Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security SecProg
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Web Site Vulnerabilities

from [Yvan G.J. Boily] Network Security [Permanent Link]
Subject: RE: Web Site Vulnerabilities
Date: Tue, 26 Oct 2004 10:26:33 -0500 
Your course of action is dictated by the amount of liability and 
confidentiality you have assumed.

If you have signed an NDA then there is little you can do after explaining the 
issue.  If there is no NDA and you feel confident
that you are correct you can inform them that you will go public with your 
information in a reasonable period of time.  

If you choose to go public, then allow them the opportunity to correct the 
issue before going public, and make sure that there is
nothing (i.e. DMCA and such) which could be used to assign legal liability to 
you.

Realistically speaking though, if they don't believe it is an issue, and you 
have tried to educate them, then you have done the best
you can.  Sometimes organizations have to put their hand in the fire before 
they understand what it feels like to get burned.

Yvan

-----Original Message-----
From: Cory Foy [mailto:usergroup@cornetdesign.com] 
Sent: Monday, October 25, 2004 6:43 PM
To: secprog@securityfocus.com
Subject: Web Site Vulnerabilities

Recently I came across two web sites that had various vulnerabilities. 
One was subject to a basic SQL injection attack to log in to their customer 
side, and the other was displaying ASP code in the page
that listed not only various function definitions, but login, URL and passwords 
(including sa) for their database.

In both cases I have working relationships with the managers and sent an email 
off to them. In both instances the managers replied
that they were aware of the issues and the SQL injection attacks, but didn't 
feel it was a priority to fix.

On one of the sites I could understand. It is basically a portal to publically 
available information, and no secure information is
stored in their system. The second was on a machine that passed authentication 
information to a remote banking site and though I
don't know, would surmise that it might be possible to jump off of it if 
compromised.

Have we really become so lax in our thinking that security issues such as these 
can be shrugged off? Don't get me wrong, I'm not
suggesting that either of these cases should kill all development and 
immediately fix it (though in the case of SQL injection
attacks it is so easy to fix...). But some response should at least be 
justified (for example, with the banking site, whose vuln is
still present). Or is it fine to postpone worrying about problems such as these 
if you don't think they will have an impact?

Cory
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Web Site Vulnerabilities, Cory Foy
Next by Date:  Re: Web Site Vulnerabilities, Jeff Bryner
Previous by Thread:  Web Site Vulnerabilities, Cory Foy
Next by Thread:  Re: Web Site Vulnerabilities, Jeff Bryner
Indexes:  [Date] [Thread] [Top] [All Lists]