dous
in any language. Even if you have a mathematics background.
If you can't afford to hire a cryptography expert to audit your library
before you publish it, you should seriously consider using one that the
community has already reviewed for free.
Scott Arciszewski
Chief Development
--'
I hope you find my proposal to be sane and reasonable enough to adhere to,
for the sake of your own applications.
Please share this flowchart with every (especially but not necessarily PHP)
programmer you know until these mistakes are era
://github.com/zendframework/zend-crypt
Additionally, anyone whose PCI/whatever compliance is in any way
hinged upon the cryptography that Joomla provided should probably
notify their pen-testers and get re-evaluated with this new
information at their earliest convenience.
That's all from me
Story time, FD.
Hopefully I can save someone else from having to deal with the
frustration of dealing with Bullhorn.
March 3, 2014 - I observed that SendOuts (owned by Bullhorn) didn't
use HTTPS even though it was available, nor HSTS once someone
explicitly accessed the https://webconnect3.sendou
Corrected links:
> https://github.com/anchorcms/anchor-cms/blob/07933dbc7939326bb4973827a0934d1a610851d1/system/helpers.php#L55-L59
> https://github.com/anchorcms/anchor-cms/blob/66581e5969029e7b6dfddfe3326bb9f15f27b859/anchor/libraries/hash.php#L15
Scott Arciszewski
Chief Development O
e just as bad.
In publishing this, we hope that the AnchorCMS development team is
able to wake up and reconnect with the community, and more importantly
that the community is willing to help them fix the myriad of security
vulnerabilities that probably lurk beneath the surface.
Scott A
On Wed, Aug 12, 2015 at 9:48 AM, dxw Security wrote:
> Details
>
> Software: OAuth2 Complete For WordPress
> Version: 3.1.3
> Homepage: http://wordpress.org/plugins/oauth2-provider/
> Advisory report:
> https://security.dxw.com/advisories/the-oauth2-complete-plugin-for-wordpress-
to communicate privately with someone else, the
solution is to use TextSecure and/or Signal. (If you aren't already
using these free apps, why not?)
And please, if you're going to roll your own cryptography, don't deploy it.
http://www.cryptofails.com/post/75204435608/write-crypto
ectness of their implementations. PHP, Java, .NET, Python, you name it.
Keep us in mind if you (or your employer, if applicable) needs such a
service.
Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>
ion in other popular languages):
- https://github.com/defuse/php-encryption
- https://github.com/zendframework/zend-crypt
Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>
>
> Advisory Timeline
>
> 05/03/2015 - First Contact
> 06/05/2015 - Vulnerability fixed
> 11/05/2015 - Advisory released
>
I'm honestly surprised it took their team two months to fix this. I've
previously reported issues via HackerOne and they were on it within a day.
If anyo
n, Apr 27, 2015 at 10:41 PM, Scott Arciszewski
> wrote:
>
>> The author added a note on his page: http://klikki.fi/adv/wordpress2.html
>>
>> Also, searching HackerOne does not reveal a public WordPress program, only
>> WP-API. Does this mean that WordPress was privatel
The author added a note on his page: http://klikki.fi/adv/wordpress2.html
Also, searching HackerOne does not reveal a public WordPress program, only
WP-API. Does this mean that WordPress was privately participating in
HackerOne for select hackers? If so, revealing that publicly is kind of
rude. :(
Using MySQL column truncation to trick an XSS past their filter... clever.
I never would have thought to do that. :)
On Sun, Apr 26, 2015 at 4:13 PM, Jouko Pynnonen wrote:
> *Overview*
> Current versions of WordPress are vulnerable to a stored XSS. An
> unauthenticated attacker can inject JavaSc
y issue
I didn't find any exploitable flaws in their encryption implementation. I
might look again soon.
The takeaway: If any Laravel developers are reading this: If you have
foregone server-side session storage, please make sure you have encryption
turned on.
Scott Arciszewski
Chief Development Off
y libraries. Also, encryption is not authentication. Go play
with the Matasano Crypto Challenges for more on "unauthenticated CBC mode
is not secure".
Thank you and good night.
