Posts

Showing posts from November, 2010

CSRF mitigation: 4images Gallery's comprehensive approach

Once in a while, in my quest to break (and promote fixing of) every web application I encounter, I have email discussions with some excellent people who reach out to me after the initial advisory during a coordinated disclosure.
Such was the case with Kai S. of Dots United GmbH, the team who develops the 4images Gallery.
Just a day or two after he'd been contacted by Secunia, to whom I submit my vulnerability findings for disclosure coordination, I heard directly from Kai. He asked me to provide more detail with regard to the finding indicating that 4images Gallery accepted "HTTP requests without performing any validity checks to verify the request", better known as cross-site request forgery (CSRF).
After replying with my proof of concept and some resource material, Kai replied that he would "forward this to our developers so we can release a fixed version".
On October 27 Dots United released a fix for all versions up to and including 1.7.8.
On November 10, the 4ima…

toolsmith: Confessor & Mole for IR & security analysis

As November 2010's toolsmith kicks off the fifth year of the column for the ISSA Journal, I am proud to use it as an opportunity to announce the official release of Bryan Casper's Confessor and Kris Thomas' MOLE.
I discussed these tools at ISSA International in September and again at SecureWorld Expo Seattle, and after a slight delay to clarify licensing (they're released under the Microsoft Public License (Ms-PL)), both tools are available for you on CodePlex.
These tools were born of needing better utilities for incident response and security analysis in complex, massive cloud-like environments.
If you'd like a copy of the above-mentioned presentation, please contact me and I'll send it to you.

As described in the article, Bryan's Confessor answers the challenge of collecting system logs and attributes on hundreds or even thousands of systems at the same time, utilizing the same tools as MIR-ROR but deploying them in an enterprise-capable manner.
Note: Since…