
LESSONS.txt

Guest on 29th August 2021 06:31:22 AM

Game-security bug lessons:
--------------------------

DSA-334, 354, 356, 368, 369...

- vulnerability in a setGID-games application = compromise of every user
  running any game on the system

#291613

- setGID games should not write in users' dirs without dropping privs

Are global hiscores worth it?


#255434

- Some security bugs are not fixed by (almost) MIA maintainers even if
  they are one-liners.

- Non-free stuff is not security supported (but our users might not
  be that much aware of it)

#287604 lessons:

- obsolete, bug-ridden software gets into our stable release

#287651 lessons:

- ancient (and unaudited) software contains lots of security bugs

- maintainers (wishfully) think that bugs in old versions are not present
  in newer ones

#323386 lessons:

- Maintainers sometimes fix security bugs in unstable (through upstream)
  but neglect to fix them in stable or to keep the bug open for testing!

#291635 lessons:

- Unaudited software should not be used in CGI gateways

#291389 lessons:

- Some programming languages don't provide easy-to-use security functions

#289562 lessons:

- Make sure the files belong to the proper users when checking their
  existence

#334616 lessons:

- Most software does not need root privileges to run

- Network attacks restricted to localhost = local attacks

- A network server should use authentication

DSA-656 lessons:

- Disabling a server is no security measure; users will start it up.
  Design it properly for this event.

- Maintainers don't heed upstream's comments (INSTALL file, 'don't run
  as root!')

- It's difficult to do a redesign in a DSA (#287899)
  (overwrite any file -> write anywhere as root)

- Don't invent new protocols without authentication

DSA-893 lessons:
---------------

- Upstream doesn't always know how to fix security bugs

- Security bugs in some packages might affect other packages with a
  common codebase

- It's better to restrict access to sensitive web interfaces by default
  (security bug in default install -> security bug enabled by admin)

- Fixes for SQL injection bugs and XSS bugs in PHP apps are similar:
  check your input!

- A security fix is not always 100% thorough ("time to fix" pressure)

Temporary audit:
---------------

- Software does not use $TMPDIR but hardcodes /tmp

- In many situations (persistence), temp files should be in the user's directories
  instead of under /tmp
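Both points of the temp-file audit, as an added example written for these notes (not code from any audited package): scratch_dir() honours $TMPDIR with /tmp only as the fallback, make_private_tempfile() creates the file atomically with mkstemp() and verifies its mode, and user_private_dir() puts data that has to persist under the user's own $HOME instead of /tmp. The prefix and directory names are assumptions.

```c
/* Added example, not from LESSONS.txt: honour $TMPDIR instead of hardcoding
 * /tmp, create scratch files atomically, and keep persistent data in $HOME. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/stat.h>

/* Directory for scratch files: $TMPDIR when set to an absolute path, else
 * /tmp. Relative values are ignored so a stray TMPDIR cannot redirect the
 * program into whatever the current working directory happens to be. */
const char *scratch_dir(void)
{
    const char *d = getenv("TMPDIR");
    if (d != NULL && d[0] == '/')
        return d;
    return "/tmp";
}

/* Create a unique scratch file under scratch_dir(). mkstemp() opens it with
 * O_EXCL and mode 0600, so a pre-planted file or symlink with the same name
 * cannot be hijacked. The full path is copied to `out` for a later unlink;
 * returns the open descriptor, or -1 on error. */
int make_private_tempfile(const char *prefix, char *out, size_t outlen)
{
    char tmpl[4096];
    int n = snprintf(tmpl, sizeof tmpl, "%s/%s.XXXXXX", scratch_dir(), prefix);
    if (n < 0 || (size_t)n >= sizeof tmpl || (size_t)n >= outlen)
        return -1;
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    /* Belt and braces: confirm nobody else can read or write it. */
    struct stat st;
    if (fstat(fd, &st) != 0 || (st.st_mode & 077) != 0) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    memcpy(out, tmpl, (size_t)n + 1);
    return fd;
}

/* For data that must survive (the "persistence" case) a private directory
 * under the user's $HOME is the place, not /tmp, which is shared with every
 * other user and may be cleaned at boot. Returns 0 and the path in `out`. */
int user_private_dir(const char *name, char *out, size_t outlen)
{
    const char *home = getenv("HOME");
    if (home == NULL || home[0] != '/')
        return -1;
    int n = snprintf(out, outlen, "%s/.%s", home, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    if (mkdir(out, 0700) != 0 && errno != EEXIST)
        return -1;
    return 0;
}

int main(void)
{
    char path[4096];
    int fd = make_private_tempfile("lessons-example", path, sizeof path);
    if (fd < 0) {
        perror("make_private_tempfile");
        return 1;
    }
    printf("scratch file: %s\n", path);
    close(fd);
    unlink(path);

    if (user_private_dir("lessons-example", path, sizeof path) == 0)
        printf("persistent dir: %s\n", path);
    return 0;
}
```

The check on st_mode after mkstemp() is there for old libc versions that created the file with 0666; on any current glibc it simply confirms the 0600 mode.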
