RE: FW: Re: Please hack my app

Hi Ivo,

Sorry for the late reply; I have been traveling.
I am assigning someone to your case who will assist you in understanding
the cause of the inclusion of the vulnerability in your own functions.
To my understanding it is that it could be the result of a repetition of
an instance discovered in your function. If you are then to include the
function a number of times, the vulnerability will be identified in all
those instances.

However, I am assigning someone to this question who will give you a
better answer, his name is Chris.

As to your comments, I would greatly appreciate them.

Thanks and all the best, 

Jordan Forssman
Sales Manager
Armorize Technologies 
US: 
Tel: +1-408-512-4052 ext. 201
Fax: +1-408-247-1570
TW:
Tel. +886-2-6616-0100 ext. 201
Cell. +886-938-100-214
Fax. +886-2-6616-1100
Skype: jordan4z
jordan4z@xxxxxxxxxxx

-----Original Message-----
From: Ivo F.A.C. Fokkema [mailto:I.F.A.C. Fokkema@xxxxxxx] 
Sent: Saturday, December 02, 2006 12:26 AM
To: php-general@xxxxxxxxxxxxx
Subject: Re: FW:  Re: Please hack my app

Hi Jordan,

Thank you for your offer. As you know, I signed up a couple of days
ago. I ran a scan yesterday and have gotten a big PDF file out of it.
I've quickly scanned through the results and it appears there are a lot
of times when I use one of my own functions (sometimes even without an
argument) it finds a vulnerability. I will analyze the results in more
detail later on. Would you appreciate comments on the service?

Thanks again,

Ivo


On Tue, 28 Nov 2006 14:19:30 +0800, Jordan Forssman wrote:

> Hi,
> 
> My name is Jordan Forssman, I am representing a company called Armorize
> Technologies. We have developed a source code analysis platform for PHP,
> called CodeSecure, which scans source code for SQL injection, cross-site
> scripting, command injection, etc. vulnerabilities. The tool will tell you
> exactly which line the vulnerability is on, explain the propagation of
> the tainted variables, and assist you in fixing the bug. I believe this
> tool will help you verify the security of your application and will be
> able to do so very quickly. At the moment we are scanning around 20 000
> lines in under 5 minutes, or 1M in about 2 minutes, depending on the
> application.
> 
> Currently we are accepting applications for trial accounts. If you would
> like to use our tool to scan your code, please log on to
> http://www.armorize.com/events/trialapplication and submit the form.
> We are just starting our sales and marketing effort so I hope you can
> use our product and give us some feedback.
> 
> If you want to know more about our company and product you can find us
> at www.armorize.com, and download our datasheets and whitepapers at
> www.armorize.com/resources/download.
> 
> The trial is free and can be accessed over the Web; we are using the
> trials as a test case for offering the product as a service and also to
> promote the product. Once I receive your application I will send you an
> e-mail with a quickstart guide and login details.
> 
> If you have any questions, please feel free to contact me anytime.
> 
> Best Regards,
> 
> Jordan Forssman
> Sales Manager
> Armorize Technologies
> Tel. +886-2-6616-0100 ext. 201
> Cell. +886-938-100-214
> Fax. +886-2-6616-1100
> Skype: jordan4z
> jordan@xxxxxxxxxxxx 
> jordan4z@xxxxxxxxxxx 
> 
> 
> -----Original Message-----
> From: Ivo F.A.C. Fokkema [mailto:I.F.A.C. Fokkema@xxxxxxx] 
> Sent: Monday, November 27, 2006 6:01 PM
> To: php-general@xxxxxxxxxxxxx
> Subject:  Re: Please hack my app
> 
> On Wed, 22 Nov 2006 09:57:50 +0100, Ivo F.A.C. Fokkema wrote:
> 
>> Hi List,
>> 
>> As this subject may start you wondering what the hell I'm thinking,
>> let me clarify:
>> 
>> I've been rewriting a GPL'ed PHP/MySQL app from scratch for the last
>> 12 months or so. It facilitates storage of DNA mutations and the
>> corresponding patient data. Because patient data is involved, privacy
>> is very important.
>> Now of course I read lots of pages on SQL injection and whatnot, and I
>> strongly believe my application is protected from this kind of abuse.
>> However, believing is not enough. I've had some comments in the past
>> about security (previous version of the software) and although I didn't
>> agree with the criticism, I want to be able to say the new app went
>> through various forms of attacks. This month, I want to release
>> 2.0-alpha-01...
>> 
>> *** THIS IS NOT ABOUT HACKING THE SERVER ***
>> But about getting in the application when you're not allowed to!
>> 
>> If you feel like helping me out, it's located at
>> http://chromium.liacs.nl/LOVDv.2.0-dev/
>> 
>> 1) Please try to get in. There's one account in the system, a database
>> administrator, capable of doing anything. If you get in, you can easily
>> create a new user using the setup tab. This will be the proof of you
>> breaking my security rules.
>> 
>> 2) Can you manage to view non-public data? Using the Variants tab, you
>> can see there is currently one entry in the database (with two
>> mutations). This entry has a hidden column, called 'Patient ID'. There
>> is a text string in that column. If you can tell me what that string
>> is, you win :)
>> 
>> 3) Feel free to register as a submitter to see if that gives you any
>> rights that you shouldn't have. A submitter is only capable of adding
>> new data to the database (Submit tab), but that data will not be
>> published immediately.
>> 
>> 4) After a while, I will release login details of a curator account.
>> This user is allowed to see non-public data and handle the specific
>> gene, but NOT create new users or the like.
>> 
>> 
>> If you have any questions, please ask. Thank you in advance for using
>> your expertise for the good cause :)
> 
> In case anyone is interested, I've created a low-level user
> ('untrusted') in the system. Password is equal to username. Feel free
> to try and do stuff you're not supposed to, like creating a new user or
> creating a gene.
> 
> Ivo

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
