<=====================================8<=====================================>
Posted By: semik (trvale neschopen) on 'Koudink'
Date: Thu 5.6.2003 13:31.51
Title: DVD prehravac pro Windoze
Ahoj,
potrebuju poradit, znama by chtela prehravat pod Win2k DVD a ten system sam o
sobe prehravac neobsahuje.
Na tucows je toho hafo a opravdu se mi nechce vsechny zkouset, potreboval
bych ji jeden doporucit.
Chtel bych aby se to poradne umelo menu, a dalo se to odovladat jako stolni
prehravac. Nemusi se to ale snazit vypadat jako stolni prehravac. Bylo by fajn
kdyz by ten software byl zadarmo. Pripadne aspon shareware aby se to dalo
vyzkouset pred koupenim.
Diky
Semik
<=====================================8<=====================================>
Posted By: Covex (mi'lius) on 'Koudink'
Date: Thu 5.6.2003 17:50.16
Title: Re: DVD prehravac pro Windoze
Bohuzel me zdroje okolo win jsou minimalni, sveho casu vim, ze byl oblibeny
mircoDVD player. Jak je to dnes netusim.
Covex
<=====================================8<=====================================>
Posted By: pharook (dee do de de) on 'Koudink'
Date: Thu 5.6.2003 20:06.00
Title: Re: DVD prehravac pro Windoze
Bohuzel me zdroje okolo win jsou minimalni, sveho casu vim, ze byl oblibeny
mircoDVD player. Jak je to dnes netusim.
Covex
Esli mas na mysli MicroDVD, tak ten neprehrava DVD. Prehrava jenom
MPG/AVI/MP3, a termin "Micro DVD" pouziva pro bundle videosouboru, titulku,
zvukovych souboru a INIsouboru, ktery mu rekne, co s tim vsim ma delat.
Krom toho koukam na stranky, ze stare verze stahnout nejdou, a nove budou
komercni.
____________________________________________________________________pharook_
"Mesic je dulezitejsi nez Slunce", reklo dite. "Protoze sviti, kdyz je tma."
<=====================================8<=====================================>
Posted By: CrazyJoe (mudansha) on 'Koudink'
Date: Thu 5.6.2003 22:37.14
Title: Re: DVD prehravac pro Windoze
Neviem ako ostatni, ja uz vyse roka na WinME k plnej spokojnosti pouzivam
WinDVD4 od InterVideo
(http://www.intervideo.com/jsp/Product_Profile.jsp?p=WinDVD4). A mozno sa budu
niektori divit, ale za kodek som zaplatil :-)
(Ale az budem mat cas a naladu, tak si konecne pod Linuchom rozbeham DeCSS,
aby som nemusel kvoli filmom rebootovat :-)
Crazy.
Gijutsu yooi shinjutsu.
Duch je dolezitejsi nez technika.
<=====================================8<=====================================>
Posted By: pharook (dee do de de) on 'Koudink'
Date: Mon 9.6.2003 1:46.17
Title: (|/_) And God saw there were 0 errors
In the beginning there was the computer. And God said
c:\>Let there be light!
Enter user id.
c:\>God
Enter password.
c:\>Omniscient
Password incorrect. Try again.
c:\>Omnipotent
Password incorrect. Try again.
c:\>Technocrat
And God logged on at 12:01:00 AM, Sunday, March 1.
c:\>Let there be light!
Unrecognizable command. Try again.
c:\>Create light
Done
c:\>Run heaven and earth
And God created Day and Night. And God saw there were 0 errors.
And God logged off at 12:02:00 AM, Sunday, March 1.
And God logged on at 12:01:00 AM, Monday, March 2.
c:\>Let there be firmament in the midst of water and light
Unrecognizable command. Try again.
c:\>Create firmament
Done.
c:\>Run firmament
And God divided the waters. And God saw there were 0 errors.
And God logged off at 12:02:00 AM, Monday, March 2.
