Test-suite for a password protected website
Joshua Goodall
joshua at roughtrade.net
Mon Dec 29 05:36:39 CST 2003
On Mon, Dec 29, 2003 at 06:27:49PM +1100, David Dick wrote:
> If they are completely unaware of the
> test-suite, no harm will come to them. So for me, a very acceptable
> compromise, thank you Mr Eriksen. Only problem is that I feel like an
> idiot for not thinking of it myself. :)
Using code that represents a well-known security error cannot be recommended
without major, major caveats about usage.
For example, Leif - there have been plenty of application vulnerabilities
that have allowed people to run commands like "ps" *without* obtaining
shell access, as you've erroneously assumed. Very few of them would
be stopped by a firewall, and I expect there will be more in future.
I have discovered such vulnerabilities during audits of commercial
software (a memorable case was an unsafe use of "ls" in a commercial
ftp server).
The rest of the "gives us more time" items you've listed seem like
pretty trivial barriers in these days where real black-hats can and
do write invasive kernel modules (cf. recent Debian compromise).
So David - please don't ever pass a password you care about via
an environment variable.
- J
--
Joshua Goodall "as modern as tomorrow afternoon"
joshua at roughtrade.net - FW109
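The point Joshua makes above (a secret placed in a process's environment is readable by any process on the host that can inspect process state, with or without shell access) can be demonstrated directly. The following is an added example and not code from the thread or from the test-suite being discussed. It assumes a Linux host where `/proc/<pid>/environ` is available (the same data `ps eww` prints); the variable name `TEST_PASSWORD` and the secret value are constructed for the demonstration. The second function shows the alternative a defender would reach for: handing the secret to the child over a pipe on stdin, so it never appears in the environment or the command line.

```python
"""Show that a secret passed via the environment is visible to other local
processes, and contrast it with passing the secret over a pipe (stdin)."""
import hashlib
import os
import subprocess
import sys

# Constructed values for the demonstration; not from the original thread.
SECRET = "hunter2-constructed"
VAR_NAME = "TEST_PASSWORD"  # hypothetical variable name


def env_of_process(pid):
    """Read the environment of another process from /proc/<pid>/environ.

    This is exactly what `ps eww` shows: any process running as the same
    user (or as root) can read it, no shell required. Returns None where
    /proc is not available (non-Linux) so callers can skip the check."""
    try:
        with open(f"/proc/{pid}/environ", "rb") as fh:
            raw = fh.read()
    except OSError:
        return None
    env = {}
    for entry in raw.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def secret_leaks_via_environment(secret):
    """Start a child with the secret in its environment and check whether a
    bystander process (here, ourselves acting as one) can read it back.

    Returns True if the secret is visible, False if not, None if the check
    cannot be performed on this platform."""
    child = subprocess.Popen(
        [sys.executable, "-c", "import time; time.sleep(30)"],
        env={**os.environ, VAR_NAME: secret},
    )
    try:
        env = env_of_process(child.pid)
        if env is None:
            return None
        return env.get(VAR_NAME) == secret
    finally:
        child.kill()
        child.wait()


def pass_secret_over_pipe(secret):
    """Safer alternative: deliver the secret on the child's stdin.

    The child reports (a) a SHA-256 of what it received, so the parent can
    confirm delivery, and (b) whether the variable is present in its own
    environment, which it must not be. Returns a dict with both findings."""
    child_code = (
        "import hashlib, os, sys\n"
        "pw = sys.stdin.readline().rstrip('\\n')\n"
        "print(hashlib.sha256(pw.encode()).hexdigest())\n"
        f"print({VAR_NAME!r} in os.environ)\n"
    )
    # Make sure the parent's own environment does not carry the variable
    # through to the child.
    clean_env = {k: v for k, v in os.environ.items() if k != VAR_NAME}
    proc = subprocess.run(
        [sys.executable, "-c", child_code],
        input=secret + "\n",
        env=clean_env,
        capture_output=True,
        text=True,
        check=True,
    )
    digest_line, in_env_line = proc.stdout.splitlines()[:2]
    expected = hashlib.sha256(secret.encode()).hexdigest()
    return {"received": digest_line == expected, "in_env": in_env_line == "True"}


if __name__ == "__main__":
    leaked = secret_leaks_via_environment(SECRET)
    if leaked is None:
        print("environment check skipped: /proc not available on this host")
    else:
        print(f"secret readable from the child's environment: {leaked}")
    result = pass_secret_over_pipe(SECRET)
    print(f"pipe delivery: received={result['received']} in_env={result['in_env']}")
```

On a Linux host the first function returns True, which is the leak the mail warns about; the pipe-based function returns received=True and in_env=False regardless of platform. A password file with mode 0600 read by the child itself is another option with the same property: the secret never enters argv or the environment.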