FW: [PHP] Re: Please hack my app
- From: jordan@xxxxxxxxxxxx ("Jordan Forssman")
- Date: Tue, 28 Nov 2006 14:19:30 +0800
Hi,
My name is Jordan Forssman, I am representing a company called Armorize
Technologies. We have developed a source code analysis platform for PHP,
called CodeSecure, which scans source code for SQL injection, cross-site
scripting, command injection, etc. vulnerabilities. The tool will tell you
exactly which line the vulnerability is on, explain the propagation of
the tainted variables, and assist you in fixing the bug. I believe this
tool will help you verify the security of your application and will be
able to do so very quickly. At the moment we are scanning around 20 000
lines in under 5 minutes, or 1M in about 2 minutes, depending on the
application.
Currently we are accepting applications for trial accounts, if you would
like to use our tool to scan your code please log on to
http://www.armorize.com/events/trialapplication and submit the form.
We are just starting our sales and marketing effort so I hope you can
use our product and give us some feedback.
If you want to know more about our company and product you can find us
at: www.armorize.com , download our datasheets and whitepapers at
www.armorize.com/resources/download .
The trial is free and can be accessed over the Web, we are using the
trials as a test case for offering the product as a service and also to
promote the product. Once I receive your application I will send you an
e-mail with a quickstart guide and login details.
If you have any questions, please feel free to contact me anytime.
Best Regards,
Jordan Forssman
Sales Manager
Armorize Technologies
Tel. +886-2-6616-0100 ext. 201
Cell. +886-938-100-214
Fax. +886-2-6616-1100
Skype: jordan4z
jordan@xxxxxxxxxxxx
jordan4z@xxxxxxxxxxx
-----Original Message-----
From: Ivo F.A.C. Fokkema [mailto:I.F.A.C. Fokkema@xxxxxxx]
Sent: Monday, November 27, 2006 6:01 PM
To: php-general@xxxxxxxxxxxxx
Subject: [PHP] Re: Please hack my app
On Wed, 22 Nov 2006 09:57:50 +0100, Ivo F.A.C. Fokkema wrote:
Hi List,

As this subject may start you wondering what the hell I'm thinking, let me clarify:

I've been rewriting a GPL'ed PHP/MySQL app from scratch for the last 12 months or so. It facilitates storage of DNA mutations and their corresponding patient data. Because patient data is involved, privacy is very important.

Now of course I read lots of pages on SQL injection and whatnot, and I strongly believe my application is protected from this kind of abuse. However, believing is not enough. I've had some comments in the past about security (previous version of the software) and although I didn't agree with the criticism, I want to be able to say the new app went through various forms of attacks. This month, I want to release 2.0-alpha-01...

*** THIS IS NOT ABOUT HACKING THE SERVER ***
But about getting into the application when you're not allowed to!

If you feel like helping me out, it's located at
http://chromium.liacs.nl/LOVDv.2.0-dev/

1) Please try to get in. There's one account in the system, a database administrator, capable of doing anything. If you get in, you can easily create a new user using the setup tab. This will be the proof of you breaking my security rules.

2) Can you manage to view non-public data? Using the Variants tab, you can see there is currently one entry in the database (with two mutations). This entry has a hidden column, called 'Patient ID'. There is a text string in that column. If you can tell me what that string is, you win :)

3) Feel free to register as a submitter to see if that gives you any new rights that you shouldn't have. A submitter is only capable of adding data to the database (Submit tab), but that data will not be published immediately.

4) After a while, I will release login details of a curator account. This user is allowed to see non-public data and handle the specific gene, but NOT create new users or the like.

If you have any questions, please ask. Thank you in advance for using your expertise for the good cause :)
In case anyone is interested: I've created a low-level user ('untrusted') in the system. Password is equal to username. Feel free to try and do stuff you're not supposed to, like creating a new user or creating a gene.
Ivo
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
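An added example, not code from LOVD or from Armorize, of the two things the message above asks testers to try against a PHP/MySQL application: an authentication bypass through SQL injection in a login query, placed beside the parameterized form that resists it, and a server-side role check for the "create a new user" action that does not rely on which tab the client was shown. The users table, the numeric permission levels, the function names and the sample accounts are assumptions constructed for illustration; the 'untrusted' account with password equal to username mirrors the one described in the thread. It runs against an in-memory SQLite database through PDO, so it needs no MySQL server.

```php
<?php
// Added example, not part of LOVD or CodeSecure. Everything below is constructed:
// the schema, the level numbers and the two accounts. Passwords are stored in
// plaintext only to keep the demonstration short; a real application hashes them.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, level INTEGER)");
// Hypothetical levels: 1 = submitter, 5 = curator, 9 = database administrator.
$db->exec("INSERT INTO users VALUES ('admin', 'not-the-real-one', 9)");
$db->exec("INSERT INTO users VALUES ('untrusted', 'untrusted', 1)");

// Vulnerable: user-controlled strings are interpolated straight into the SQL text,
// so the password field can rewrite the WHERE clause.
function loginVulnerable(PDO $db, string $user, string $pass): ?array
{
    $sql = "SELECT username, level FROM users "
         . "WHERE username = '$user' AND password = '$pass'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened: a prepared statement sends the query structure and the values
// separately; the same payload is compared as a literal password and fails.
function loginSafe(PDO $db, string $user, string $pass): ?array
{
    $stmt = $db->prepare("SELECT username, level FROM users "
                       . "WHERE username = ? AND password = ?");
    $stmt->execute([$user, $pass]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Authorization is decided server-side from the session on every privileged
// request. Hiding the Setup tab from submitters in the HTML is not a control.
function canCreateUser(?array $session): bool
{
    return $session !== null && (int)($session['level'] ?? 0) >= 9;
}

// Classic tautology: closes the password literal and appends OR '1'='1',
// which makes the WHERE clause true for every row.
$payload = "' OR '1'='1";

$bypass = loginVulnerable($db, 'admin', $payload);
$safe   = loginSafe($db, 'admin', $payload);
$low    = loginSafe($db, 'untrusted', 'untrusted');

printf("vulnerable login with payload: %s\n",
    $bypass ? "logged in as {$bypass['username']} (level {$bypass['level']})" : 'rejected');
printf("prepared-statement login with payload: %s\n", $safe ? 'logged in' : 'rejected');
printf("can 'untrusted' create users? %s\n", canCreateUser($low) ? 'yes' : 'no');
```

Run it with `php example.php` (the pdo_sqlite extension must be enabled). The first line reports a login as admin without the password, the second reports a rejection, and the third reports that the submitter-level account is refused the user-creation action even though it authenticated correctly. The same tautology can be tried in the username field, and the comparison between the two login functions is the check a reviewer wants to see in every place the application builds SQL from request data.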