Screenshot for anyone who might have missed it (before cache is removed): http://img842.imageshack.us/img842/7351/sansphpportscannerfdpng.png
On Thu, Mar 7, 2013 at 7:53 PM, adam <[email protected]> wrote: > The original page has been deleted? > > > On Thu, Mar 7, 2013 at 7:50 PM, Christian Sciberras <[email protected]>wrote: > >> Andrew, >> >> >> You realize this guy is trying to advise people through a tutorial? >> It's not like we're talking about average Joe shipping buggy software... >> people *teaching bad practices,* especially in this field should be shot >> dead >> before they do any more damage. >> >> You just can't learn how to code by teaching others to do it wrongly. >> >> Pointing back to my comprehensive list, the author missed some of >> the very basics of programming in general (undefined variables, no >> indentation..). >> >> >> Chris. >> >> >> On Fri, Mar 8, 2013 at 2:14 AM, Andrew King <[email protected]>wrote: >> >>> Has anyone considered that loads of stuff is shipped bugged? >>> >>> I mean it's not like they hosted it on their site executable. It's also >>> not like we're talking about vsftpd where it's installed for a legitimate >>> purpose on millions if not billions of PCs. >>> >>> The million eyeball test and trolling a company where one person might >>> have to read 15 articles a day in addition to actual job duties are not >>> even in the same realm. Add to that maybe backdoor software like sub7 had >>> administrative access backdoors. The list goes on. All I'm saying is >>> don't be dense. >>> >>> >>> On Wed, Mar 6, 2013 at 2:57 AM, Christian Sciberras >>> <[email protected]>wrote: >>> >>>> Ulisses, >>>> >>>> No, I'm blaming developers that are not in the field of security for >>>> this mess. >>>> >>>> Chris. >>>> >>>> >>>> On Wed, Mar 6, 2013 at 1:10 PM, Ulisses Montenegro < >>>> [email protected]> wrote: >>>> >>>>> Christian >>>>> >>>>> If you're reading my email as "it's the developers' fault", then you >>>>> got it wrong -- I've been a developer for most of my life. And while >>>>> things >>>>> have gotten better in the last years, there are still tons of "build your >>>>> blog 15 minutes" or "develop a twiiter clone in 2h" >>>>> tutorials/advertisements for various platforms and languages out there >>>>> which either assume security is a non-issue, or assume the >>>>> platform/language will take care of it for you. >>>>> >>>>> Heck, the manpages for some libc functions on non-GNU platforms still >>>>> show vulnerable code in examples. perldoc is riddled with code that is >>>>> just >>>>> enough to show how a given function should be used, but with no validation >>>>> whatsoever. I remember reading the training material for an Oracle product >>>>> (sorry, I really can't recall the name) which touted being able to have >>>>> the >>>>> application security handled by infrastructure/middleware componentes as a >>>>> desirable feature. >>>>> >>>>> So while I'd agree that we are getting better at this, we're still far >>>>> from ideal. The canonical "hello world" for most languages/platforms out >>>>> there, in most cases, still does not make explicit references to security >>>>> issues. >>>>> >>>>> >>>>> On Wed, Mar 6, 2013 at 8:49 AM, Christian Sciberras <[email protected] >>>>> > wrote: >>>>> >>>>>> The article actually recommends looking for information from >>>>>> www.w3schools.com <http://www.w3fools.com>?! >>>>>> >>>>>> Here's a few other obviously missing things: >>>>>> - script requires input but does not check for it (very bad PHP >>>>>> practice) >>>>>> - what the hell is with that code? Ever heard about indentation? >>>>>> - there should be some very basic sanitization; ints be ints and >>>>>> strings be strings >>>>>> - hiding all errors, that was a very smart thing to do.... >>>>>> - early 20's html and css coding style to boot >>>>>> >>>>>> Regarding the tool itself, obviously it's not meant to be used >>>>>> publicly, hence why I could close my eye in this respect. >>>>>> >>>>>> UIlisses, developers already do this. Actually, they've been doing it >>>>>> for quite some time. >>>>>> Perhaps the "security experts" writing tutorials as in that article >>>>>> should