Aug 01 2007
securityfocus.com Are Wrong
Some little asswipe sent in a vulnerability report to securityfocus.com (the same site Amelie had faux report problems with, and which just happens to mirror to thousands of blogs and security websites across the Internet) claiming that there’s a login issue in BellaBiblio and BellaBook/BellaBuffs (he couldn’t make his mind up with that one) making them insecure. He claims that you can create a cookie called “bellabiblio” with a value of “administrator” and bypass the login security.
This is not true — the code this guy pasted as “proof” of the vulnerability even shows that the cookie is checked against a hashed combination of the username, password and random ‘salt’, all set by the user — and you can’t replicate that without knowing all three of those values.
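To make the point concrete, here is an added example (written for this page in Python; it is not the BellaBook/BellaBiblio source, whose hash function and concatenation order are not shown here) of a login cookie that holds a digest of username, password and salt. The cookie name “bellabiblio” is the one cited in the report; the sha256 digest over “username:password:salt”, the `cookie_grants_admin` / `try_forged_values` helpers and the sample owner credentials are all assumptions made for the example. Setting the cookie to the literal string “administrator” is rejected, because the only thing the server accepts is a digest that can’t be produced without all three values.

```python
import hashlib
import hmac
import secrets

# Added example, not the scripts' own code. Assumption: the cookie value is a
# sha256 hex digest of "username:password:salt"; the real scripts' hash
# function and concatenation order are not shown on the page.

COOKIE_NAME = "bellabiblio"  # the cookie name cited in the report


def make_login_cookie(username: str, password: str, salt: str) -> str:
    """Value stored in the login cookie once the correct username and
    password have been supplied. Without all three inputs there is no way
    to reproduce this string."""
    material = f"{username}:{password}:{salt}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def cookie_grants_admin(cookies: dict, username: str, password: str, salt: str) -> bool:
    """Server-side check run on every admin page: recompute the expected
    digest from the owner's stored settings and compare it to what the
    browser sent."""
    presented = cookies.get(COOKIE_NAME, "")
    expected = make_login_cookie(username, password, salt)
    # compare_digest takes the same time however many leading characters
    # match, so a forger can't learn the digest one character at a time.
    return hmac.compare_digest(presented, expected)


def try_forged_values(username: str, password: str, salt: str) -> dict:
    """Present the literal values a naive attacker might try (including the
    'administrator' string from the report); returns {value: accepted}."""
    forgeries = ["administrator", "admin", username, password, "1"]
    return {
        v: cookie_grants_admin({COOKIE_NAME: v}, username, password, salt)
        for v in forgeries
    }


if __name__ == "__main__":
    # Constructed sample settings standing in for a real site owner's config.
    OWNER_USER, OWNER_PASS = "owner", "correct horse battery staple"
    OWNER_SALT = secrets.token_hex(16)  # random salt chosen at install time
    print("forged values accepted?", try_forged_values(OWNER_USER, OWNER_PASS, OWNER_SALT))
    genuine = {COOKIE_NAME: make_login_cookie(OWNER_USER, OWNER_PASS, OWNER_SALT)}
    print("genuine cookie accepted?", cookie_grants_admin(genuine, OWNER_USER, OWNER_PASS, OWNER_SALT))
```

Two things the example shows beyond the paragraph: the comparison is done with `hmac.compare_digest` rather than `==`, and a cookie computed under a different salt is rejected, so a site owner who changes the salt invalidates every existing login cookie.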
One of the bug report “BID”s has already been marked as retired because, and I quote: “The original information provided has been proven to be incorrect”, but that doesn’t change the fact that the so-called vulnerability is (as I said) on thousands of blogs and security websites.
I love security, and I am very active in reviewing scripts (as many of you know) but I would never publish information so obviously incorrect as that on such a huge website without verifying the allegations with multiple ‘masters’ in the field. We all make mistakes, but maybe he should take a leaf out of my book and keep his mistakes on a website of his own… at least then damage is minimal.
Warning
This post is over 6 months old. This means that, despite my best intentions, it may no longer be accurate. Age, motherhood, experience, loss... these things have all changed me from when this blog was started back in the heady (ha) days of my youth.
As much as I would like to go back and edit 10 years of archives to provide an insight into the 'me' of now — to update coding snippets and revise website advice — it would probably take years to do so (by which point I'd have to start again!) This would defeat the point of keeping these archives anyway.
Please take these posts for what they are: a brief look into my past, my history, my journey.