On Sun, 2005-02-20 at 21:26 +0200, Willem Koenings wrote:
> Yes, and that's why I said, that original quote is not always true
> because it is differently understandable. If I know one specific flaw
> or vulnerability, then I specifically can test against presence or
> absence of that specific flaw
[quote]
3) (and based on a recent example, I just can't find the reference... it was
some PHP app): Input URLs are examined for "../" and converted into "./".
The function worked correctly, no flaw from a programming perspective.
However, input of ".../" was converted to "../" as planned, but leav
On Sun, 20 Feb 2005 10:50:47 -0600, Frank Knobbe <[EMAIL PROTECTED]> wrote:
> The point is that often code works correctly, stable and secure, and
> does what the programmer intended to do. However, sometimes the
> programmer overlooked a condition to check for. The lack of that check
> is not a
On Sun, 2005-02-20 at 01:09 +0200, Willem Koenings wrote:
> > I've seen cases where user input is correctly sanitized, but there was a
> > flaw.
>
> Can you please bring an example?
I'll give you three:
1) User input is passed to a function which sanitizes the input by
converting "dangerous" ch
On Sun, 20 Feb 2005 01:09:29 +0200, Willem Koenings said:
> 3. testing doesn't reveal absence of unknown flaw
> 4. testing doesn't reveal absence of all unknown flaws
Think for a moment - would you *ever* be able to go to your boss and say:
"I've finished testing the program, and even though the
On Sat, 19 Feb 2005 10:14:31 -0600, Frank Knobbe <[EMAIL PROTECTED]> wrote:
> On Sat, 2005-02-19 at 16:12 +0200, Willem Koenings wrote:
> > - user input is correctly sanitized and there is no flaw
> > - user input is not correctly sanitized and there is a flaw
>
> I've seen cases where user input i
On Sat, 2005-02-19 at 16:12 +0200, Willem Koenings wrote:
> - user input is correctly sanitized and there is no flaw
> - user input is not correctly sanitized and there is a flaw
I've seen cases where user input is correctly sanitized, but there was a
flaw.
If you tested your whole parameter set a
On Fri, 18 Feb 2005 16:49:03 -0500, [EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote:
> On Fri, 18 Feb 2005 16:04:52 EST, bkfsec said:
>
> > Are you aware of any server software that has been so rigorously tested
> > that it has no flaws at all?
> >
> > That would be one hell of a find...
>
> "Testing
On Fri, 18 Feb 2005 16:04:52 EST, bkfsec said:
> Are you aware of any server software that has been so rigorously tested
> that it has no flaws at all?
>
> That would be one hell of a find...
"Testing can reveal the presence of flaws, but not their absence" -- E. Dijkstra
So yeah, it *would*
Ill will wrote:
just like just about every other webserver gets hacked, they use third
party server software that hasn't gone through enough rigorous testing
to make sure it's not vulnerable to any flaws.. simple search on Google
will give you the answer
I don't doubt the concept of what you're sa
just like just about every other webserver gets hacked, they use third
party server software that hasn't gone through enough rigorous testing
to make sure it's not vulnerable to any flaws.. simple search on Google
will give you the answer
On Thu, 17 Feb 2005 16:12:07 -0500, Dave Ockwell-Jenner
<[EM
Wait until he's out (or earlier), a book will no doubt be written :-)
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
gf gf wrote:
PS Doesn't the secret service use a classification
system, like the mil, that would prevent sending
highly sensitive emails in the clear? From what I've
read, the guy compromised highly sensitive reports and
documentation. Does any mobile carrier support PGP or
some other end-to-end
Anyone know how the dude who hacked into T-Mobil's
network ( http://securityfocus.com/news/10516 )
actually did so? Now that's it gone to court, the
data should be in the public record (anyone have any
lawyer friends who can get a transcript?)
In general, I think it would be invaluable to the
com