#archiveteam-bs 2013-10-25,Fri


Time Nickname Message
00:53 🔗 joepie91 http://localhost.re/p/whmcs-v5210-vulnerability
00:53 🔗 joepie91 again.png
00:55 🔗 GLaDOS I'm so surprised.
02:00 🔗 odie5533 joepie91: give them a few weeks/months
02:00 🔗 odie5533 they'll have it patched in no time
02:13 🔗 godane in about another 5 days i will have video in the top 9 of the computer & technology collection
02:28 🔗 yipdw Kubuntu 13.10, here we go
02:34 🔗 joepie91 odie5533: hehe
02:35 🔗 odie5533 joepie91: how quickly do they actually patch stuff?
02:35 🔗 joepie91 1-3 days
02:35 🔗 odie5533 because from what I've seen, software companies leave stuff vulnerable for 1 week minimum
02:35 🔗 joepie91 approximately as long until a new vuln is found
02:35 🔗 joepie91 well uh
02:35 🔗 joepie91 they can't really afford to
02:35 🔗 odie5533 1-3 days isn't even bad
02:35 🔗 joepie91 odie5533: in their situation? it is
02:36 🔗 odie5533 think of how long bank software stays vulnerable? minutes to hours at most.
02:36 🔗 joepie91 tens-hundreds of hosting companies having client area shut down
02:36 🔗 joepie91 and shouting/screaming at them
02:36 🔗 joepie91 and threatening to leave
02:36 🔗 joepie91 yes, 1-2 is bad
02:36 🔗 joepie91 1-3 *
02:36 🔗 odie5533 guaranteed the banks and stock software is being patched as fast as humanly possible
02:37 🔗 joepie91 yes
02:37 🔗 odie5533 why are the client areas shut down?
02:37 🔗 joepie91 uh, because otherwise a random skid can dump/wipe entire databases
02:37 🔗 joepie91 or gain admin access to servers?
02:37 🔗 joepie91 :|
02:38 🔗 odie5533 I thought the bug was only that anyone could view invoices
02:38 🔗 joepie91 no
02:38 🔗 joepie91 there's an SQLi
02:38 🔗 joepie91 same for previous bugs
02:38 🔗 joepie91 one of them was even arbitrary code eec
02:38 🔗 joepie91 exec *
02:39 🔗 odie5533 Not regarding this, but I always find it funny when people want to create their own PHP framework. It's very hard to create a secure PHP framework.
02:39 🔗 joepie91 odie5533: actually, not really
02:39 🔗 odie5533 this case shows how hard it is even for a large company to create a secure piece of software in PHP using your own framework
02:39 🔗 joepie91 you just need to not be an idiot
02:39 🔗 joepie91 (read: using mysql_)
02:39 🔗 odie5533 it's way more than that...
02:39 🔗 joepie91 like?
02:39 🔗 odie5533 As soon as you get more than one or two SQL queries
02:40 🔗 odie5533 you start needing abstraction
02:40 🔗 odie5533 and then you end up messing up somewhere.
02:40 🔗 odie5533 That's why using a framework is so important because it handles a lot of the security for you.
02:40 🔗 joepie91 wat?
02:40 🔗 joepie91 what does SQL and abstraction have to do with security?
02:41 🔗 odie5533 because people fail at abstracting away SQL
02:41 🔗 odie5533 or they just leave SQL all over the place.
02:41 🔗 joepie91 odie5533: and that reflects on security how?
02:41 🔗 odie5533 joepie91: because then their software is insecure.
02:42 🔗 joepie91 ...
02:42 🔗 odie5533 apparently you don't agree
02:42 🔗 joepie91 odie5533: "SQL all over the place" has absolutely 0 to do with security
02:43 🔗 joepie91 so explain how exactly abstracting away SQL causes security issues
02:43 🔗 joepie91 concretely
02:43 🔗 joepie91 no vague statements
02:43 🔗 odie5533 "SQL all over the place" absolutely has to do with security.
02:43 🔗 joepie91 <joepie91>concretely
02:43 🔗 joepie91 <joepie91>no vague statements
02:43 🔗 joepie91 <joepie91>so explain how exactly abstracting away SQL causes security issues
02:44 🔗 odie5533 okay. Let's say I'm writing an invoice page for my application and I decide to make the SQL queries for the page.
02:44 🔗 odie5533 But wait! I've fucked up the SQL queries and now my application is vulnerable.
02:44 🔗 odie5533 I should have used a library to provide input sanitization and validation instead of creating an SQL injection vulnerability by trying to do it all myself.