And God logged on at 12:01:00 AM, Tuesday, March 3.
c:\>Let the waters under heaven be gathered together unto one place
and let the dry land appear and
Too many characters in specification string. Try again.
c:\>Create dry_land
Done.
c:\>Run firmament
And God divided the waters. And God saw there were 0 errors.
And God logged off at 12:02:00 AM, Tuesday, March 3.
And God logged on at 12:01:00 AM, Wednesday, March 4.
c:\>Create lights in the firmament to divide the day from the night
Unspecified type. Try again.
c:\>Create sun_moon_stars
Done
c:\>Run sun_moon_stars
And God divided the waters. And God saw there were 0 errors.
And God logged off at 12:02:00 AM, Wednesday, March 4.
And God logged on at 12:01:00 AM, Thursday, March 5.
c:\>Create fish
Done
c:\>Create fowl
Done
c:\>Run fish, fowl
And God created the great sea monsters and every living creature
that creepeth wherewith the waters swarmed after its kind and every
winged fowl after its kind. And God saw there were 0 errors.
And God logged off at 12:02:00 AM, Thursday, March 5.
And God logged on at 12:01:00 AM, Friday, March 6.
c:\>Create cattle
Done
c:\>Create creepy_things
Done
c:\>Now let us make man in our image
Unspecified type. Try again.
c:\>Create man
Done
c:\>Be fruitful and multiply and replenish the earth and subdue it and
have dominion over the fish of the sea and over the fowl of the air and
over every living thing that creepeth upon the earth
Too many command operands. Try again.
c:\>Run multiplication
Execution terminated. 6 errors.
c:\>Insert breath
Done
c:\>Run multiplication
Execution terminated. 5 errors.
c:\>Move man to Garden of Eden
File Garden of Eden does not exist.
c:\>Create Garden.edn
Done
c:\>Move man to Garden.edn
Done
c:\>Run multiplication
Execution terminated. 4 errors.
c:\>Copy woman from man
Done
c:\>Run multiplication
Execution terminated. 2 errors.
c:\>Create desire
Done
c:\>Run multiplication
And God saw man and woman being fruitful and multiplying in Garden.edn
Warning: No time limit on this run. 1 errors.
c:\>Create freewill
Done
c:\>Run freewill
And God saw man and woman being fruitful and multiplying in Garden.edn
Warning: No time limit on this run. 1 errors.
c:\>Undo desire
Desire cannot be undone once freewill is created.
c:\>Destroy freewill
Freewill is an inaccessible file and cannot be destroyed.
Enter replacement, cancel, or ask for help.
c:\>Help
Desire cannot be undone once freewill is created.
Freewill is an inaccessible file and cannot be destroyed.
Enter replacement, cancel, or ask for help.
c:\>Create tree_of_knowledge
And God saw man and woman being fruitful and multiplying in
Garden.edn
Warning: No time limit on this run. 1 errors.
c:\>Create good, evil
Done
c:\>Activate evil
And God saw he had created shame.
Warning system error in sector E95. Man and woman not in Garden.edn. 1
errors.
c:\>Scan Garden.edn for man, woman
Search failed.
c:\>Delete shame
Shame cannot be deleted once evil has been activated.
c:\>Destroy freewill
Freewill is an inaccessible file and cannot be destroyed.
Enter replacement, cancel, or ask for help.
c:\>Stop
Unrecognizable command. Try again
c:\>Break
c:\>Break
c:\>Break
ATTENTION ALL USERS *** ATTENTION ALL USERS: COMPUTER GOING DOWN FOR
REGULAR DAY OF MAINTENANCE AND REST IN FIVE MINUTES. PLEASE LOG OFF.
c:\>Create new world
You have exceeded your allocated file space. You must destroy old files
before new ones can be created.
c:\>Destroy earth
Destroy earth: Please confirm.
c:\>Destroy earth confirmed
COMPUTER DOWN *** COMPUTER DOWN. SERVICES WILL RESUME SUNDAY, MARCH 8 AT
6:00 AM. YOU MUST SIGN OFF NOW.
And God logged off at 11:59:59 PM, Friday, March 6.
____________________________________________________________________pharook_
"Mesic je dulezitejsi nez Slunce", reklo dite. "Protoze sviti, kdyz je tma."
<=====================================8<=====================================>
Posted By: JiMo (... easy writer ...) on 'Koudink'
Date: Mon 9.6.2003 9:25.20
Title: Re: (|/_) And God saw there were 0 errors
c:\>Create firmament
Done.
c:\>Run firmament
And God divided the waters. And God saw there were 0 errors.
And God logged off at 12:02:00 AM, Monday, March 2.
And God logged on at 12:01:00 AM, Tuesday, March 3.
c:\>Let the waters under heaven be gathered together unto one place
and let the dry land appear and
Too many characters in specification string. Try again.
c:\>Create dry_land
Done.
c:\>Run firmament
And God divided the waters. And God saw there were 0 errors.
And God logged off at 12:02:00 AM, Tuesday, March 3.
And JiMo logged on at 8:24:00 AM, Monday, June 9.
And JiMo saw there was 1 error.
____________________________________________________________________pharook_
"Mesic je dulezitejsi nez Slunce", reklo dite. "Protoze sviti, kdyz je tma."
...ale jinak je to fakt... BOZ~I' :))))
JiMo:)
Definujte vesmir a reknete mi tri priklady.
<=====================================8<=====================================>
Posted By: JiMo (... easy writer ...) on 'Koudink'
Date: Sat 21.6.2003 3:35.38
Title: Overburn
Ahojte,
jake mate zkusenosti s preslehnutim kvoty na /dev/cdrom? ;)
Ja jsem si vzdycky myslel, ze se na CD o moc vic nevejde, zatim jsem se
odvazil vzdycky max. o dve mega, ted jsem mel proste fajl vetsi asi o 11Mb
a vesel se, dokonce jsem ho pak porovnaval s originalem a opravdu tam je,
cely, jak ma byt.
Takze jsem se chtel zeptat, jestli mate treba nejaky osobni rekord a pak taky,
jake jsou zkusenosti se ctenim jinde. Pochybuju, ze by se mohla poskodit
vypalovacka, jak vsude varuji, protoze pokud to umoznuje, snad je na to i
stavena. No, i kdyz... :)
Takze - co vy a overburn?
JiMo:)
Nedostanu-li urychlene dotaci na novou mriz,
budu nucen preriznout starou.
<=====================================8<=====================================>
Posted By: pharook (dee do de de) on 'Koudink'
Date: Sat 21.6.2003 15:12.25
Title: OSI Position Paper on the SCO-vs.-IBM Complaint
Muzete me kamenovat, ze to taham i sem :), ale leckde se objevuji ruzne
komentare, od zasvecenych po kristalokoulove, a tohle by mohlo trochu
zapadnout...
Open Source Initiative v cele s Ericem S. Raymondem a na zaklade
reakci ("patchu" :) ) mnoha dalsich prispevatelu sepsali rozsahlou reakci na
zalobu SCO versus IBM. Kdo zna ESR, mohl by cekat pomerne zaujatou filipiku,
ale mira zaujatosti je dle meho nazoru proti poctu konstruktivnich a strizlive
zhodnocenych argumentu (vcetne mnoha odkazu na skutecne dokumenty a diskuse)
velmi nizka.
http://www.opensource.org/sco-vs-ibm.html
____________________________________________________________________pharook_
"Mesic je dulezitejsi nez Slunce", reklo dite. "Protoze sviti, kdyz je tma."
<=====================================8<=====================================>
Posted By: semik (trvale neschopen) on 'Koudink'
Date: Sat 21.6.2003 21:22.10
Title: ISDN a cause E001B
Hezky vecer preji,
uz treti vecer bojuji s ISDN na Linuxu a zatim neprilis uspesne, jedinym
mym uspechem byl insertnuti modulu do kernelu po urpotnem boji o IRQ.
