-
For vulnerabilities in programs there is only one place worth looking:
SecurityFocus's vulnerability database
Have a look there for the programs you are using. As it feeds from the bugtraq mailing list, it is about as up to date as you are going to get.
As for updates etc., you should always get them. Mainly, when you find a vulnerability in a program you tell the vendor; when they have fixed it and made a patch, then you post to bugtraq (it doesn't always happen like that, but most times). So the patch solves the problem before the rest of the world and every script kiddie finds out.
SittingDuck
-
Thank you SittingDuck for all of your help.
I have used SecurityFocus a few times but will try to be a more frequent visitor :). I did not know that the information is gathered from bugtraq; in fact I don't know much about bugtraq, so I will have to research it this weekend. I did a search for my sew server in SecurityFocus; there were exploits found for previous versions, but the latest version has yet to be exploited. I am trying to exploit it myself.
The guestbook is now complete. I decided to scrap the JavaScript form validator since that can be bypassed, and set up a new validator with PHP. It checks for too many characters entered, the format of the data such as valid names, emails and home sites, and strips any HTML, JavaScript and SSI from all fields. I have verified it is all working by purposely filling in invalid information in the fields, and am now confident that it can't be exploited. I also changed the file extension from php to a not obvious extension for the PHP MIME type to make those script kiddies dance in their seats.
I downloaded N-Stealth 3.5 build 63 and scanned with the complete scan. 4 possible bugs were found, all of which I have verified are not exploitable on my server: mainly test.cgi, which I made myself (it was not included with the server); guestbook.html, which I determined can't be exploited; and backup.shtml, which was found, but since my server does not support SSI it can't be exploited. But I am very pleased with the N-Stealth vulnerability scanner; I tried a few others, including one for CGI.
I would like to say thank you so much for all of your help and guidance in creating my guestbook and securing my server.
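As an added illustration of the server-side validator the post above describes (this is example code written for this thread, not the poster's guestbook code), here is a PHP validator that enforces length limits, checks the format of the name, email and home site, and strips HTML tags and HTML comments (the form SSI directives take) from every field. Field names, the length limits and the sample submissions are assumptions constructed for the example. It also escapes the stored value on output, since stripping on input alone does not make a stored entry safe to display.

```php
<?php
// Added example, not the poster's code: a server-side guestbook validator of
// the kind the post describes. Field names and length limits are assumptions.

const MAX_LEN = ['name' => 40, 'email' => 100, 'site' => 200, 'message' => 1000];

/**
 * Validate one submitted guestbook entry.
 * Returns ['ok' => bool, 'errors' => string[], 'clean' => array].
 */
function validate_guestbook(array $post): array
{
    $errors = [];
    $clean  = [];

    foreach (MAX_LEN as $field => $max) {
        $value = isset($post[$field]) ? trim((string) $post[$field]) : '';
        // Length check on the raw input, before any stripping.
        if (strlen($value) > $max) {
            $errors[] = "$field exceeds $max characters";
        }
        // Strip HTML/JavaScript tags and HTML comments (which is how SSI
        // directives such as <!--#echo ... --> are written) from every field.
        $clean[$field] = strip_tags($value);
    }

    // Name: letters, spaces, apostrophes, hyphens and dots only.
    if ($clean['name'] === '' || !preg_match("/^[\\p{L} .'-]+$/u", $clean['name'])) {
        $errors[] = 'name is missing or contains disallowed characters';
    }

    // Email: let PHP's built-in filter do the syntax check.
    if (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }

    // Home site: optional, but if present it must be an http(s) URL.
    if ($clean['site'] !== '') {
        $url    = filter_var($clean['site'], FILTER_VALIDATE_URL);
        $scheme = $url === false ? '' : strtolower((string) parse_url($url, PHP_URL_SCHEME));
        if ($url === false || !in_array($scheme, ['http', 'https'], true)) {
            $errors[] = 'site must be an http or https URL';
        }
    }

    if ($clean['message'] === '') {
        $errors[] = 'message is empty after stripping tags';
    }

    return ['ok' => $errors === [], 'errors' => $errors, 'clean' => $clean];
}

/** Escape a stored value for display so anything that slipped through stays inert. */
function render_field(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample submissions (not real guestbook data).
$good = [
    'name'    => "Mary O'Neil",
    'email'   => 'mary@example.com',
    'site'    => 'https://example.com',
    'message' => 'Nice site!',
];
$bad = [
    'name'    => '<b></b>',
    'email'   => 'not-an-email',
    'site'    => 'javascript:void(0)',
    'message' => '<!--#echo var="DATE_LOCAL" --><script>alert(1)</script>hi',
];

foreach ([$good, $bad] as $entry) {
    $r = validate_guestbook($entry);
    echo $r['ok']
        ? 'accepted: ' . render_field($r['clean']['message']) . "\n"
        : 'rejected: ' . implode('; ', $r['errors']) . "\n";
}
```

The first sample is accepted; the second is rejected for its empty name, malformed email and non-http site, and its message comes out of `strip_tags` as plain text with the comment and script tag removed. The length check runs on the raw input so an over-long field is rejected even if stripping would have shortened it, and `render_field` is what the display page should call, because `strip_tags` is an input cleanup rather than an output encoding.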
-
You're welcome.
I'm yet to use N-Stealth; does it do the same job as whisker, i.e. look for default files with vulnerabilities in them?
I would be very interested to see what you have done. Any chance you could PM me the URL?
SittingDuck
-
The URL is http://www.nstalker.com/ to download a trial version of N-Stealth, but you can't update the database without the full version as far as I understand. Figured I would post it here too in case anyone else was interested in trying N-Stealth.