Today I visited an irc channel where some core developers are having a chat. They hang out, they chit chat and sometimes even talk about php.
Was approached by a developer who stated he has the next big cool thing. A framework/objectbase that enables you to do anything (a very true statement). Somewhere in this talk it mentioned security. I’ve been out of this for a long time but it still has my private focus. I asked a few questions and the original coder asked me to audit it.
There are a few things I ask before I start auditing.
1. Is that your site?
2. Is your code security aware?
3. Do you mind a full disclosure after I have given you the time to fix it.
I still need the answer to item number 1. It took me a few minutes to create a username that only was visible for someone using the mysql commandline tool to look in the database. The admin interface did not show it.
If item 1 is answered and item 3 is answered positive a fix in my name might be posted by the creators.