Posted on January 8, 2009, 7:24 pm, by justin, under RequestPolicy.
I’ve spent the last few days adding support for more browsers to RequestPolicy. As of RequestPolicy 0.4.3, the following are now supported:
- Firefox 3+
- SeaMonkey 2.0 (tested on 2.0a2)
- Flock 2.0
- Fennec 1.0 (tested on 1.0a2)
- Songbird 1.0
Fennec took a bit of fiddling because it’s not well documented yet. However, the code is available and that helped. Here are some screenshots of the fruits of my Fennec labor. A quick look shows that RequestPolicy is the 12th extension to add support for Fennec (RequestPolicy is the most popular experimental one).
I had never actually gotten around to trying Flock before, and that was interesting. I definitely see its value to a large number of social network-using and mucho media-viewing users.
Posted on December 30, 2008, 8:45 pm, by justin, under RequestPolicy.
The Firefox extension I’ve been working on the past few months is now ready for general usage.
As I describe it on the requestpolicy.com website:
RequestPolicy is a Firefox extension that improves the privacy and security of your browsing by giving you control over when cross-site requests are allowed by webpages you visit.
The lack of user control over cross-site requests is a fundamental area that has been overlooked in browser security. We have great extensions like NoScript to give us control over the execution of scripts and objects in our browser, but cross site requests are still a major privacy and security problem that has been neglected. RequestPolicy provides a strong and secure default policy (blocking cross-site requests) and lets you whitelist cross-site requests as needed. As with extensions such as NoScript, within a week of using the extension, you won’t need to do much whitelisting.
The current version is 0.3.4. You can download it from requestpolicy.com or you can get it from the Mozilla addons site (addons.mozilla.org, a.k.a. AMO).
One of the more common but still widely forgotten security issues I see is that of forgetting to validate SSL certificates. I’m not talking about accepting certificate mismatches while browsing a mailing list archive. I’m talking about developers programming https communication.
What all developers need to keep in mind are two things:
1) SSL does very little good unless you are talking to who you think you are talking to.
2) The communication library you are using may not be validating SSL certificates.
Regarding #1: Why does SSL do little good without certificate validation? It’s because having an encrypted conversation with a man-in-the-middle is a FAIL. In that case, all you’re protecting against is someone snooping on the wire between you and the attacker you are having the SSL conversation with. In the day of BGP attacks and DNS cache poisoning, which I’m lumping together in the “MITM” category for these purposes, the MITM isn’t necessarily only a powerful entity like a government. These aren’t just theoretical risks.
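To make point #2 concrete, here is an added Python example (not code from the original post) that contrasts an SSL context which encrypts but validates nothing with one that checks the chain and the hostname, plus a small audit that refuses to send a request over the non-validating one. The function names and the `cafile` parameter are assumptions for this illustration.

```python
import ssl
import http.client


def insecure_context():
    """The weak setting: traffic is encrypted, but ANY certificate is accepted,
    so a man-in-the-middle presenting its own cert is never detected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(cafile=None):
    """The corrected setting: validate the chain against trusted CAs and
    require the certificate to match the host we intended to reach."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile is optional
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx):
    """Return the list of validation gaps in an SSLContext (empty means OK)."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("verify_mode is not CERT_REQUIRED: chain is not validated")
    if not ctx.check_hostname:
        problems.append("check_hostname is False: cert is not matched to the host")
    return problems


def https_get(host, path="/", ctx=None, timeout=10):
    """Fetch over HTTPS, refusing to proceed with a non-validating context."""
    ctx = ctx or verifying_context()
    gaps = audit_context(ctx)
    if gaps:
        raise ValueError("refusing insecure TLS context: " + "; ".join(gaps))
    conn = http.client.HTTPSConnection(host, context=ctx, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()
```

The same audit can be run against whatever context a third-party library hands you before trusting it with credentials.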
Advisory: AWBS magic_quotes_gpc “Off” SQL Injection and XSS Vulnerabilities
Release Date: 2007-06-10
Last Modified: 2007-07-26
Author: Justin Samuel [http://www.justinsamuel.com]
Application: AWBS < 2.6.0
Severity: Highly Critical
Impact: Disclosure of sensitive information; cross site scripting
Vendor Status: Vendor released version 2.6.0 to address issue. Testing still needed to verify that issue is corrected.
Vendor: Total Online Solutions, Inc.
App. Website: http://www.awbs.com/
References: http://www.justinsamuel.com/2007/06/10/awbs-magic_quotes_gpc-off-sql-injection-and-xss-vulnerabilities/
————————————————————————–
Description:
Advanced Webhost Billing System (AWBS) contains multiple SQL injection and XSS
vulnerabilities due to a lack of user input validation.
Advisory: AWBS Dedicated Server Info Visible to All Users
Release Date: 2007-06-10
Last Modified: 2007-07-26
Author: Justin Samuel [http://www.justinsamuel.com]
Application: AWBS < 2.6.0
Severity: Less Critical
Impact: Disclosure of sensitive information
Vendor Status: Vendor released version 2.6.0 to address issue. Testing still needed to verify that issue is corrected.
Vendor: Total Online Solutions, Inc.
App. Website: http://www.awbs.com/
References: http://www.justinsamuel.com/2007/06/10/awbs-dedicated-server-info-visible-to-all-users-vulnerability/
————————————————————————–
Description:
Advanced Webhost Billing System (AWBS) allows any user access to the details of
all dedicated servers sold through AWBS.
#################################################################
Vulnerability discovered by: Justin Samuel (www.justinsamuel.com)
Discovery Date: 2006-07-11
Severity: Less Critical
Impact: Exposure of sensitive information
Product: ModernBill
Affected Versions: 5.0.1
Vendor: ModernGigabyte, LLC (www.moderngigabyte.com)
Product Link: http://www.modernbill.com/
#################################################################
Posted on May 25, 2006, 8:45 pm, by justin, under PHP, RPMs.
php 5.1.4 rpms for rhel 4 have been added to the rpm downloads section. These are based off of the current fedora core 5 rpms with the following changes:
* removed posix functions [shared hosting security]
* removed pcntl functions [shared hosting security]
* added dummy domxml package [compatibility with other packages that depend on it, such as certain plesk 8 packages]
This build does have cgi compiled with fastcgi support.
Additionally, there is a corresponding php-apc 3.1.0 rpm available in the downloads section for this build of php.
I’ve added scponly rpms with chroot enabled for rhel4. Get the files here or by apt/yum. This is more useful in a shared hosting environment than the rpms found at DAG and elsewhere that don’t have chroot enabled.
To use this, for example on a plesk box to allow domains to use sftp without having to give them a chroot’ed bash shell, do the following:
Posted on March 15, 2006, 1:11 am, by justin, under PHP, RPMs.
I’ve added php-apc rpms for php 5.1.2 on rhel4, using the current stable release of APC (3.0.10). Get the files here or by apt/yum. Additional notes:
Posted on March 11, 2006, 11:35 pm, by justin, under HOWTOs, Linux.
The following commands are all you need to create a self-signed (wildcard, if you want) SSL certificate: