Application Security Weekly for May 6

Good intro to fingerprinting web servers.  This has been codified in the past but the tools are all old.  Need to resurrect an open source project.

https://isc.sans.edu/forums/diary/Another+approach+to+webapplication+fingerprinting/23605/


I mentioned CVE-2018-2628 and my Nikto test for it in an earlier newsletter.  Well, apparently the patch doesn't work.  

https://securityaffairs.co/wordpress/71951/hacking/oracle-botches-cve-2018-2628-patch.html


Nice video of finding and exploiting another hole in the PDF format.  Apparently they are so common now we just livestream them.

https://www.youtube.com/watch?v=8VLNPIIgKbQ


I am fond of saying that the government can outlaw as much encryption as it wants: if the bad guys have two coins and a pencil, they can make as much unbreakable encryption as they want with a one-time pad. (Not my line, and I don't remember the source, sorry.) Here is another nice new pencil-and-paper cipher.

https://www.schneier.com/blog/archives/2018/05/lc4_another_pen.html


Finally.  PHP has a security flaw.  WHAT YEAR IS IT??

https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-php-could-allow-for-arbitrary-code-execution_2018-046/


And that's the news.

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
