Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: mod_ibm_ssl & mod_ssl

from [Esteban Martinez Fayo] Network Security [Permanent Link]
Subject: Re: mod_ibm_ssl & mod_ssl
Date: Wed, 12 Oct 2005 13:14:31 -0700 (PDT) 
Hi,

IBM rarely issues advisories, not because their
products don't have security bugs, but because they
don't want the people to know about them.
I discovered and reported to them some vulnerabilities
in IBM WebSphere last year, some of them are fixed
now, but they never published advisories.

For example this one:
Remote Buffer overflow in WebSphere Application Server
Administrative Console
http://www.appsecinc.com/resources/alerts/general/WEBSPHERE-001.html
Has no advisory from IBM. They just included one line
of information in the List of Updates
http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg27004990
as APAR PK02002.
As you can see the option for more information about
the APAR PK02002 is disabled, there is no link.

Also there is a cross site scripting that I discovered
that is fixed for IBM WAS version 5.
It is listed as fixed in APAR PQ99687 but there is no
advisory from IBM.

I don't think that hiding this kind of information
will make IBM customers to be more secure.

Regards,

Esteban Martínez Fayó
Argeniss - Information Security
http://www.argeniss.com



--- jipi dini <jipidini@gmail.com> wrote:


Hi,

   what is used in mod_ibm_ssl with WebSphere?
   I am wondering in an advisory affecting mod_ssl
is also affecting
mod_ibm_ssl.

  Seems like there is never any advisories relased
for WebSphere.
  This is built on top of apache right ?

--
Thanks,
JiPi DiNi





                
__________________________________ 
Yahoo! Music Unlimited 
Access over 1 million songs. Try it free.
http://music.yahoo.com/unlimited/
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Notes from CISSP class with Dr. Eric Cole, kgp
Next by Date:  RE: Notes from CISSP class with Dr. Eric Cole, Mark Roxberry
Previous by Thread:  mod_ibm_ssl & mod_ssl, jipi dini
Next by Thread:  Administrivia: CISSP thread, Andrew van der Stock
Indexes:  [Date] [Thread] [Top] [All Lists]