Posted June 7 2009
A series of regex-writing challenges.
A series of XSS challenges: here's some unsafe code; exploit it! Shortest code wins.
I needed some valid SWF files with constrained character sets for an injection PoC. Putting them here in case someone else needs some.
PHP has finally taken the plunge into the 1960s by implementing GOTO. Here's an implementation for Java.
Unofficial Java Vulnerability Fix
A patch for a serious Java bug. No longer needed as of June 16.
What is this?
This has been exploited by such unscrupulous people as me, for the multitouch demo. Luckily there haven't been any reports of malicious exploits yet (as far as I know). It would be almost trivial to use this to install malware.
This page gains access using that security hole, then patches the bug so it can't be exploited again. Scroll down the page and click the 'Start' button.
The vulnerability is CVE-2008-5353. An official fix is available, but only with the latest Java beta and only for registered ADC members. For this criticial a vulnerability, that's just not good enough.
The bytecode for Calendar.readObject() is patched (using the wonderful ASM library) to replace the single call to AccessController.runPrivileged with a version which provides only the required privileges (access to sun.util.calendar) rather than full system access.
Replacing the jar file at...
... requires administrator access, so a small C stub is used to call AuthorizationExecuteWithPrivileges. You will be required to authenticate with an administrator password.
The original classes.jar file will be left in /tmp as a backup.
The patch will be overwritten when the official patch from Apple is finally released.