follow? >>>>>> >>>>>> >>>>>> On Wed, Mar 6, 2013 at 11:55 AM, Dan Ballance < >>>>>> [email protected]> wrote: >>>>>> >>>>>>> +1 >>>>>>> On 6 Mar 2013 10:41, "Ulisses Montenegro" < >>>>>>> [email protected]> wrote: >>>>>>> >>>>>>>> Not including proper input validation and error handling in code >>>>>>>> samples is one of the most common and harmful practices in the software >>>>>>>> development industry -- doing it is not "optional" or "advanced", it is >>>>>>>> mandatory unless you want to be pwned. >>>>>>>> >>>>>>>> Developers need to start doing things properly from the very >>>>>>>> beginning, as habits become harder and harder to change with >>>>>>>> experience. >>>>>>>> >>>>>>>> >>>>>>>> On Wed, Mar 6, 2013 at 7:33 AM, Benji <[email protected]> wrote: >>>>>>>> >>>>>>>>> Actually, adding input sanitisation really wouldnt increase the >>>>>>>>> code size that much. Are you just incompetent? >>>>>>>>> >>>>>>>>> >>>>>>>>> On Wed, Mar 6, 2013 at 7:46 AM, Źmicier Januszkiewicz < >>>>>>>>> [email protected]> wrote: >>>>>>>>> >>>>>>>>>> Dear list, >>>>>>>>>> >>>>>>>>>> Well, I suppose this had to be a proof-of-concept piece of code >>>>>>>>>> to demonstrate how port scanning can be done in PHP, not a >>>>>>>>>> production-grade >>>>>>>>>> software. Adding input sanitization would increase the code size by >>>>>>>>>> a lot >>>>>>>>>> and obscure the concept somewhat (not that there is much to be said >>>>>>>>>> anout >>>>>>>>>> the concept though). Think we can give the dude some discount for >>>>>>>>>> that. >>>>>>>>>> >>>>>>>>>> Nevertheless, seeing something like this coming from "Certified >>>>>>>>>> Ethical Hacker and Security + certified" makes me doubt the >>>>>>>>>> worthness of >>>>>>>>>> those certificates. Could be nice to know the exact naming of those >>>>>>>>>> certificates to properly disregard them in the future. >>>>>>>>>> >>>>>>>>>> With best regards, >>>>>>>>>> Z. >>>>>>>>>> >>>>>>>>>> 2013/3/6 laurent gaffie <[email protected]> >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> http://resources.infosecinstitute.com/php-build-your-own-mini-port-scanner/ >>>>>>>>>>> >>>>>>>>>>> Finding the vulnerability in this code is left as an exercise to >>>>>>>>>>> the reader. >>>>>>>>>>> >>>>>>>>>>> PS: "*Your comment will be awaiting moderation forever."* >>>>>>>>>>> >>>>>>>>>>> _______________________________________________ >>>>>>>>>>> Full-Disclosure - We believe in it. >>>>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/ >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> _______________________________________________ >>>>>>>>>> Full-Disclosure - We believe in it. >>>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/ >>>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> _______________________________________________ >>>>>>>>> Full-Disclosure - We believe in it. >>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/ >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> “If debugging is the process of removing software bugs, then >>>>>>>> programming must be the process of putting them in.” - *Edsger >>>>>>>> Dijkstra* >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> Full-Disclosure - We believe in it. >>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/ >>>>>>>> >>>>>>> >>>>>>> _______________________________________________ >>>>>>> Full-Disclosure - We believe in it. >>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>>>>> Hosted and sponsored by Secunia - http://secunia.com/ >>>>>>> >>>>>> >>>>>> >>>>> >>>>> >>>>> -- >>>>> “If debugging is the process of removing software bugs, then >>>>> programming must be the process of putting them in.” - *Edsger >>>>> Dijkstra* >>>>> >>>> >>>> >>>> _______________________________________________ >>>> Full-Disclosure - We believe in it. >>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>> Hosted and sponsored by Secunia - http://secunia.com/ >>>> >>> >>> >>> _______________________________________________ >>> Full-Disclosure - We believe in it. >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> Hosted and sponsored by Secunia - http://secunia.com/ >>> >> >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
