnerabilities during audits of commercial
software (a memorable case was an unsafe use of "ls" in a commercial
ftp server).

The rest of the "gives us more time" items you've listed seem like
pretty trivial barriers in these days where real black-hats can and
do write invasive kernel modules (cf. recent Debian compromise).

So David - please don't ever pass a password you care about via
an environment variable.

- J

-- 
Joshua Goodall                           "as modern as tomorrow afternoon"
joshua at roughtrade.net                                       - FW109
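The point Joshua makes above, demonstrated on Linux with Python (an added example, not code from this thread): a child process handed a password through its environment exposes it to any process of the same user that can read /proc/<pid>/environ (the same data `ps eww` prints), whereas handing it over a stdin pipe leaves nothing in that block. The SECRET value and the function names are constructed for the demonstration.

```python
import os
import subprocess
import sys
from typing import Optional

# Constructed sample value for the demonstration, not a real credential.
SECRET = "example-secret-do-not-reuse"


def environ_of(pid: int) -> Optional[bytes]:
    """Environment block of a running process as exposed by the Linux /proc
    filesystem (what `ps eww` prints).  None if /proc is unavailable or the
    process cannot be inspected from this user."""
    try:
        with open(f"/proc/{pid}/environ", "rb") as fh:
            return fh.read()
    except OSError:
        return None


def secret_visible_in_environ(pass_via_env: bool) -> Optional[bool]:
    """Start a child that needs SECRET, delivered either through its
    environment or through a pipe on stdin, and report whether SECRET can
    be read from the child's environment block while it runs.  None means
    /proc was not readable here, so nothing could be checked."""
    env = {"PATH": os.environ.get("PATH", "")}
    if pass_via_env:
        env["PASSWORD"] = SECRET           # the pattern the mail warns against
    # The child reads stdin to EOF, which keeps it alive until we close the pipe.
    child = subprocess.Popen(
        [sys.executable, "-c", "import sys; sys.stdin.read()"],
        env=env, stdin=subprocess.PIPE,
    )
    try:
        if not pass_via_env:
            child.stdin.write(SECRET.encode() + b"\n")  # secret travels over the pipe only
            child.stdin.flush()
        block = environ_of(child.pid)      # what any same-uid process can read
    finally:
        child.stdin.close()
        child.wait()
    if block is None:
        return None
    return SECRET.encode() in block


if __name__ == "__main__":
    print("via environment:", secret_visible_in_environ(True))   # True on Linux
    print("via stdin pipe: ", secret_visible_in_environ(False))  # False on Linux
```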