savannah-hackers
[Savannah-hackers] account at savannah.gnu.org and auditing the savannah


From: Lorenzo Hernandez Garcia-Hierro
Subject: [Savannah-hackers] account at savannah.gnu.org and auditing the savannah code
Date: Sun, 28 Mar 2004 01:21:30 +0100

Hi,
Finally I got my account working at savannah.gnu.org.
Another important thing:
I am auditing the source code of savannah (I got it by CVS and it is so
buggy) and I discovered a big couple of vulnerabilities resulting from
incorrect variable handling that can lead, for example, to remote command
execution (using a virtual shell provided by PHP commands and using the
web server user rights).
I am preparing an audit paper (currently I have written a lot but it is not
finished).
I am sending this message to savannah hackers too.
If help is needed (in savannah) I can work on it, patching and
recoding some parts.
I think we must recode savannah in order to stop using global/super global
variables.

Best regards.
PS: in advance, I like the use of m_srand in the password salt so much }:-)
--------------------------------------
Lorenzo Hernandez Garcia-Hierro
<-><->-<-><-><-><-><-><-><-><->
PGP: Keyfingerprint:
4ACC D892 05F9 74F1 F453  7D62 6B4E B53E 9180 5F5B
ID: 0x91805F5B
http://www.tuxedo-es.org
______________________________________






