On 12/21/05, GroundZero Security <[EMAIL PROTECTED]> wrote:
>
> are we starting to post vulnerabilities in specific websites now rather than
> daemons/clients etc. ?

When it's a website with a user-base as large as what Google has, yes. When there is a possibility that user accounts can be compromised, yes.

> i mean there are thousands of websites which are vulnerable to xss,sql
> injection or worse because of their
> custom scripts.

Sure, but "google != howardsblog.com". A large part of the population (including myself) relies on Google's various services for day-to-day use. I sure as hell would not feel comfortable knowing that I'm using a service that can potentially leak my information. If there is a vulnerability, no matter how trivial, the public needs to know.

> in my opinion this should be posted to the website owners if
> you feel like, but it's of no real use
> to the security community.

That's quite a blanket statement to make. I'm sure a few people in the "security community" would like to know that there exists a vulnerability in a Google service.

> hm another thing i'm wondering about is, is it
> legal to just audit a website without
> asking the owner if it's ok ?

No. But a site need not be audited to discover a bug.

> how will he know it's not a real attack? ok as
> for xss there can't be much harm done
> to the server itself,

XSS can do a lot of harm. A compromised administrator account is generally a compromised server. There are some good XSS resources on the web you can read up on.

The bug that was discovered by the parent poster may not lead to a server compromise; but that is no reason to discount or underestimate XSS.

> but what if, for example, you cause a DoS through
> testing certain variables for overflows ?

Then, my friend, you have discovered a bug.

Mohit.

--
Mohit Muthanna [mohit (at) muthanna (uhuh) com]
"There are 10 types of people. Those who understand binary, and those who don't."
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
