From: Patrick Webster (patrickaushack.com)
Date: Thu May 02 2013 - 02:54:40 CDT
Reminded me of a bug I found in an EAL4 certified military encryption product.
The source code actually says "FIXME - need to add parameter validation."
So instead of spending a few minutes adding input sanitisation, the
developers just added a reminder that none exists and shipped the
product as-is. One of those face-slap moments.
On Wed, May 1, 2013 at 8:36 PM, Thierry Zoller <thierryzoller.lu> wrote:
> You got to be kidding me...
>> FORTICLIENT VPN CLIENT CREDENTIAL INTERCEPTION VULNERABILITY
>> When the FortiClient VPN client is tricked into connecting to a proxy
>> server rather than to the original firewall (e.g. through ARP or DNS
>> spoofing), it detects the wrong SSL certificate but it only warns the
>> user _AFTER_ it has already sent the password to the proxy.
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
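The ordering flaw the quoted advisory describes (credentials sent before the certificate check fires), modelled as an added example that is not code from the thread or from the vendor. The certificate bytes, pin and credentials are constructed placeholders and the transport is a stub that only records what the client writes.

```python
# Added example (not from the thread): contrasts "send, then verify" with
# "verify, then send". Cert bytes, pin and credentials are constructed
# placeholders; RecordingTransport stands in for the TLS socket.
import hashlib


class RecordingTransport:
    """Stand-in for the TLS connection: records every payload sent over it."""

    def __init__(self, presented_cert_der: bytes):
        self.presented_cert_der = presented_cert_der  # what the peer showed us
        self.sent = []

    def send(self, payload: bytes) -> None:
        self.sent.append(payload)


def peer_matches_pin(cert_der: bytes, pinned_sha256: str) -> bool:
    """Compare the SHA-256 of the presented certificate with the pinned value."""
    return hashlib.sha256(cert_der).hexdigest() == pinned_sha256


def login_flawed(transport, pinned_sha256: str, credentials: bytes) -> bool:
    """Mirrors the reported behaviour: credentials go out, the warning comes after.
    Returns True when a certificate mismatch was detected (too late)."""
    transport.send(credentials)
    return not peer_matches_pin(transport.presented_cert_der, pinned_sha256)


def login_safe(transport, pinned_sha256: str, credentials: bytes) -> bool:
    """Verify the peer before anything secret is written to the connection.
    Returns True when the login was refused because of a mismatch."""
    if not peer_matches_pin(transport.presented_cert_der, pinned_sha256):
        return True  # warn the user and abort; nothing has been sent
    transport.send(credentials)
    return False


# Constructed sample data (not real certificates or credentials).
GOOD_CERT = b"constructed-der-for-the-real-firewall"
PROXY_CERT = b"constructed-der-for-the-interposed-proxy"
PIN = hashlib.sha256(GOOD_CERT).hexdigest()
CREDS = b"user:example-password"


def demo() -> dict:
    """Run both clients against an interposed proxy and report what leaked."""
    flawed, safe = RecordingTransport(PROXY_CERT), RecordingTransport(PROXY_CERT)
    login_flawed(flawed, PIN, CREDS)
    login_safe(safe, PIN, CREDS)
    return {"flawed_sent": flawed.sent, "safe_sent": safe.sent}
```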