I guess you would call an attack 'external' when the attack occurs from outside the server, without the need of having an account on this server. Of course, when your server is only connected to a local network, the attacker has to gain access to this local network first.
--
Michiel
On 8/2/06, Lucero, Michelle - IST contractor <[EMAIL PROTECTED]> wrote:
This is very interesting stuff, Axton.
Can you help clarify this statement for me?
"At the time the last affected version (v6.3) is no longer 'officially'
supported by the vendor, the full vulnerability will be published."
My interpretation is that the full vulnerability will be published when
6.3 is no longer supported. Although we can easily guess what the full
vulnerability is from the description in the article(s), can't we obtain
the full vulnerability statement from BMC Remedy Tech Support?
Also, if one's servers are not exposed to the internet, wouldn't the
only attack be internal, especially if the Remedy Email engine is not
accepting incoming email?
On another note, for the Secure ARS article: most of the instructions
appear to be listed for ARS 6.01. Do the same instructions apply if
individuals are using 6.3 products, including Flashboards?
Thanks again for this great information.
Michelle
-----Original Message-----
From: Action Request System discussion list (ARSList)
[mailto:[email protected]] On Behalf Of Axton Grams
Sent: Tuesday, August 01, 2006 9:35 PM
To: [email protected]
Subject: ARSWiki: New Article
A new article is available on ARSWiki covering known, unaddressed
security vulnerabilities in Remedy and Remedy related products. I have
posted three vulnerabilities that I found first-hand. There is interest
in the following types of vulnerabilities, if anyone can contribute:
- XSS (cross-site scripting) vulnerabilities in Mid-Tier 6.0.1, 6.3, and 7.0
- DoS vulnerabilities via API calls, e.g., call x with parameter y causes ARS to crash
http://arswiki.org/wiki/index.php?title=ARS_Vulnerabilities
Thanks,
Axton Grams
_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at http://www.wwrug.org