Mam euroISDN2plus (adapter NT1+2a/b), ISDN karta v pocitaci je
TELES.S0/16.3c PNP. Pomoci isapnp byla nakonfigurovana takto:
| (CONFIGURE TAG2620/393938879 (LD 0
| (IO 0 (SIZE 2) (BASE 0x0100) (CHECK))
| (INT 0 (IRQ 3 (MODE +E)))
| (NAME "TAG2620/393938879[0]{TELES.S0/16.3c Plug&Play}")
| (ACT Y)
| ))
po vlozeni modulu HiSax
| modprobe hisax type=14 irq=3 io=0x100
kernel prohlasi
| Jun 21 20:28:49 defiant kernel: HiSax: Version 3.5 (module)
| Jun 21 20:28:49 defiant kernel: HiSax: Layer1 Revision 1.1.4.1
| Jun 21 20:28:49 defiant kernel: HiSax: Layer2 Revision 1.1.4.1
| Jun 21 20:28:49 defiant kernel: HiSax: TeiMgr Revision 1.1.4.1
| Jun 21 20:28:49 defiant kernel: HiSax: Layer3 Revision 1.1.4.1
| Jun 21 20:28:49 defiant kernel: HiSax: LinkLayer Revision 1.1.4.1
| Jun 21 20:28:49 defiant kernel: HiSax: Warning - no protocol specified
| Jun 21 20:28:49 defiant kernel: HiSax: using protocol EURO
| Jun 21 20:28:49 defiant kernel: HiSax: Total 1 card defined
| Jun 21 20:28:49 defiant kernel: HiSax: Card 1 Protocol EDSS1 Id=HiSax (0)
| Jun 21 20:28:49 defiant kernel: HiSax: HFC-S driver Rev. 1.1.4.1
| Jun 21 20:28:49 defiant kernel: HFCS: defined at 0x100 IRQ 3 HZ 100
| Jun 21 20:28:49 defiant kernel: HFCS: resetting card
| Jun 21 20:28:49 defiant kernel: Teles 16.3c: IRQ 3 count 0
| Jun 21 20:28:49 defiant kernel: Teles 16.3c: IRQ 3 count 1
| Jun 21 20:28:49 defiant kernel: HiSax: DSS1 Rev. 1.1.4.1
| Jun 21 20:28:49 defiant kernel: HiSax: 2 channels added
| Jun 21 20:28:49 defiant kernel: HiSax: MAX_WAITING_CALLS added
A timhle konci uspechy ... Zkousim se spojovat pomoci minicom-u
komunikujicim pres /dev/ttyI0:
| ATZ
| OK
| AT&E312661xxx
| OK
| ATD602346xxx
| BUSY
| ATI2
| Linux ISDN
| Statistics of last connection:
|
| Remote Number: 602346745
| Direction: outgoing
| Layer-2 Protocol: X.75i
| Service: 0
| Hangup location: local
| Last cause: E001B
|
| OK
Kernel moje snazeni ocenuje hlaskou:
| Jun 21 20:29:27 defiant kernel: isdn: HiSax,ch0 cause: E001B
Debug hlasky z /dev/isdnctrl vypadaji takto:
| 23:31.29 LOCK modcnt 2
| 23:31.29 debugging flags card 1 set to ffff
| 23:31.29 UNLOCK modcnt 1
| 23:35.66 LOCK modcnt 2
| 24:30.38 Ch0 LL->HL SETL2 card 1 0
| 24:30.38 Ch0 LL->HL SETL3 card 1 0
| 24:30.38 Ch0 LL->HL DIAL 312661xxx -> 602346xxx (7,0)
| 24:30.38 Ch0 callc State ST_NULL Event EV_DIAL
| 24:30.38 Ch0 callc ChangeState ST_OUT_DIAL
| 24:30.38 L3DC State ST_L3_LC_REL Event EV_ESTABLISH_REQ
| 24:30.38 L3DC ChangeState ST_L3_LC_ESTAB_WAIT
| 24:30.38 Card1 PH_ACTIVATE_REQ ST_L1_F3
| 24:30.38 Card1 State ST_L1_F3 Event EV_PH_ACTIVATE
| 24:30.38 Card1 State ST_L1_F3 Event EV_POWER_UP
| 24:30.38 Card1 ChangeState ST_L1_F4
| 24:34.38 L3DC State ST_L3_LC_ESTAB_WAIT Event EV_ESTABLISH_REQ noroutine
