[ESNC-2013-004] Remote ABAP Code Injection in OpenText/IXOS ECM for SAP NetWeaver
Please refer to http://www.esnc.de for the original security advisory,
updates and additional information.
1. Business Impact
That's an argument (thanks) ... Nope, I'm still a bit utopist and I cannot
stand seeing people pay for corporations' mistakes.
You're right, but then it's a fight against the software industry that you're
doing, and fuck the casualties...
I guess all of us kinda make the right balance in the end anyw
Valdis,
You are teaching me how to behave, outsourcing _your problems_ to me.
Let me suggest you "responsible people" fix the problem yourselves.
One approach is to work hard, find the bugs and report them --
in this case you won't depend on people like me.
It ain't going to be easy, future ver
On Tue, Apr 23, 2013 at 05:12:17PM +0200, Gregory Boddin wrote:
> You have to think about end-users as well ... Those are impacted first, not
> the vendors.
>
So microsoft took users' money and _I_ should take care of microsoft's
users helping m$ make more money?
You mad bro?
valdis.kletni...@vt.edu wrote:
> On Tue, 23 Apr 2013 09:22:36 -0700, Tavis Ormandy said:
>
> > Easy and nonsense, I really hope you don't think this is about credit.
>
> I mention the credit issue only because some people *have* gotten peeved
> when they contact a vendor and the vendor issues an
On Tue, 23 Apr 2013 12:54:42 -0400, Gary Baribault said:
> I hope we are all here for our users and customers.
The problem is that what my users and customers want is different
from what other researchers' users and customers want
And any vendor who says it will take 18 months to fix this, tough, give
them whatever you feel is reasonable, tell them when you will be
releasing and then go, but keep in mind, fixing a bug that affects
Windows XP, Vista, 7, 8, 2003, 2008 and 2012 will take longer than
fixing a bug in VLC. Yes we
On Tue, 23 Apr 2013 09:51:55 -0500, Georgi Guninski wrote:
IMHO nobody should bother negotiating with terrorist vendors.
Open source programmers: the new terrorists of the 21st century
___
Full-Disclosure - We believe in it.
Charter: http://lists
Please remember that the title of the list is "full disclosure", not
"responsible disclosure". This is not a corporate list and nobody has
to act responsibly if they don't want to. They are old enough to judge
what they do.
Some people are in the security field just for the fun part, that's not
th
Someone earlier (in another thread?) mentioned notifying the vendor
first and, if they don't respond within a week or some other reasonable
period of time, going public with the 0day and a clear conscience. And I
completely agree: at least make an effort to let the vendor know before
you go publ
On Tue, 23 Apr 2013 09:22:36 -0700, Tavis Ormandy said:
> Easy and nonsense, I really hope you don't think this is about credit.
I mention the credit issue only because some people *have* gotten peeved
when they contact a vendor and the vendor issues an advisory that doesn't
give them a shout-out
valdis.kletni...@vt.edu wrote:
> On Tue, 23 Apr 2013 17:51:55 +0300, Georgi Guninski said:
> > Completely disagree.
> >
> > IMHO nobody should bother negotiating with terrorist vendors.
> >
> > Q: What responsibility vendors have? A: Zero. Check their disclaimers.
>
> And disclaimer or no disclai
And oh so easy. Most of us know Georgi, but I do think it's unfair to
label all software firms as Terrorists. That term is used much too
easily these days IMHO. Sure some of them don't like to work with us,
but it has been my experience that most will, and if they don't, like
Valdis says, go from p
On Tue, 23 Apr 2013 17:51:55 +0300, Georgi Guninski said:
> Completely disagree.
>
> IMHO nobody should bother negotiating with terrorist vendors.
>
> Q: What responsibility vendors have?
> A: Zero. Check their disclaimers.
And disclaimer or no disclaimer, there's a lot of vendors who want to
Do T
Henri Salo wrote:
> On Tue, Apr 23, 2013 at 02:58:43PM +0300, Georgi Guninski wrote:
> > please don't spam your opinion on every message you dislike.
> Point of contacting vendor is to get the issues fixed without creating
> unnecessary security risks to users of the program.
Perhaps you don't r
I look forward to seeing who wins in this argument over personal opinion.
On Tue, Apr 23, 2013 at 4:12 PM, Gregory Boddin wrote:
> You have to think about end-users as well ... Those are impacted first,
> not the vendors.
>
> On 23 April 2013 16:51, Georgi Guninski wrote:
>
>> Completely
You have to think about end-users as well ... Those are impacted first, not
the vendors.
On 23 April 2013 16:51, Georgi Guninski wrote:
> Completely disagree.
>
> IMHO nobody should bother negotiating with terrorist vendors.
>
> Q: What responsibility vendors have?
> A: Zero. Check their dis
Completely disagree.
IMHO nobody should bother negotiating with terrorist vendors.
Q: What responsibility vendors have?
A: Zero. Check their disclaimers.
On Tue, Apr 23, 2013 at 04:14:53PM +0200, Gregory Boddin wrote:
> That's indeed not rocket science.
>
> Nobody should release their disclosu
That's indeed not rocket science.
Nobody should release their disclosure/exploit (or give hint about it) in
the wild before letting the vendor fix it.
There's already enough blackhats out there selling/using those.
I sure hope I am not the only person on the list who wishes responsible
disclos
On Tue, Apr 23, 2013 at 02:58:43PM +0300, Georgi Guninski wrote:
> please don't spam your opinion on every message you dislike.
I did not dislike the message. I believe they are making some good research.
> counterspam: if you ask me, don't notify the vendor unless there is
> some good external
On Mon, Apr 22, 2013 at 05:48:22PM +0300, Henri Salo wrote:
>
> Please follow responsible disclosure and report issues first to the vendor and
> go public after waiting for a fix (or no reply). VLC usually replies to
> important issues very fast. Please contact me in case you need a hand in
> comm
On Mon, Apr 22, 2013 at 03:10:19PM +0200, Jann Horn wrote:
> Hello,
> does anyone know how I can contact Vodafone Security (preferably a
> Germany-specific group because I have no idea whether the issue
> affects people in other countries, too)?
Thanks for all the replies. I sent a mail with detai
If it's urgent: try looking someone up on XING and contact them. Keywords:
vodafone, eschborn and maybe Cisco ASA (they use them). Always works for me.
On 22 April 2013 15:10:19, Jann Horn wrote:
Hello,
does anyone know how I can contact Vodafone Security (preferably a
Germany-specific group