See comments below.

Axton

On 8/2/06, Lucero, Michelle - IST contractor <[EMAIL PROTECTED]> wrote:
This is very interesting stuff, Axton.

Can you help clarify this statement for me?

"At the time the last affected version (v6.3) is no longer 'officially'
supported by the vendor, the full vulnerability will be published."

My interpretation is that the full vulnerability will be published when
6.3 is no longer supported.  Although we can easily guess what the full
vulnerability is from the description in the article(s), can't we obtain
the full vulnerability statement from BMC Remedy Tech Support?
I won't comment on this.

Also, if one's servers are not exposed to the internet, wouldn't the
only attack be internal, especially if the Remedy Email engine is not
accepting incoming email?
This is true for the RappSvc account.  The email DoS does not apply to
incoming email if you do not have incoming email configured; though it
still applies to internal exploitation.

On another note, for the Secure ARS article: most of the instructions
appear to be listed for ARS 6.01.  Do the same instructions apply if
individuals are using 6.3 products, including Flashboards?
Contributions are welcome.  I am working in a 6.0.1 environment, so
this is what I write about. :)

Thanks again for this great information.
Michelle

-----Original Message-----
From: Action Request System discussion list(ARSList)
[mailto:[EMAIL PROTECTED] On Behalf Of Axton Grams
Sent: Tuesday, August 01, 2006 9:35 PM
To: [email protected]
Subject: ARSWiki: New Article

A new article is available on ARSWiki covering known, unaddressed
security vulnerabilities in Remedy and Remedy related products.  I have
posted three vulnerabilities that I found first-hand.  There is interest
in the following types of vulnerabilities, if anyone can contribute:
- XSS (cross-site scripting) vulnerabilities in Mid-Tier 6.0.1, 6.3, and
7.0
- DoS vulnerabilities via API calls, e.g., call x with parameter y
causes ARS to crash

http://arswiki.org/wiki/index.php?title=ARS_Vulnerabilities

Thanks,
Axton Grams

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at http://www.wwrug.org