| 24:37.38 Card1 State ST_L1_F4 Event EV_TIMER3
| 24:37.38 DCh Q.921 State ST_L2_1 Event EV_L1_DEACTIVATE
| 24:37.38 L3DC State ST_L3_LC_ESTAB_WAIT Event EV_RELEASE_IND
| 24:37.38 L3DC ChangeState ST_L3_LC_REL
| 24:37.38 Ch0 callc State ST_OUT_DIAL Event EV_RELEASE
| 24:37.38 Ch0 HL->LL STAT_DHUP
| 24:37.38 Ch0 callc ChangeState ST_NULL
| 24:37.38 L3DC State ST_L3_LC_REL Event EV_RELEASE_REQ no routine
| 24:37.38 Card1 ChangeState ST_L1_F3
Ona cause znamena:
| semik@defiant:~$ isdncause E001B
| Location: Message generated by user.
| Cause: Destination out of order.
| This code usually indicates a hardware conflict or a cable problem.
Nevim co by mel znamenat onen hw cnfl. nepodarilo se mi najit dalsi
informace. Kabel je ctyrzilovy, vsechny vedou. Zkousel jsem ho v obou
portech toho adapteru s tim samym vysledkem. Nemam k dispozici zadny ISDN
telefon abych mohl vyzkouset ten kabel a ty porty ... ale snad jsou v
poradku.
Uvizl jsem na mrtvem bode a nevim jak dal pokracovat, takze bych ocelnil
nejake napady ... zkusenosti atp. Pokusim se sehnat si ISDN telefon abych
mohl vyzkouset jestli neni problem v tom ISDN adapteru, ale vzhledem k
tomu, ze analogove porty funguji, tak nejspis zjistim ze ty digitalni
fuguji take spravne.
Jeste ze mam ty analogove porty :(
Diky za kazdy tip
Semik
<=====================================8<=====================================>
Posted By: Libb (Libb) on 'Koudink'
Date: Mon 23.6.2003 7:45.53
Title: Re: Overburn
No muj rekord je 90 minut (na 90 minutove CD, ale to je taky overburning :-))
Ahojte,
jake mate zkusenosti s preslehnutim kvoty na /dev/cdrom? ;)
Ja jsem si vzdycky myslel, ze se na CD o moc vic nevejde, zatim jsem se
odvazil vzdycky max. o dve mega, ted jsem mel proste fajl vetsi asi o 11Mb
a vesel se, dokonce jsem ho pak porovnaval s originalem a opravdu tam je,
cely, jak ma byt.
jenze jak vis, ktery soubor se umistil na fyzicky konec toho media?
Takze jsem se chtel zeptat, jestli mate treba nejaky osobni rekord a pak
taky,
jake jsou zkusenosti se ctenim jinde. Pochybuju, ze by se mohla poskodit
vypalovacka, jak vsude varuji, protoze pokud to umoznuje, snad je na to i
stavena. No, i kdyz... :)
mohla, protoze se muze stat, ze laser s plnym vykonem prejede konec CD a vpali
ti to dovnitr mechaniky a neco by to mohlo sejmout. Ale pisou to spis jako
prevenci pred zalobami...
Takze - co vy a overburn?
JiMo:)
Nedostanu-li urychlene dotaci na novou mriz,
budu nucen preriznout starou.
Libb
<=====================================8<=====================================>
Posted By: pharook (dee do de de) on 'Koudink'
Date: Mon 23.6.2003 15:00.06
Title: Kontrolujme, kontrolujme, validujme, auditujme...
