Hi,
I asked Björn Schotte (CEO of Mayflower GmbH) if it would be possible to 'scan' phpMyAdmin for vulnerabilities using Chorizo (for free).
He said yes, if they could publish a case study, press release or something similar.
Marc? Do you think this is possible?
* https://chorizo-scanner.com/
* http://mayflower.biz/
CC: Björn Schotte schotte@mayflower.de
Sebastian Mendel wrote:
> Hi,
> I asked Björn Schotte (CEO of Mayflower GmbH) if it would be possible to 'scan' phpMyAdmin for vulnerabilities using Chorizo (for free).
> He said yes, if they could publish a case study, press release or something similar.
> Marc? Do you think this is possible?
Yes. Let's hope we have some free time to fix the issues!
> CC: Björn Schotte schotte@mayflower.de
Marc Delisle wrote:
> Sebastian Mendel wrote:
>> Hi,
>> I asked Björn Schotte (CEO of Mayflower GmbH) if it would be possible to 'scan' phpMyAdmin for vulnerabilities using Chorizo (for free).
>> He said yes, if they could publish a case study, press release or something similar.
>> Marc? Do you think this is possible?
> Yes. Let's hope we have some free time to fix the issues!
I don't think that they will release any disclosure before we find the time and can fix this,
not like other security people holding pistols to our heads to force a rushed release ... ;-)
I think Björn will reply with information on how he/we will handle the next step ...
And thanks in advance, Björn.
Hi Sebastian, Marc, Björn & list,
Marc Delisle wrote:
> Sebastian Mendel wrote:
>> Hi,
>> I asked Björn Schotte (CEO of Mayflower GmbH) if it would be possible to 'scan' phpMyAdmin for vulnerabilities using Chorizo (for free).
>> He said yes, if they could publish a case study, press release or something similar.
>> Marc? Do you think this is possible?
> Yes. Let's hope we have some free time to fix the issues!
I think that this is a good idea. Scanners like Chorizo are helpful, but unfortunately people who want to hack a PHP application are able to use them too. This is why we probably should know about the vulnerabilities those scanners will find. The Mayflower guys showed me Chorizo a couple of times at the PHP conferences and it looked pretty good. I haven't used it myself yet, though.
Scanning phpMyAdmin once with the full version of Chorizo would be a good thing to do, as long as Björn holds the publication of his case study/press release until the vulnerabilities found have been fixed. And if you need some additional manpower for the fixing, I'll be at your service. :-)
But as development goes on, it is likely that new vulnerabilities will find their way into phpMyAdmin. So some agreement that allows the team to at least scan betas and RCs of planned major releases would be way more helpful, imho. Unfortunately, a Chorizo license is unaffordable for open source projects like phpMyAdmin that don't have a big company behind them. :-/
Anyway, there is also a free version. Let's give that one a try.
Regards,
Alexander