Jay Little - Software Obsessionist
Proxykiller Security Hole Alert
Post Icon

10/31/2001 21:11:37

After playing around with the new version of Proxykiller yesterday - I stumbled upon a MAJOR security hole within the program infrastructure that can be used to gain illict access to any webserver containing the proxykiller application.

This security hole affects ALL proxykiller versions. It allows a malicious attacker to upload a dangerous file containing executable code or ASP script and place it anywhere on the same drive as the IIS webroot. The fix for the hole is simple and I will release it later on today.

I've said it once and I'll say it again - no web application can and will be FULLY secure - ever. There will always be some exploitable point of entry that an attacker can find and use due to the complexity and openness of the architecture. Thats not to say that we shouldnt try to develop secure web apps - but that the only way to prevent breakins is through eternal viligance when it comes to code audits.

Just in case you are wondering - this security hole was discovered in the course of going through one of my normal audits. So the chances are slim that its been discovered by any outside entity :-)


[Top] [Rss] [Email]