Je zajimave si uvedomit, s cim vsim se programator musi potykat. :)
-ph-
From: Steven M. Christey <coley@linus.mitre.org>
To: secprog@securityfocus.com
Subject: A "straw man" vulnerability auditing checklist
Date: Wed, 4 Dec 2002 19:47:51 -0500 (EST)
Dana Epp asked:
Would anyone like to share the sort of materials that resulted from
education in their workplace? Anyone interested in sharing generic
security tests they may have developed? Guidelines for code audits and
reviews (past Fagan-style type inspection)?
Most of my past code audits have been impromptu or accidental, or
focused on specific issues. However, I recently started some auditing
that required a more comprehensive approach. I created a checklist of
various vulnerability types, partially as a tie-in to my other work.
The checklist helped me, but it also quickly became daunting with all
the different problems I had to track!
Since I have not seen any explicit checklists such as this, I figured
I'd toss it out and let the moderator decide if it's useful or not ;-)
This list is quite incomplete, as reflected in the version number and
disclaimer. I am well aware that this is not academic-caliber,
validated, peer-reviewed, reference-checking work; it's a small side
project that is somewhat outside the scope of my daily work. But
hopefully some people will find it informative.
- Steve
================================================================
Vulnerability Auditing Checklist
================================================================
Version: 0.0000001
Disclaimer: This is a DRAFT document. The list of categories is
incomplete. In addition, some categories overlap, and some terms are
wholly invented or ill-defined. It has not been compared with other
sources. This document is being publicly posted to facilitate
discussion of code review/testing procedures.
General Unexpected or Malformed Input Problems
----------------------------------------------
1. Buffer Overflows
1a. Boundary end violation ("classic overflow")
1b. Boundary beginning violation
1c. Array index modification
1d. Length parameter manipulation
1e. Off-by-one
1f. Other length calculation error
2. Format strings
3. Syntax/grammar violation
3a. "Empty" or blank input
3b. Missing argument
3c. Extra argument
3d. Repeated argument
3e. Missing/repeated/extra separator or delimiter
3f. Wrong data type
3g. Incomplete input
3h. Missing/misplaced special characters (delimiters/etc.)
3i. Unknown/unrecognizable argument/command/whatever
4. Special character mismanagement
4a. Shell metacharacters
4b. Delimiter between fields
4c. Delimiter between values
4d. Delimiter between records
4e. CRLF attacks (line delimiter)
4f. Section delimiter (e.g. CRLF between MIME headers and content)
4g. End-of-input delimiter (e.g. "." in mail message data)
4h. Input terminator
4i. Quoting character
4j. Escape/meta/control character
4k. General separator char
4l. Comment char
4m. Macro symbol or other char for substitution
4n. Variable name leader/terminator (e.g. "$" for env. variable)
4o. Wildcard or "completion" character
5. Dependent Field/Value Inconsistency (e.g.: a "length" field for a
buffer does not reflect the actual length of the buffer; or, two
fields have values that do not make sense when combined)
6. Null dereference
File/Directory Processing
-------------------------
7. Directory traversal
7a. ../filename
7b. /../filename
7c. /absolute/pathname/here
7d. /directory/../filename
7e. directory/../../filename
7f. ..\filename
7g. \..\filename
7h. \absolute\pathname\here
7i. \directory\..\filename
7j. directory\..\..\filename
7k. C:driveletter
7l. ...
7m. ....