02:46 🔗 odie5533 joepie91: maybe you're really good at rolling your own input validation schemes in PHP. I guess I'm not that good. I've found writing them to be tedious, and have gone over old code where I'd completely failed at it.
02:46 🔗 odie5533 I'd rewritten the site using CakePHP, and the CakePHP version didn't appear nearly as vulnerable.
02:47 🔗 * joepie91 sighs
02:47 🔗 joepie91 odie5533
02:47 🔗 joepie91 this has been a solved problem for the past 2 years
02:47 🔗 joepie91 if not more
02:47 🔗 joepie91 it's called "PDO"
02:47 🔗 joepie91 if you're still "sanitizing input in your database queries" then you're doing it wrong to begin with
02:47 🔗 joepie91 parameterized queries
02:48 🔗 joepie91 as I said
02:48 🔗 joepie91 <joepie91>(read: using mysql_)
02:48 🔗 joepie91 <joepie91>you just need to not be an idiot
02:48 🔗 odie5533 I haven't written a single line of PHP in the past 2 years I'm afraid.
02:48 🔗 odie5533 I thought you meant using mysql_ directly instead of using an abstraction layer, as was the recommended way when I was coding and I assume still is.
02:48 🔗 joepie91 right, in that case I can tell you that a secure framework is absolutely trivial to implement if you're not behaving like an idiot (and more often than not, arrogance is the issue, not competence)
02:49 🔗 joepie91 with the current state of PHP
02:49 🔗 joepie91 ...
02:49 🔗 joepie91 no
02:49 🔗 joepie91 it's not
02:49 🔗 joepie91 mysql_ is officially deprecated
02:49 🔗 joepie91 and has been discouraged for at least 4 years
02:49 🔗 joepie91 PDO has been on par speed-wise in the past 2
02:49 🔗 odie5533 hmm, neat
02:49 🔗 odie5533 I still hope I never have to write PHP again :)
02:50 🔗 odie5533 last time I used PHP was 2007-2008
02:52 🔗 joepie91 I can understand that
02:52 🔗 joepie91 I'm just pointing out that "it's hard to write a secure framework" really isn't hard
02:52 🔗 joepie91 er
02:52 🔗 joepie91 really isn't true *
02:52 🔗 joepie91 wow, it's getting late
02:52 🔗 joepie91 my grammar is going derp
02:52 🔗 odie5533 judging by how many vulnerabilities there are in existence, I'd have to disagree
02:52 🔗 odie5533 it seems like writing a secure framework is hard.
02:52 🔗 joepie91 eh
02:53 🔗 joepie91 that's a very very poor metric
02:53 🔗 joepie91 it's in fact completely unrelatetd
02:53 🔗 joepie91 unrelated *
02:53 🔗 joepie91 writing a secure framework being hard or not has nothing to do with amount of vulnerabilities in the wild
02:53 🔗 joepie91 there are MANY more factors involved with that
02:54 🔗 odie5533 Why do you think so many security vulnerabilities end up in frameworks then?
02:54 🔗 joepie91 odie5533: because, as you can see in for example WHMCS, the developers are too stubborn/arrogant/careless to use PDO, or to read up on the basics of how to secure web applications
02:55 🔗 joepie91 SQLi's are still the primary attack vector
02:55 🔗 joepie91 and virtually always it's because a developer used mysql_*
02:55 🔗 odie5533 I've found some myself. And years later they are still there
02:55 🔗 odie5533 found in a homemade website for which the devs didn't use a framework
02:56 🔗 joepie91 again, the problem is not that they didn't use a framework
02:56 🔗 joepie91 the problem is that they used string concatenation
02:56 🔗 odie5533 I think you are overestimating how easy it is to create a secure framework
02:56 🔗 joepie91 you seem very intent on linking vulnerabilities to "not using a pre-made framework", and this is, to put it simply, complete bullshit
02:56 🔗 * joepie91 sighs
02:56 🔗 joepie91 odie5533
02:56 🔗 odie5533 perhaps because you find it easy
02:56 🔗 joepie91 you're speaking to a PHP developer
02:56 🔗 joepie91 who has written his own framework
02:57 🔗 odie5533 Yes. You find it easy.
02:57 🔗 joepie91 and frequently helps others write more secure code
02:57 🔗 odie5533 Not everyone is you
02:57 🔗 joepie91 right, seeing as you're not even letting me finish talking
02:57 🔗 joepie91 I don't think you're actually interested in having a conversation about this
02:57 🔗 joepie91 just in being right
02:57 🔗 joepie91 in which case I have more useful things to do
02:58 🔗 odie5533 I'd just reiterate that although you may find it easy yourself, you are, as you said, helping others create secure applications. Why would they need help if it were so trivial a task? It is not so trivial. You have expertise in the area so it feels trivial to you.
