Hi,

My name is Jordan Forssman, and I am representing a company called Armorize Technologies. We have developed a source code analysis platform for PHP, called CodeSecure, which scans source code for SQL injection, cross-site scripting, command injection, etc. vulnerabilities. The tool will tell you exactly which line the vulnerability is on, explain the propagation of the tainted variables, and assist you in fixing the bug.

I believe this tool will help you verify the security of your application and will be able to do so very quickly. At the moment we are scanning around 20 000 lines in under 5 minutes, or 1M in about 2 minutes, depending on the application.

Currently we are accepting applications for trial accounts. If you would like to use our tool to scan your code, please log on to http://www.armorize.com/events/trialapplication and submit the form. We are just starting our sales and marketing effort, so I hope you can use our product and give us some feedback. If you want to know more about our company and product you can find us at www.armorize.com, and download our datasheets and whitepapers at www.armorize.com/resources/download .

The trial is free and can be accessed over the Web; we are using the trials as a test case for offering the product as a service and also to promote the product. Once I receive your application I will send you an e-mail with a quickstart guide and login details.

If you have any questions, please feel free to contact me anytime.

Best Regards,

Jordan Forssman
Sales Manager
Armorize Technologies
Tel. +886-2-6616-0100 ext. 201
Cell. +886-938-100-214
Fax. +886-2-6616-1100
Skype: jordan4z
jordan@xxxxxxxxxxxx
jordan4z@xxxxxxxxxxx

-----Original Message-----
From: Ivo F.A.C. Fokkema [mailto:I.F.A.C. Fokkema@xxxxxxx]
Sent: Monday, November 27, 2006 6:01 PM
To: php-general@xxxxxxxxxxxxx
Subject: Re: Please hack my app

On Wed, 22 Nov 2006 09:57:50 +0100, Ivo F.A.C. Fokkema wrote:

> Hi List,
>
> As this subject may start you wondering what the hell I'm thinking, let me
> clarify:
>
> I've been rewriting a GPL'ed PHP/MySQL app from scratch for the last 12
> months or so. It facilitates storage of DNA mutations and the
> corresponding patient data. Because patient data is involved, privacy is
> very important.
> Now of course I read lots of pages on SQL injection and whatnot, and I
> strongly believe my application is protected from this kind of abuse.
> However, believing is not enough. I've had some comments in the past about
> security (previous version of the software) and although I didn't agree with
> the criticism, I want to be able to say the new app went through various forms
> of attacks. This month, I want to release 2.0-alpha-01...
>
> *** THIS IS NOT ABOUT HACKING THE SERVER ***
> But about getting in the application when you're not allowed to!
>
> If you feel like helping me out, it's located at
> http://chromium.liacs.nl/LOVDv.2.0-dev/
>
> 1) Please try to get in. There's one account in the system, a database
> administrator, capable of doing anything. If you get in, you can easily
> create a new user using the setup tab. This will be the proof of you
> breaking my security rules.
>
> 2) Can you manage to view non-public data? Using the Variants tab, you
> can see there is currently one entry in the database (with two mutations).
> This entry has a hidden column, called 'Patient ID'. There is a
> text string in that column. If you can tell me what that string is, you
> win :)
>
> 3) Feel free to register as a submitter to see if that gives you any
> rights that you shouldn't have. A submitter is only capable of adding new
> data to the database (Submit tab), but that data will not be published
> immediately.
>
> 4) After a while, I will release login details of a curator account. This
> user is allowed to see non-public data and handle the specific gene, but
> NOT create new users or the like.
>
>
> If you have any questions, please ask. Thank you in advance for using your
> expertise for the good cause :)

In case anyone is interested: I've created a low-level user ('untrusted') in the system. The password is equal to the username. Feel free to try and do stuff you're not supposed to, like creating a new user or creating a gene.

Ivo

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php