New revision of the application


Giulio Cesare Solaroli

Oct 31, 2008, 6:28:20 AM
to Clipperz
Hello,

we have just released a new version of the application; there are no
major features in this version, just some security fixes.

Most of the fixes are relevant only for future features of the
application (sharing), but some smart guys have found a vulnerability
on the direct login creation process that we have now fixed.

The vulnerability could be used by some hostile site to trick the
bookmarklet into collecting a "wrong" configuration that could inject
malicious code into the direct login. Clicking on the newly created
direct login would later activate the code that could compromise the
Clipperz account.

The changelog of the new revision is available here:
http://www.clipperz.com/reviewing_the_code/older_versions

These are the new checksums:
Size for file /index.html = 1580943
MD5 checksum for file /index.html = 604722c3d02f6c6c37b5879d5d71d938
SHA1 checksum for file /index.html = 86c8c28440ed12fd3825b8e6a1b800786593b855


We are still working on a greatly improved version of the application,
but you need to be more patient for that.

Enjoy Clipperz.

Giulio Cesare

Giulio Cesare Solaroli

Oct 31, 2008, 10:33:16 AM
to Clipperz
Hello,

we had barely uploaded the new version of the application when Collin
Jackson, the PhD student who found the original vulnerability in our
code that prompted this release, spotted a weakness in our fix.

Needless to say, a new version is already online.

THANKS Collin!!

Revision: 1251
Size for file index.html = 1580949
MD5 checksum for file index.html = 9eaafad47aaa1c3b31c433d3faa2dfbc
SHA1 checksum for file index.html = 3f03395e396cccdc9d5ef6c1c0117387ffc14096

Regards,

Giulio Cesare

PS: someone still believes that security by obscurity works better. We
obviously do not agree with this point of view, and we have had our code
available for inspection since we started.
Even if very few people have the skills to actually inspect the code,
when someone finds a problem the benefits everybody gets are huge.

neoxx

Nov 1, 2008, 7:04:07 AM
to Clipperz
hi,

thanks for the update. - unfortunately, the HTTP authentication
stopped working for both new and existing cards.

greetz,
bernhard


Giulio Cesare Solaroli

Nov 1, 2008, 9:31:42 AM
to n...@neotrinity.at, Clipperz
Hello Neo,

thanks for the note. We are going to investigate the problem and fix
it as soon as possible.

Sorry for the trouble.

Regards,

Giulio Cesare

PS: we are also working to set up a suite of tests in order to improve
our quality assurance, but it is not a trivial task to accomplish.

Giulio Cesare Solaroli

Nov 1, 2008, 12:41:16 PM
to Clipperz, n...@neotrinity.at
Hello,

a new version is online that fixes the HTTP authentication problem in
direct logins.
The new version fixes also an issue in the creation of a new direct
login for a website using HTTP authentication.

Oddly enough, the two problems were due to completely different causes.

A few weeks ago, a new member joined the Clipperz team: Marco
Fabbri. He will help us keep the development of the new version
of the application going. He will also help us answer users'
questions on this forum.


Build: 1253
Size: 1.581.061 bytes
MD5: e4e1 d179 f961 76c7 31db 315d 6b53 d0b1
SHA1: 6e4b 66e1 6c5b afa7 3b26 2da9 4aab 70f5 1036 f91a


Giulio Cesare


neoxx

Nov 1, 2008, 12:58:58 PM
to Clipperz
hi,

thanks for the quick fix. - it works again like a charm.

cheers,
bernhard


Marco Fabbri

Nov 6, 2008, 10:45:57 AM
to Clipperz
Hello,

a new version is online that fixes a problem with HTML rendering for
Internet Explorer.


Build: 1262
Size: 1.572.491 bytes
MD5: ebfc 9559 30c6 e8b7 841f c855 22aa 5c42
SHA1: c8d8 97db fa08 409f f9bd 5339 9299 e726 9fbc 500f


Marco

=====
"We know nothing
— that is the first point.
Therefore we should be very modest
— that is the second.
That we should not claim to know when we do not know
— that is the third."

Karl R. Popper
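Every release announcement in this thread publishes the size, MD5 and SHA1 of the single index.html that makes up the application, in two different layouts (a "checksum for file ... = hex" line per value in the first posts, and "Size: 1.581.061 bytes" / "MD5: e4e1 d179 ..." with space-grouped hex in the later ones). The script below is an added example, not Clipperz code, of the check a user would run before trusting a downloaded copy: it parses either layout, normalises the grouped hex and dotted sizes, computes the digests of the local file and reports every field that disagrees. The sample file and its announcement are constructed for the example; the digests in that sample are simply those of the 11-byte string. One caveat a practitioner would add today: MD5 and SHA-1 are both no longer collision resistant, so a publisher should list SHA-256 alongside them, and the code accepts whichever of the three fields is present.

```python
import hashlib
import re

# Constructed sample: an 11-byte "file" and an announcement in the
# "key for file X = value" style used in the first posts of the thread.
SAMPLE_FILE = b"hello world"
SAMPLE_ANNOUNCEMENT = """\
Size for file /index.html = 11
MD5 checksum for file /index.html = 5eb63bbbe01eeed093cb22bb8f5acdc3
SHA1 checksum for file /index.html = 2aae6c35c94fcfb415dbe95f408b9ce91ee846ed
"""

# Matches both "MD5 checksum for file index.html = <hex>" and "MD5: <hex>".
_LINE = re.compile(r"^\s*(Size|MD5|SHA1)\b[^=:]*[=:]\s*(.+?)\s*$", re.IGNORECASE)
_DIGEST_LEN = {"md5": 32, "sha1": 40}


def parse_announcement(text):
    """Return {'size': int, 'md5': hex, 'sha1': hex} from either announcement style.

    Hex digests may be space-grouped ('e4e1 d179 ...'); sizes may carry a unit
    and '.' or ',' thousands separators ('1.581.061 bytes').
    """
    found = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # e.g. "Build: 1253" or prose lines
        key, value = m.group(1).lower(), m.group(2)
        if key == "size":
            found["size"] = int(re.sub(r"\D", "", value))
        else:
            digest = re.sub(r"\s+", "", value).lower()
            if not re.fullmatch(r"[0-9a-f]+", digest) or len(digest) != _DIGEST_LEN[key]:
                raise ValueError(f"malformed {key.upper()} digest: {value!r}")
            found[key] = digest
    return found


def compute_digests(data):
    """Size and digests of the local file, in the same shape as parse_announcement()."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def verify(data, announcement_text):
    """Compare a downloaded file against the published values.

    Returns the list of fields that disagree; an empty list means every
    published value matched. A field the announcement omits is reported too,
    so a truncated or partially quoted announcement is not silently accepted.
    """
    expected = parse_announcement(announcement_text)
    actual = compute_digests(data)
    mismatches = []
    for field in ("size", "md5", "sha1"):
        if field not in expected:
            mismatches.append(f"{field}: not published")
        elif expected[field] != actual[field]:
            mismatches.append(f"{field}: expected {expected[field]}, got {actual[field]}")
    return mismatches


if __name__ == "__main__":
    # Usage with a real download: verify(open("index.html", "rb").read(), announcement)
    print("sample file:", verify(SAMPLE_FILE, SAMPLE_ANNOUNCEMENT) or "all checksums match")
    print("altered file:", verify(SAMPLE_FILE + b"!", SAMPLE_ANNOUNCEMENT))
```

Because the whole application ships as one HTML file, a size plus two independent digests is a cheap way to catch a mirror or proxy that serves a modified copy; the check is only as good as the channel the announcement arrived through, which is why the values are posted to the group rather than only inside the file being verified.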
