Hi Harlan
Thanks for the reply, it was an interesting read.
>> Perhaps. What is the real risk of destroying
>> configuration files, if backups are being made?
They restore from backup, someone erases them again, they restore, someone erases
again, they restore...
>> Also, think carefully about this situation. Are you
>> angry (you did type "grrrr" at one point) b/c the
>> vendor isn't responding in the manner that *you* think
>> they should?
I would like to say that yes, I am none too happy with the way the vendor has reacted
to this. And I shall explain why. I am responsible for few of the production sites
exposed and vulnerable to this flaw since they run this product. And there is nothing
I can do to fix them since the flaw is core to the product. If this is known to anyone
outside of the vendors team, my servers are roadkill. And this thought doesnt really
give me a warm feeling inside.
Having said this I am not gonna go stark raving mad or do anything irresponsible. I
have already notified the admins of the public sites I came across (I just googled and
found these, there may be many more) and have mailed them other possible loopholes
which I have already closed on my boxes, but not the current one, since I dont know
how to close it myself. Some of the admins didnt have the tech knowhow so I sent them
the fixes. As Gadi, Chris and morning_wood have mentioned, I have given prior
information to the vendor and have even asked permission for this to be published,
which was granted (to my surprise) I had even gone to the extent of asking for a
security expert on the vendors side to be involved in the mails, since I realised that
the chap I talked to (an expert in that component) didnt know too much about security
("Whats this Bugtraq and Full Disclosure that you keep mentioning ??" was his reply).
well no one from security was made available. I gave up after th!
at.
>> Uhm..."mailto:[EMAIL PROTECTED]"???
>> (did I miss something obvious in your question?)
I just wanted to know if there is a procedure to this, Got the answer from the other
folks. thanks guys...
>> You don't want to come across as someone who's upset
>> b/c you found your first vulnerability and you don't
>> think the vendor is taking it as seriously as you
>> think they should.
Lets put it this way...I am upset *because* I found a vulnerability :):)
Thanks all for your comments, I think I know what to do now.
Regards
Steven Rebello
-----Original Message-----
From: Harlan Carvey [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 26, 2004 7:33 PM
To: [EMAIL PROTECTED]
Cc: Steven Rebello
Subject: Re: [Full-Disclosure] Vendor casual towards vulnerability found
in product
Steven,
One bit of advice...to quote Morpheus, "welcome to the
desert of the real."
> 1. Would an exploit like this be said to be severe?
Perhaps. What is the real risk of destroying
configuration files, if backups are being made?
> 2. Is the vendor right in their approach to this
> issue?
They seem to think so.
> 3. How do I make public the vulnerability? (Vendor
> has given permission for the same)
Uhm..."mailto:[EMAIL PROTECTED]"???
(did I miss something obvious in your question?)
> 4. Ok, I'll rather ask... *should* I make public
> details of this
> vulnerability? (Since I know of sites using this app
> server, and they may be
> taken down if the exploit goes out)
Well, since you know of the sites, maybe you could
start by going to those folks and explaining the issue
to them...what happens, what's the effect, and how to
protect against. If the vendor isn't dealing w/ it in
(in your opinion) a timely manner, or isn't dealing w/
it in the way you think they should, then releasing it
to the public (since, as you say, they've given their
permission) might be a way to go. Or maybe first
releasing it to the folks using the product, and
telling them that on such-and-such a date you're going
to release it to the general public...that might be
another option.
One trap you have to avoid falling into is coming
across sounding like a nut. If you decide to publish
this vulnerability to the general public, understand
that putting things like "shout outs to my peeps" and
"f*ck you's" in the posting will very likely reduce
your overall credibility.
Also, think carefully about this situation. Are you
angry (you did type "grrrr" at one point) b/c the
vendor isn't responding in the manner that *you* think
they should? After all, according to your own post,
they've been aware of the vulnerability for a while,
and haven't dealt with it to your
satisfaction...which, unless you've been under a rock
for the past 5 yrs, is nothing new. Maybe the vendor
knows about it, but hasn't taken what *you* would
consider to be adequate action b/c they haven't
received any (or that many) reports from customers
about this situation. When you're dealing w/ a
company like the one you're talking about, what they
focus on at any given time is driven by economics.
You don't want to come across as someone who's upset
b/c you found your first vulnerability and you don't
think the vendor is taking it as seriously as you
think they should.
MASTEK
"Making a valuable difference"
Mastek in NASSCOM's 'India Top 20' Software Service Exporters List.
In the US, we're called MAJESCO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Opinions expressed in this e-mail are those of the individual and not that of Mastek
Limited, unless specifically indicated to that effect. Mastek Limited does not accept
any responsibility or liability for it. This e-mail and attachments (if any)
transmitted with it are confidential and/or privileged and solely for the use of the
intended person or entity to which it is addressed. Any review, re-transmission,
dissemination or other use of or taking of any action in reliance upon this
information by persons or entities other than the intended recipient is prohibited.
This e-mail and its attachments have been scanned for the presence of computer
viruses. It is the responsibility of the recipient to run the virus check on e-mails
and attachments before opening them. If you have received this e-mail in error, kindly
delete this e-mail from all computers.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