Scott Arciszewski
P.S. If anyone is interested in learning more about writing secure PHP
code, the http://www.securin
Since my last post, I have learned from Andrew Nacin (the lead developer of
WordPress and security team member that I was corresponding with) that my
emails weren't ignored, they were lost to an aggressive spam filter.
Despite this, he has admitted fault for not following up on the bug report.
Be
>
> Security Risk:
> ==
> The security risk of the security vulnerability in the facebook framework
> is estimated as critical. (CVSS 9.1)
>
Care to run that calculation by us?
On Wed, Feb 11, 2015 at 9:53 AM, Vulnerability Lab <
resea...@vulnerability-lab.com> wrote:
> Document Titl
Ticket opened: 2014-06-25
Affected Versions: ALL
Problem: No CSPRNG
Patch available, collecting dust because of negligent (and questionably
competent) WP maintainers
On June 25, 2014 I opened a ticket on WordPress's issue tracker to expose a
cryptographically secure pseudorandom number generator,
eginning of the string in order to run a length extension attack.
Cheers,
Nahu.-
On Tuesday, 28 October 2014, Scott Arciszewski wrote:
> ... or more accurately, asleep at the wheel!
>___
> _/ STO
... or more accurately, asleep at the wheel!
___
_/ STORY TIME (feel free to skip this if you don't care) \__
|
r production, I wouldn't touch with a million foot
> stick.
>
>
> On Sun, Aug 17, 2014 at 8:22 PM, Scott Arciszewski
> wrote:
> > If any of you are familiar with Stephen Gibson's SQRL protocol for user
> > authentication (really neat idea), you might have come a
If any of you are familiar with Stephen Gibson's SQRL protocol for user
authentication (really neat idea), you might have come across this PHP
implementation before: https://github.com/geir54/php-sqrl
Unfortunately, this library is actually pretty terrible. Not only does it
pass all of the data of
I linked to it earlier. You can also try https://zinesnn5qzdr6tpg.onion.to/
and https://zinesnn5qzdr6tpg.tor2web.org/
On Sat, Jul 19, 2014 at 9:20 AM, Kirk Durbin wrote:
> Here is an awesome archive of said hacker ezines. Unfortunately, I don't
> think there is a clearnet mirror.
>
> http://zine
They still happen, just most intrusions aren't that impressive.
http://chippyits5cqbd7p.onion
http://zinesnn5qzdr6tpg.onion
Go nuts :)
On Thu, Jul 10, 2014 at 6:19 AM, wrote:
> Hi,
>
> I am way too fresh in infosec to have seen many of the classic ezine txt
> files as they first appeared, but
Hi FD,
So I got bored/felt nostalgia and decided I would go through the hotscripts
website and audit the top 10 most popular PHP scripts (PHP being my most
proficient language). Y'know, for practice or something.
Unfortunately, there were a number of factors that frustrated this effort:
* Most of
"Ethical" is always a matter of perspective. "Legal" and "effective" are
the relevant points of contention.
On Wed, May 28, 2014 at 10:29 PM, Brian M. Waters
wrote:
> So far the thread of discussion here has focused on whether or not
> Weev's plan would /actually work/. But let's take a step bac
Brilliant but never going to work; it will undoubtedly gain a lot of
opposition that will probably prevent it from getting off the ground.
Usually through weev getting V&hammered again :(
On Tue, May 27, 2014 at 2:49 PM, Philip Cheong wrote:
> From https://www.startjoin.com/trollc
>
> *Right no
Background info and boring history shit:
https://scott.arciszewski.me/research/view/php-framework-timing-attacks-object-injection
Vulnerability:
1. Remote timing attack
2. PHP Object Injection
3. Possibly, as a result of 2, remote code execution
Affects:
- CodeIgniter (<= 2.1.4)
- Kohana (<= 3.2.
Vendor: http://quickbase.intuit.com
Intuit QuickBase sells itself as a combination database and business
intelligence tool. Its performance is terrible; however, that doesn't stop
some businesses from using it as the back-end for their apps.
A fun fact that they don't advertise is that they limit