02:59 🔗 * joepie91 facepalms
02:59 🔗 joepie91 okay
02:59 🔗 joepie91 let me be a bit more direct
02:59 🔗 joepie91 odie5533: I KNOW WHAT PEOPLE DO WRONG AND IT'S NOT BECAUSE IT'S HARD, IT'S BECAUSE OF PERSONAL BIAS AND CHARACTER TRAITS
02:59 🔗 joepie91 is that clear enough?
03:00 🔗 joepie91 I have experience on this topic
03:00 🔗 joepie91 you haven't touched PHP for the past 5 years
03:00 🔗 odie5533 I am clear on your opinion, certainly. But I don't agree with it.
03:00 🔗 joepie91 I'm not sure why you're not taking seriously what I say
03:00 🔗 joepie91 odie5533: please go read up on the current state of PHP
03:00 🔗 joepie91 and try again
03:00 🔗 joepie91 you have absolutely no idea what you're talking about, at this point
03:02 🔗 odie5533 I'm surprised you can't see it from another point of view. Even if we factor in personal bias and character traits, it still shows that people are finding it difficult to secure their applications.
03:13 🔗 joepie91 odie5533: look, it's very simple
03:13 🔗 joepie91 your claim: writing secure frameworks is hard
03:13 🔗 arkhive Who here preordered the PS4?
03:13 🔗 joepie91 that claim is provably false
03:13 🔗 joepie91 any discussion around that, fine
03:13 🔗 joepie91 but that does not take away that the claim is false
03:14 🔗 odie5533 On that I disagree.
03:14 🔗 joepie91 relatedly, http://haacked.com/archive/2013/10/21/argue-well-by-losing.aspx
03:14 🔗 joepie91 odie5533: then provide proof
03:14 🔗 arkhive I preordered the Killzone Shadow Fall bundle on Amazon a few months back but only one of my buddies have preordered it. If anyone here has let me know so we can play on launch day
03:14 🔗 odie5533 joepie91: look at all the frameworks with security vulnerabilities
03:14 🔗 joepie91 odie5533: I said proof
03:14 🔗 joepie91 not correlation
03:15 🔗 odie5533 joepie91: I find that to be proof.
03:15 🔗 joepie91 here's the proof that it isn't hard: use PDO, run output through htmlspecialchars unless you want it to be HTML, don't place uploads in a web-accessible directory, add a token to each form
03:15 🔗 joepie91 you're done
03:15 🔗 joepie91 google "writing secure PHP applications", first 5 results will likely tell you the above
03:15 🔗 joepie91 odie5533: it isn't
03:15 🔗 odie5533 What does add a token to each form mean?
03:16 🔗 joepie91 a random string that you store server-side as well to verify that the user really did fill in a form, and it's not a fake request
03:16 🔗 joepie91 match the submitted token against what you have server-side
03:16 🔗 joepie91 and you're done
03:16 🔗 odie5533 to make sure they loaded the form.php page?
03:16 🔗 odie5533 and didn't just do a POST to it?
03:16 🔗 joepie91 to make sure their request comes from that form, yes
03:17 🔗 odie5533 ah. That is easily defeated, though it does slow down the bot a bit since it needs two requests now.
03:18 🔗 joepie91 ... no, it isn't
03:18 🔗 joepie91 it doesn't protect against what you think it protects against
03:18 🔗 odie5533 Then what's the purpose?
03:18 🔗 joepie91 it's a CSRF protection; prevents spoofed forms on other sites and iframe attacks
03:18 🔗 odie5533 ah
03:18 🔗 joepie91 http://www.gnucitizen.org/blog/csrf-demystified/
03:20 🔗 odie5533 It seems like there are a lot of attack vectors that a PHP application developer needs to deal with.
03:22 🔗 odie5533 One might even suggest that it were difficult, or perhaps hard, to secure your site against all of them.
03:28 🔗 * joepie91 facepalms
03:28 🔗 joepie91 odie5533: every. single. thing. I mentioned above is trivial to implement
03:28 🔗 joepie91 and well-documented
03:28 🔗 joepie91 no, it isn't hard
03:28 🔗 joepie91 and if at this point you still believe it is, despite not having written PHP for 5 years, then sorry
03:28 🔗 joepie91 but you're really not interested in learning anything
03:29 🔗 joepie91 but just interested in being "right" or at least being able to tell me I'm "wrong"
03:29 🔗 joepie91 in which case, http://haacked.com/archive/2013/10/21/argue-well-by-losing.aspx
03:29 🔗 joepie91 go read that
03:30 🔗 odie5533 that gnucitizen article seems more interesting than the hacked.com one
10:25 🔗 ersi hah, what a discussion
13:59 🔗 Aranje ersi:) that's one way to phrase it :D
13:59 🔗 Jonimus Oh god the please tell me it ain't true ;) http://www.leasticoulddo.com/comic/20131025/
14:04 🔗 Aranje oh man
14:04 🔗 Aranje if fucking only
17:19 🔗 phillipsj I have found that the more money they throw at a website, the harder it is to use.