7n. \\UNC\share\name\here
8. Link Following
8a. UNIX symbolic link following
8b. UNIX hard link
8c. Windows .LNK
8d. Windows hard link
9. Windows 8.3 filenames
10. "Virtual" files
10a. Windows MS-DOS device names
10b. Windows ::DATA alternate data stream
10c. Apple ".DS_Store"
Process/Command Execution
-------------------------
11. Shell metacharacters
12. Malicious search path execution (search path can be modified by
untrusted user to point to malicious program, e.g. UNIX PATH
environment variable)
13. Program/command argument modification
Canonicalization Errors
-----------------------
14. Encodings
14a. URL encoding
14b. Unicode
15. Multiple separators or other characters
16. Case sensitivity
17. Validate-Before-Canonicalize (a program "validates" data before it
is canonicalized)
18. Validate-Before-Cleanse (program "validates" data before it has
been cleansed)
Leaks
-----
19. Information Leak
19a. Sensitive memory not cleared after use
19b. Sensitive memory not cleared due to compiler removal
19c. Command-line arguments visible to other processes
19d. Environment variables visible to other processes
19e. State information leak due to inconsistent results (e.g. user
name enumeration: valid username/wrong pass generates
"incorrect password," but invalid username generates "incorrect
user")
19f. State information leak due to timing differences (e.g. a
"successful" operation takes more time than an unsuccessful
one)
19g. Incomplete removal of temporary resources (e.g. files)
19h. Application-controlled diagnostic or error messages
19i. Uncontrolled, external diagnostic or error messages (e.g. the
programming language leaks information on an error that happens
in the application)
19j. Design-intended or configuration-intended leak (information is
intended for publication, but sensitive)
20. Resource leaks
20a. UNIX file descriptor leak
Multiple Operation/Action Errors
--------------------------------
21. Duplicate operation
21a. Double-free
21b. Double-encoding / double-decoding
22. Improper handler deployment (dispatch error)
23. Inability to handle out-of-order actions (state machine
violations)
24. Race Condition (non-file link)
24a. Signal handler race condition
24b. Other TOCTOU
25. Deadlock
Configuration Errors
--------------------
26. Permissions, ACLs, and ownership
26a. Bad default or inherited permissions (read, write, execute)
26b. Bad program-assigned permissions (read, write, execute)
26c. Ownership of critical resource not verified
27. Default configuration enables insecure feature
27a. Default password
27b. Default, non-essential service or component
27c. Network-based admin capability accessible to arbitrary hosts
Error Condition Identification/Management Errors
------------------------------------------------
28. Handler dispatch error
28a. Improper handler deployment (the wrong "handler" is assigned
to process an input, e.g. calling a servlet to reveal source
code of a .JSP file, or automatically "determines" type even
if contradictory to an explicitly specified type)
28b. Missing handler (handler not available or implemented)
28c. Dangerous handler not cleared/disabled during sensitive
operations
29. Insufficient logging of security-critical events
30. Incomplete error detection (product does not properly detect or
check for security-critical error conditions)
GUI Errors
----------
31. Insufficient user warning of "unsafe" actions
32. Interface inconsistency (the user interface, API, or GUI behaves
inconsistently with what operations are actually performed on the
system, e.g. checking a security option does nothing, or user
tells interface "restrict ALL" and it says "restrict SOME")
Product Management Errors
-------------------------
33. Design limitations
33a. Incomplete specification
33b. Vague specification
33c. Support (or lack of support) for security-relevant options
34. Distribution Error
34a. Debugging code not omitted from production version
35. Patch Error
35a. Regression error - introduces old vulnerability
35b. Incomplete vulnerability fix
36. Documentation Error
36a. Omission of security-critical information
36b. Error/typo causes user to introduce a vulnerability or risk
37. Developer-introduced back door / Trojan Horse
38. Port Error
A product is ported to a different environment (e.g. OS) and does
not consider differences with the original environment - sometimes
introducing vulnerabilities specific to the new environment
39. Interaction Error
Two independent products work correctly and according to
specification, but interact in ways that cause problems.
Technology-Specific Problems
----------------------------
This is probably missing a number of issues in web technologies.
