Archive for March, 2008

howto create an intermediate Certificate Authority (CA) using openssl

Thursday, March 20th, 2008

What is an Intermediate Certificate Authority (CA) and why do I need one? An Intermediate CA is an authority that you use to create your own SSL certificates in a PKI environment. An Intermediate CA depends on a Root CA that is the origin of the chain of trust. The idea is that if your Intermediate CA gets compromised or you decide to revocate all the certificates issued by it, you can still use your Root CA without further inconvenience for your users (the users only need to have installed the certificate of the Root CA in their browsers).

As for the second question, the sort answer is that chances are that you really do not need one :) but for the shake of the experiment lets get our hands dirty!
(more…)

Posted in Networking, Security | 7 Comments »

security advisory: Elastic Path Unrestricted Filesystem Access

Monday, March 10th, 2008

Elastic Path is a popular Java e-commerce platform for building online stores and shopping carts. Elastic Path consists of both a shopping front end where customers can browse and choose the products and a managing backend for administration purposes.

Users of the administrative interface can be granted different levels of access. Research revealed that users with upload/download privileges could abuse them to gain access to arbitrary files in the remote system (read the security advisory - mirror #1, mirror #2).

update: a link to the patch is available in Elastic Path Developer’s site (thanks to d-dub).
update: this vulnerability has been assigned the following CVE number: CVE-2008-1606.
(more…)

Posted in Security | 3 Comments »

dradis v1.1 is out

Friday, March 7th, 2008

A new version of dradis, the information sharing tool for security teams, was released on the 29th of February. Some major changes were introduced from the first release back on December:-

  • New client GUI that runs in Linux, Windows and Mac OS (screenshots).
  • New web interface.
  • Improved step-by-step installation instructions.
  • New contributed modules:
    • Export your Knowledge Base to an XML file.
    • run nmap from dradis and store the results in the knowledge base.

If you want to give it a try, go to the download page. And please let me know any thoughts or feedback (remember that you can use the dradis development mailing list: dradis-devel).
(more…)

Posted in Ruby, Security | No Comments »