On Saturday, 25 October 2003 00:44, Lorenzo Hernandez Garcia-Hierro wrote:
> Hi all,
> Some people are a little confused with the NASA related security
> issues and my advisory, so I'm explaining the confusing things:
>
> 1.- Every time NASA staff knew what I was doing, I sent
> messages to administrators before doing anything.
>
> 2.- John R. Ray of the NASA Competency Center (Information
> Technologies Security) contacted me to solve the issues.
>
> 3.- The report was completely closed to public access when the
> systems were vulnerable.
>
> 4.- I provided an access code to see the advisory for the NASA staff.

leet

> 5.- I was testing the vulnerabilities all the time, and when I found that
> the most important ones were patched I made the advisory public with
> some restrictions.
>
> 6.- Of course, I wrote a disclaimer that can be found on the main
> web site and at http://advisories.nsrg-security.com/disclaimer.txt
>
> 7.- A mail log that has all the exchanged mail between NASA staff and
> me (and an action log too with dates and details) is available at:
> http://advisories.nsrg-security.com/Nasa.gov-MV/mail-log.txt
> So, please, be careful saying that I made it public without
> contacting the NASA staff first.

pretty cool, man!

> 8.- In the report there is no private information about NASA nor
> working exploits against important security holes like SQL
> injections.

multo importante!

> 9.- Screenshots are modified to remove private URL addresses (like
> www.nasa.gov portal admin access)

0day screenshots?

> 10.- Some people were saying that I wanted fame doing it, definitely
> not, I made it to demonstrate that web security is a real problem
> and a thing that must be included in the security policies of
> enterprises.

now i see it's not about fame. naming "NASA" 10+ times is just to sound... erm, trustworthy.

> The next generation of hackers will be able to make damage against
> servers with the only help of a web navigator; the web browser will
> be a really dangerous hacking tool, and it is not the future, it is
> now, just see the last advisories about phpnuke, etc.

yeah that's really interesting! i've just started writing my new 0day browser with neat phpnuke sploiting capability!!

> 11.- The communication between NASA staff and me was completely clear
> except that I didn't receive a response after I sent a message
> confirming that the report was finished and they had the access code
> to see it.
>
> CONCLUSIONS
>
> It was a completely clear job between NASA staff and me, they were
> really fast patching (one day) and really fast replying to my first
> email.
>
> The important thing is that NASA staff now knows which risk web
> application security has and how to solve web application security
> issues.

saint lorenzo! and thanks for letting all of us know what you've done!

> Everything in this life has a final meaning, in this case: web
> security must be treated as other security issues, if not, you are
> at risk.

clear thing!

> How many times must I rewrite this mail?

we'll see..

> Best regards and thanks to all members of Full-Disclosure,

--
-q/UNF

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
