Search found 147 matches

by Kellanved
Thu May 01, 2008 11:30 pm
Forum: [3.0/Olympus] Discussion
Topic: Assuring Security by testing
Replies: 4
Views: 3250

Re: Assuring Security by testing

Hi, we found automatic tools to be severely lacking. They were unable to find any valid vulnerability and produced many false positives, invalidating them completely. On top of that, they missed the vulnerabilities we actually knew to be present. Hence I do not believe that black box tools are of an...
by Kellanved
Wed Apr 23, 2008 10:42 pm
Forum: [3.0/Olympus] Discussion
Topic: phpbb 2.0 rand_seed function question to developers, please
Replies: 6
Views: 9870

Re: phpbb 2.0 rand_seed function question to developers, please

I will lock this. This is not the 2.0 dev board and any answer would depend on things like your php version etc. Rule of thumb: a static or time-based seed is a bad idea.
by Kellanved
Mon Mar 31, 2008 11:00 pm
Forum: [3.0/Olympus] Discussion
Topic: Found a possible XSS vulnerability
Replies: 2
Views: 5668

Re: Found a possible XSS vulnerability

The trick is not letting it escape the quotation. Considering the number of browsers and scripting languages, a solution filtering just colons wouldn't be feasible. It would also remove XHTML compliance and cause problems with URLs, which are actually allowed to contain colons. Thank you for your co...
by Kellanved
Fri Mar 14, 2008 12:09 pm
Forum: [3.0/Olympus] Discussion
Topic: Idea: No 0's and O's in reset passwords
Replies: 6
Views: 8850

Re: Idea: No 0's and O's in reset passwords

That would be technically identical to the current approach: the user gets a new password, which allows changing the password in the UCP. Why add complicated workflows that are essentially identical to the status quo? As to it being complicated - cut & paste?
by Kellanved
Tue Mar 04, 2008 5:16 pm
Forum: [3.0/Olympus] Discussion
Topic: Abstraction .. Just a thought
Replies: 2
Views: 2999

Re: Abstraction .. Just a thought

Yes, that's on the agenda.
by Kellanved
Sun Mar 02, 2008 12:22 pm
Forum: [3.0/Olympus] Discussion
Topic: sid on style.php?? requested every new session.
Replies: 8
Views: 8014

Re: sid on style.php?? requested every new session.

I guess a trick like the one for avatars might work.
by Kellanved
Sun Feb 24, 2008 6:07 pm
Forum: [3.0/Olympus] Discussion
Topic: Extension system?
Replies: 6
Views: 5629

Re: Extension system?

phpBB has a Module system which allows the automatic installation of modules. These are limited to certain places, like the ACP, MCP and the UCP, as well as search, authentication and caching. Then there is a hook system for external extensions. Moreover, the style system is in itself more powerful ...
by Kellanved
Fri Feb 22, 2008 1:45 pm
Forum: [3.0/Olympus] New features discussion
Topic: Quick Reply
Replies: 31
Views: 53438

Re: Quick Reply

It's a non-issue. People wanting such behavior can easily add it. Moreover, myBB isn't free, it just doesn't cost money (at the moment).
by Kellanved
Thu Feb 21, 2008 12:02 pm
Forum: [3.0/Olympus] Discussion
Topic: sid on style.php?? requested every new session.
Replies: 8
Views: 8014

Re: sid on style.php?? requested every new session.

Prosilver uses dynamic CSS.
by Kellanved
Sun Feb 03, 2008 11:20 pm
Forum: [3.0/Olympus] Discussion
Topic: unique_id function
Replies: 21
Views: 23364

Re: unique_id function

It's still just the time that goes into the function. An attacker using the same seed will get the same result. I don't know how an attacker can fake microtime(), but if we get that paranoid, how about adding some other values which change (though not strictly "random", still, in a difficul...