17:21 🔗 phillipsj The reason is that "Web 2.0" websites each have their own undocumented user-interface. The more money spent on coding, the further the page can diverge from user expectations.
17:33 🔗 ivan` the more money spent on a site, the harder it is to crawl as well
17:34 🔗 ivan` blogspot dynamic views and groups.google.com are impossible without a headless webkit
17:36 🔗 ivan` how youtube-dl extracts signatures from Flash objects https://github.com/rg3/youtube-dl/blob/master/youtube_dl/extractor/youtube.py#L623
19:42 🔗 deathy anyone know/have a good gigabit home router which actually can go up to gigabit on WAN via NAT without any issues?
20:27 🔗 BiggieJo1 deathy: most won't do gig on the WAN side because no one has WAN connection that fast. You are probably looking at a real Cisco router or similar
20:28 🔗 deathy my ISP starts rolling out 1 Gbps plan from next month
20:28 🔗 BiggieJo1 where is that ?
20:28 🔗 deathy Maybe someone with Google Fiber? ..but I guess they're using the network box provided
20:28 🔗 BiggieJo1 the provider would usually give you the router, or it's included in the CPE
20:30 🔗 deathy where is all over Romania. In all 150 Cities/Towns they have their network built out
20:30 🔗 BiggieJon ahh
20:30 🔗 BiggieJon we don't have service like that anywhere in the US without paying thousands a month
20:30 🔗 deathy 1 Gbps download (30-ish Mbps upload) for 18.3 USD/month
20:30 🔗 BiggieJon unless you live in a google fiber area
20:30 🔗 BiggieJon only 30 up ? that kinda sucks
20:31 🔗 BiggieJon guess they have to slow down people running servers somehow
20:32 🔗 BiggieJon are they wiring fiber to every home ?
20:32 🔗 deathy well yeah. But on their nation-wide network it will be 100 Mbps upload
20:33 🔗 BiggieJon :)
20:33 🔗 BiggieJon the things we will never see in the US until we get rid of the RIAA/MPAA
20:33 🔗 deathy fiber+ethernet. I live in a 10-story building, fiber comes into building, 2 equipment boxes and then CAT5 to every apartment
20:34 🔗 BiggieJon nice
20:34 🔗 BiggieJon do you have to pay for install fees ?
20:36 🔗 deathy nope, not now at least. building is wired and I'm their customer since maybe 5-6 years or more. Mostly they just need to change their building switches and maybe some cables
20:37 🔗 BiggieJon very cool
20:37 🔗 BiggieJon a lot of countries are starting plans like that now, just not here, except in very few, specific locations
20:41 🔗 BiggieJon the impact on web hosting companies will be interesting
20:41 🔗 BiggieJon large ones will upgrade to 10G to the server, smaller ones will either have crappy performance to places that have gig fiber to the home, or just go out of business
20:43 🔗 DFJustin it's slowly starting to spread, hopefully these guys can make a go of it in canada http://www.cbc.ca/news/technology/ultrafast-internet-service-launched-by-vancouver-startup-1.1382430
20:47 🔗 BiggieJon i'm all for anyone who wants to try
20:48 🔗 deathy this ISP of mine just did a big (completely everywhere on their customer network) IPv6 roll-out, everything dual-stack IPv4 and IPv6
20:48 🔗 deathy (that was last year)
20:48 🔗 deathy IPv6 is something I'm scared of a bit
20:49 🔗 DFJustin still waiting on that too
20:49 🔗 BiggieJon not a lot of support on the other end is the problem
20:49 🔗 BiggieJon is your ISP doing 6 to4 NAT ?
20:50 🔗 deathy every connection is dual-stack. you get both IPv6 and IPv4. So I guess that isn't a problem
20:51 🔗 BiggieJon that solves it
20:52 🔗 BiggieJon IPv4 exhaustion is becoming a serious problem
20:52 🔗 godane hey every one
20:52 🔗 godane i'm doing a google grab of i.walmart.com+filetype:pdf
20:53 🔗 godane it has a 5 second wait on it
20:56 🔗 godane it has tons of pdfs
20:56 🔗 godane like guides to video games by walmart
20:59 🔗 arkhive Omaha, Nebraska (boring place, no offense to residents of) is getting 1Gb/s through CenturyLink. Not sure if it is 1Gbit down AND up though.
