On 08/10/2010 17:07, Ton Voon wrote:
On 8 Oct 2010, at 15:45, Jose Luis Martinez wrote:
To Mr. Kang:
Thanks for the report, but, please do not disclose vulnerabilities in
public forums without giving the vendor a chance to fix them before.
This way security updates get distributed in a timely fashion and
everybody benefits from your work in an ordered way.
I wouldn't want Mr. Kang to be offended. He did a great job, took the
time to test for security, and bothered to update the vendor. The way
may not have been correct only IMHO, and I understand there are
defenders of "Full disclosure" and "Bug Secrecy", and even people in
between!
http://googleonlinesecurity.blogspot.com/2010/07/rebooting-responsible-disclosure-focus.html
is a nice article.
Bruce Schneier elaborates on the different pros and cons of the two
approaches too: http://www.schneier.com/crypto-gram-0111.html
Just to defend Kang, we haven't stated how to contact us if you have a
security bug. We've updated the text at the top of the forum link:
Seeing that Mr. Kang knew the attack surface beforehand, I don't see any
problem with him disclosing the bug in the mailing list.
http://www.opsview.com/forums/opsview-community-edition/bug-reports
so you should email us about security bugs before publicly disclosing.
+1. I'd recommend putting an "I've found a security bug" in the
documentation on how to contact you.
I have also updated our incident tracker item
(https://secure.opsera.com/jira/browse/OPS-1379) with the conditions of
the bug. As this only happens when someone is already logged into
Opsview AND they have ADMINACCESS, I think the exposure is not so bad
(compared with any public user being able to execute arbitrary code).
Personally: Seeing the report, at first I got a bit scared. Since no
info was detailed in the patch, and the attack surface was unclear for
me: we applied the patch immediately. We don't actively use NMIS, so I
really couldn't evaluate which logged in users could inject commands
into the system (I was aware that the user had to log in, though), and
since we hand out users to end users, it could be potentially dangerous.
Just for information, I've reported the bug back upstream to the NMIS
project ... on their mailing list. So I'm just as guilty as Kang :(
Point taken for next time.
Please accept my apologies if any of you have been offended. I fully
defend your right of full disclosure, although it's not my personal
preference, and hope you continue to fully disclose if that is your
personal preference :)
Jose Luis Martinez
[email protected]
_______________________________________________
Opsview-users mailing list
[email protected]
http://lists.opsview.org/lists/listinfo/opsview-users