Hi Jordan,

Thank you for your offer. As you know, I signed up a couple of days ago. I ran a scan yesterday and got a big PDF file out of it. I've quickly scanned through the results and it appears there are a lot of times when I use one of my own functions (sometimes even without an argument) it finds a vulnerability. I will analyze the results in more detail later on.

Would you appreciate comments on the service?

Thanks again,
Ivo

On Tue, 28 Nov 2006 14:19:30 +0800, Jordan Forssman wrote:

> Hi,
>
> My name is Jordan Forssman, I am representing a company called Armorize
> Technologies. We have developed a source code analysis platform for PHP,
> called CodeSecure, which scans source code for SQL injection, cross-site
> scripting, command injection, etc. vulnerabilities. The tool will tell you
> exactly which line the vulnerability is on, explain the propagation of
> the tainted variables, and assist you in fixing the bug. I believe this
> tool will help you verify the security of your application and will be
> able to do so very quickly. At the moment we are scanning around 20 000
> lines in under 5 minutes, or 1M in about 2 minutes, depending on the
> application.
>
> Currently we are accepting applications for trial accounts; if you would
> like to use our tool to scan your code please log on to
> http://www.armorize.com/events/trialapplication and submit the form.
> We are just starting our sales and marketing effort so I hope you can
> use our product and give us some feedback.
>
> If you want to know more about our company and product you can find us
> at: www.armorize.com , download our datasheets and whitepapers at
> www.armorize.com/resources/download .
>
> The trial is free and can be accessed over the Web; we are using the
> trials as a test case for offering the product as a service and also to
> promote the product. Once I receive your application I will send you an
> e-mail with a quickstart guide and login details.
>
> If you have any questions, please feel free to contact me anytime.
>
> Best Regards,
>
> Jordan Forssman
> Sales Manager
> Armorize Technologies
> Tel. +886-2-6616-0100 ext. 201
> Cell. +886-938-100-214
> Fax. +886-2-6616-1100
> Skype: jordan4z
> jordan@xxxxxxxxxxxx
> jordan4z@xxxxxxxxxxx
>
>
> -----Original Message-----
> From: Ivo F.A.C. Fokkema [mailto:I.F.A.C. Fokkema@xxxxxxx]
> Sent: Monday, November 27, 2006 6:01 PM
> To: php-general@xxxxxxxxxxxxx
> Subject: Re: Please hack my app
>
> On Wed, 22 Nov 2006 09:57:50 +0100, Ivo F.A.C. Fokkema wrote:
>
>> Hi List,
>>
>> As this subject may start you wondering what the hell I'm thinking, let me
>> clarify:
>>
>> I've been rewriting a GPL'ed PHP/MySQL app from scratch for the last 12
>> months or so. It facilitates storage of DNA mutations and the
>> corresponding patient data. Because patient data is involved, privacy is
>> very important.
>> Now of course I read lots of pages on SQL injection and whatnot, and I
>> strongly believe my application is protected from this kind of abuse.
>> However, believing is not enough. I've had some comments in the past about
>> security (previous version of the software) and although I didn't agree with
>> the criticism, I want to be able to say the new app went through various forms
>> of attacks. This month, I want to release 2.0-alpha-01...
>>
>> *** THIS IS NOT ABOUT HACKING THE SERVER ***
>> But about getting in the application when you're not allowed to!
>>
>> If you feel like helping me out, it's located at
>> http://chromium.liacs.nl/LOVDv.2.0-dev/
>>
>> 1) Please try to get in. There's one account in the system, a database
>> administrator, capable of doing anything. If you get in, you can easily
>> create a new user using the setup tab. This will be the proof of you
>> breaking my security rules.
>>
>> 2) Can you manage to view non-public data? Using the Variants tab, you
>> can see there is currently one entry in the database (with two mutations).
>> This entry has a hidden column, called 'Patient ID'. There is a
>> text-string in that column. If you can tell me what that string is, you
>> win :)
>>
>> 3) Feel free to register as a submitter to see if that gives you any
>> rights that you shouldn't have. A submitter is only capable of adding new
>> data to the database (Submit tab), but that data will not be published
>> immediately.
>>
>> 4) After a while, I will release login details of a curator account. This
>> user is allowed to see non-public data and handle the specific gene, but
>> NOT create new users or the like.
>>
>>
>> If you have any questions, please ask. Thank you in advance for using your
>> expertise for the good cause :)
>
> In case anyone is interested; I've created a low-level user ('untrusted')
> in the system. Password is equal to username. Feel free to try and do
> stuff you're not supposed to, like creating a new user or creating a
> gene.
>
> Ivo

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
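Ivo's remark that the scanner flags calls to his own functions is the classic shape of a taint-analysis false positive: the tool tracks data from request sources to query sinks, and a function it has no model for is conservatively assumed to pass taint straight through. The toy tracker below is an added example written for this thread, not code from Armorize's CodeSecure or from LOVD; it shows that behaviour on a constructed PHP fragment. The function `clean_name`, the sample lines and the `extra_sanitizers` option are assumptions made for illustration.

```python
import re

# Toy intra-procedural taint tracker for PHP-style source (added example, not
# the CodeSecure product's code). It models three things a real analyzer does:
# taint sources, taint propagation through assignments, and sinks.
SOURCES = ("$_GET", "$_POST", "$_COOKIE", "$_REQUEST")
SINKS = ("mysql_query", "mysqli_query")
# Functions the toy analyzer knows return clean data. Anything else is
# treated conservatively: taint passes straight through the call.
BUILTIN_SANITIZERS = {"intval", "mysql_real_escape_string",
                      "mysqli_real_escape_string"}

ASSIGN_RE = re.compile(r'^\s*(\$\w+)\s*=\s*(.+?);\s*$')
CALL_RE = re.compile(r'^(\w+)\((.*)\)$', re.S)
CAST_RE = re.compile(r'^\((?:int|integer|float|bool)\)\s*\$\w+$')
VAR_RE = re.compile(r'\$\w+')


def _tainted_refs(expr, taint):
    """Superglobal sources and already-tainted variables referenced in expr."""
    return [v for v in VAR_RE.findall(expr) if v in SOURCES or v in taint]


def _sanitizes(expr, sanitizers):
    """True when the whole expression is a cast or a call to a known sanitizer."""
    if CAST_RE.match(expr):
        return True
    m = CALL_RE.match(expr)
    return bool(m) and m.group(1) in sanitizers


def analyze(src, extra_sanitizers=()):
    """Return findings: each is a dict with the sink line, the tainted variable
    and the propagation trace (line, step) from source to sink."""
    sanitizers = BUILTIN_SANITIZERS | set(extra_sanitizers)
    taint = {}   # variable -> trace explaining how taint reached it
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        # 1. Sinks: any known sink fed a tainted value is a finding.
        for sink in SINKS:
            m = re.search(re.escape(sink) + r'\((.*)\)', line)
            if not m:
                continue
            for ref in _tainted_refs(m.group(1), taint):
                findings.append({
                    "line": lineno, "sink": sink, "var": ref,
                    "trace": taint.get(ref, []) + [(lineno, f"{sink}({ref})")],
                })
        # 2. Assignments: propagate or clear taint on the assigned variable.
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        var, expr = m.groups()
        refs = _tainted_refs(expr, taint)
        if refs and not _sanitizes(expr, sanitizers):
            origin = refs[0]
            taint[var] = taint.get(origin, []) + [(lineno, f"{var} <- {origin}")]
        else:
            taint.pop(var, None)   # assigned clean data: taint is gone
    return findings


# Constructed PHP fragment (not from the LOVD code base); clean_name() is a
# hypothetical home-grown sanitizer the analyzer has no model for.
SAMPLE = """\
$id = $_GET['id'];
$name = clean_name($_POST['name']);
$safe_id = (int) $id;
mysql_query("SELECT * FROM variants WHERE id = $id");
mysql_query("SELECT * FROM variants WHERE id = $safe_id");
mysql_query("SELECT * FROM genes WHERE name = '$name'");
"""


def report(src, extra_sanitizers=()):
    """Human-readable version of analyze(): one finding plus its trace per block."""
    lines = []
    for f in analyze(src, extra_sanitizers):
        lines.append(f"line {f['line']}: tainted {f['var']} reaches {f['sink']}")
        for ln, step in f["trace"]:
            lines.append(f"    line {ln}: {step}")
    return "\n".join(lines) or "no findings"


if __name__ == "__main__":
    print("== clean_name() unknown to the analyzer ==")
    print(report(SAMPLE))
    print("== clean_name() declared as a sanitizer ==")
    print(report(SAMPLE, extra_sanitizers={"clean_name"}))
```

Run as a script it prints two reports: with `clean_name` unknown, lines 4 and 6 are flagged and each finding carries the source-to-sink trace; once `clean_name` is declared a sanitizer, only the genuine line 4 remains. For a practitioner reading a scan report, a finding against a home-grown wrapper is therefore a prompt either to register that function with the tool or to confirm that it really neutralises what it wraps. This toy only follows taint through one straight-line script and never looks inside function bodies, which a real analyzer of the kind described would.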