Authentication (ACL) - Challenges - Solutions - Dilemmas
[eluser]Randy Casburn[/eluser]
All, I've updated the First Topic Post to make it clearer and summarize the key points. Enjoy, Randy
[eluser]manilodisan[/eluser]
Here's Plurious in action: brawwwwrrr, you could, at least, escape your queries. See, we're getting to what a developer wants. I, as a developer, would surely want to secure my scripts, but without access to the code and with such huge holes in the security I would ask for a refund. And don't tell me that this is your site's login, not powered by Plurious, because I tested the demo too...
[eluser]Référencement Google[/eluser]
Randy, we need your explanation of this bug, since you affirmed to us that "it's more secure than any other CodeIgniter authentication capability in existence".
[eluser]manilodisan[/eluser]
[quote author="Randy Casburn" date="1222295196"]If you look at it from a user's perspective, Redux and others have more "features". When you take the dress, or the pants, off, Plurious Auth has more Chastity (it's more secure than any other CodeIgniter authentication capability in existence).[/quote]
[eluser]Pascal Kriete[/eluser]
What worries me most here is what people might do. If you're inclined to attempt hacking the script, do NOT touch the client login. A client login should not be abused as a SQL injection testing ground under any circumstances. You could potentially have a strong negative effect on someone's business. Use the demo or, better yet, don't do it. @randy: at the very least, turn off error reporting.
[eluser]manilodisan[/eluser]
The client login is powered by the same script. What worries me most is that someone's bad business could affect my personal life as a customer, since their auth system is powered by something that is lacking when it comes to security and could be easily hacked. You could take it this way too... BTW, I tested the demo first and then got curious to see if he's really using the same script.
[eluser]Pascal Kriete[/eluser]
Manilodisan, it wasn't aimed directly at you, but the people who may now do dumb things. Finding security issues is a good thing. What I will say though, it doesn't sound like you contacted Randy before disclosing this vulnerability. Some very clever folks have written up guidelines for this kind of thing. If someone finds a vulnerability in your own software, I think you would want them to extend the same courtesy to you. A fix is infinitely more important than immediate public disclosure.
[eluser]manilodisan[/eluser]
You're right, @inparo. I got caught up in the "more secure than any other CodeIgniter authentication capability in existence" since I'm offering a similar tool. Anyway... it's called "getting a script mature".
[eluser]Randy Casburn[/eluser]
[quote author="manilodisan" date="1223252710"]And don't tell me that this is your site's login, not powered by plurious, coz I tested the demo too...[/quote] Nope. I pushed a pre-production file by mistake. The wrong file went up to the server. It happens. I'm sure you never make mistakes. It's fixed. Not because this fine competitor was attempting to get support as a paying customer. What I find interesting is that a competitor, with little interest other than discrediting my attempts at providing a good product has had weeks to demonstrate an exploit. This is the best he can come up with. So I'm going to assume, as he has leaped off the deep end in his posts several times, that he has spent these weeks since my product announcement trying to exploit my capability. But after weeks and weeks of trying this is the only feeble way he could find to discredit the product. I'd say that's pretty sweet actually. @manilodisan - Thanks for the credibility boost there manilodisan. ===== I'm also glad to see the thread taking on interest again. ===== Sorry for the scare everyone -- I didn't do that on purpose just to get attention ;-) Randy
[eluser]manilodisan[/eluser]
I'm not a competitor, Randy. I open sourced Webber. It didn't take me weeks to exploit it but 1 second (proud?). I visited your page 3 times, every time during our conversations in this thread and without any attempt to hack it, since I was more than sure that a man who writes ACLs should know the very least of programming principles: security!
[quote author="Randy Casburn"]So I'm going to assume, as he has leaped off the deep end in his posts several times, that he has spent these weeks since my product announcement trying to exploit my capability. But after weeks and weeks of trying this is the only feeble way he could find to discredit the product.[/quote]
Don't get caught in this game, Randy, you're slipping...
[quote author="Randy Casburn"]I'm also glad to see the thread taking on interest again.[/quote]
This is not "thread interest" to make you happy "glad".