21:00 🔗 BiggieJon likely not up, but still nice to see someone trying
21:01 🔗 BiggieJon I've heard nothing about the google fiber project here in austin
21:01 🔗 BiggieJon they haven't even defined where it will be possible
21:03 🔗 arkhive Hopefully Boulder, CO will get gigabit internet when I move up there when I start University of Colorado Boulder next year. But doubtful... Colorado really only has CenturyLink and Comcast and CenturyLink is terrible and Comcast is ridiculous.
21:03 🔗 arkhive swebb: You live in Boulder, right? What ISP and speeds do you get?
21:39 🔗 godane i'm finding $10 rebates on 64mb flash disk
21:39 🔗 godane by Edge Digital Media
21:41 🔗 phillipsj Google fibre prohibits servers :P
21:41 🔗 arkhive Don't they allow home servers now though?
21:41 🔗 BiggieJon "prohibits"
21:41 🔗 phillipsj I am weird, I read fine-print.
21:41 🔗 arkhive http://arstechnica.com/information-technology/2013/10/google-fiber-now-explicitly-permits-home-servers/ I didn't read this article though
21:42 🔗 DFJustin every isp has a thing in the fine print about servers, usually they don't really police it unless you come to their attention for some other reason
21:44 🔗 phillipsj I shopped around for an ISP that allowed servers and sharing the connection.
21:44 🔗 phillipsj I figure my Bitcoin node may eventually get attention one way or another.
21:44 🔗 DFJustin for example I ran a personal website off a "no servers" home cable connection for years and never heard a peep
21:45 🔗 BiggieJon depends a lot on the traffic
22:03 🔗 godane so i'm going after greenamerica.org
22:06 🔗 joepie91 :)
22:06 🔗 joepie91 DFJustin: not all ISPs have 'no servers' in the TOS
22:07 🔗 joepie91 XS4ALL is a good example of an ISP that allows (allowed?) It
22:07 🔗 joepie91 it *
22:08 🔗 joepie91 (Dutch ISP)
22:08 🔗 DFJustin the major north american ones anyway
22:08 🔗 DFJustin over in socialist paradise it may be different :)
22:08 🔗 joepie91 >socialist paradise
22:08 🔗 BiggieJon ROFL
22:08 🔗 joepie91 I really do hope you're joking
22:08 🔗 joepie91 :|
22:09 🔗 BiggieJon functional healthcare, ISP's without restrictions, what next
22:09 🔗 joepie91 NL is neither socialist (other than theoretically) nor a paradise
22:09 🔗 DFJustin just talking from a us politics perspective :P
22:09 🔗 joepie91 DFJustin: even then
22:09 🔗 joepie91 then at least take Norway as an example
22:09 🔗 joepie91 NL basically has a clusterfuck right now - capitalist/liberal approach applied to a traditionally socialist society
22:09 🔗 DFJustin also joking as well
22:09 🔗 joepie91 it doesn't go well
22:11 🔗 BiggieJon someone let US republicans in ?
22:11 🔗 DFJustin a lot of euro countries seem to be electing (comparative) conservatives lately
22:13 🔗 phillipsj why are they called conservatives while bringing in radical right-wing policies?
22:13 🔗 BiggieJon good question
22:13 🔗 phillipsj They also somehow have a reputation for balancing the books (which they never do)
22:14 🔗 BiggieJon and reducing the size of government
22:16 🔗 BiggieJon the best we can hope for in the US is the tea part implodes before the next election and returns us to the regular right wing crazy
22:16 🔗 BiggieJon *tea party
22:16 🔗 phillipsj A third party just needs 34% of the vote ;)
23:42 🔗 swebb archive: Comcast - about 15 Mbit down, 2-3 Mbit up with the entry-level business level config
23:43 🔗 balrog no fibre available?
23:44 🔗 balrog arkhive: ^^
23:44 🔗 BiggieJon i have 30mb down/2mb up for $60/month
23:46 🔗 BiggieJon they offer up to 100 down/5 up for $125/mo
23:46 🔗 BiggieJon but that's about the fastest available in the area
23:48 🔗 BiggieJon balrog: wait you have FIOS, that's not fair
23:48 🔗 balrog yeah rockin' 50/25
23:49 🔗 BiggieJon I'm amazed I can get what I can where I live
23:49 🔗 BiggieJon i got cows in my back yard