40. Cross-site scripting (XSS)
41. Form field / parameter tampering
42. SQL injection
43. PHP-specific issues (PHP has "special" features without
equivalents in other languages)
43a. PHP remote file inclusion/execution
43b. PHP untrusted external initialization of critical variables
44. Perl null character injection (technically an interaction
vulnerability, but important to mention specifically)
Other Errors
------------
45. Initialization Error
45a. Insecure default initialization (e.g. variables or
permissions)
45b. Untrusted/externally controlled initialization of trusted
variables or values
45c. Non-exit on failed initialization affecting security-critical
resource (e.g. configuration file format error)
46. Resource exhaustion (memory, application-specific objects, general
objects)
46a. Memory leak
46b. Other incomplete resource release (resource is not "released"
for re-use or deletion, often as a result of an unusual
error)
46c. Asymmetric resource consumption ("untrusted" process can make
"trusted process" consume more resources than it really needs
to)
47. Numeric conversion errors
47a. Integer Signedness Error
47b. Integer overflow / underflow (value "resets" to maximum or
minimum, often through incrementing values)
48. Authentication Error
49. Unnecesarily large privilege window (app runs at higher privileges
longer than it "has to")
50. Capability operating at higher privilege than necessary without
authentication
51. Infinite loop
52. Incomplete/missing security check for standardized
algorithm/technique [e.g. the "Basic Constraints" browser cert
issues]
53. Cryptographic error
53a. Stores sensitive data in plaintext (passwords, credit cards,
etc.)
53b. Does not use peer-reviewed cryptographic algorithms
53c. Does not perform all required cryptographic steps
54. Insufficient Randomness
54a. Predictable system state (time, process ID, etc.)
54b. Insufficiently large space of random values
54c. Use of "known weak" randomness algorithms
55. Miscellaneous remote code injection (inputs are fed directly into
an interpreted language which is dynamically evaluated; other
"classes" such as SQL injection are covered elsewhere)
<=====================================8<=====================================>
Posted By: pharook (dee do de de) on 'Koudink'
Date: Fri 27.6.2003 11:34.04
Title: Prekodovani jmen souboru
Ahoj,
mohlo by se hodit nekterym cerstve UTF-8 pozitivnim, pripadne (po uprave
parametru iconv) lidem, kteri prenaseji cesky pojmenovane soubory z woken na
unix a zpatky. U me to byl ten prvni pripad, na ext2ce jsem mel spoustu veci,
pojmenovanych v 8859-2.
Pro jistotu si poradi si i se jmeny souboru, ktere obsahuji podivuhodne
znaky, jako treba Enter.
Pokud v tom vidite nejaky problem, komentare vitany. :)
Po spusteni jen zobrazi, co bude delat a pro ktere soubory, snazivej bude
teprve s parametrem 'really'. Dela to pouze na aktualni adresar, ne
podadresare, na to nemam dostatecne otrlou povahu. :)
#!/bin/sh
find . -mindepth 1 -maxdepth 1 -print0 |\
while read -ed $'\000' LN; do
NEW=`echo "$LN" | iconv -f ISO-8859-2 -t UTF-8`
if [ "$LN" != "$NEW" ]; then
echo "$LN" "->" "$NEW"
[ "$1" = "really" ] && mv "$LN" "$NEW"
fi
done
____________________________________________________________________pharook_
"Mesic je dulezitejsi nez Slunce", reklo dite. "Protoze sviti, kdyz je tma."
<=====================================8<=====================================>
Posted By: Covex (mi'lius) on 'Koudink'
Date: Mon 30.6.2003 10:43.45
Title: Re: Prekodovani jmen souboru
Ahoj,
mohlo by se hodit nekterym cerstve UTF-8 pozitivnim, pripadne (po uprave
parametru iconv) lidem, kteri prenaseji cesky pojmenovane soubory z woken na
unix a zpatky. U me to byl ten prvni pripad, na ext2ce jsem mel spoustu
veci,
pojmenovanych v 8859-2.
Jen dodam ze jsem nedavno objevil ameriku:
nastaveni spravne cestiny pri mountovani vfat
/dev/hda2 /mnt/C vfat
users,rw,auto,umask=07,showexec,codepage=852,iocharset=iso8859-2
(nebo utf8) 0 0
Tim je vystarano co se woknoidnich partiton tyce.
Covex
|
