RE: [Full-Disclosure] Vendor casual towards vulnerability found in product

From: Aditya, ALD [Aditya Lalit Deshmukh] (aditya.deshmukh_at_online.gateway.technolabs.net)
Date: 05/27/04

  • Next message: Aditya, ALD [Aditya Lalit Deshmukh]: "RE: [Full-Disclosure] Odd packet?"
    To: <stevenr@mastek.com>, <full-disclosure@lists.netsys.com>
    Date: Thu, 27 May 2004 09:15:37 +0530
    > 1. Would an exploit like this be said to be severe?

    yes, I assume from your email that the url would have to reconfig the server from scratch; then it is not serious, but if any file can be deleted then it is serious

    > 2. Is the vendor right in their approach to this issue?

    no, the vendor should release a full advisory about this and, at a minimum, release the patch for this

    > 3. How do I make public the vulnerability? (Vendor has given permission for the same)

    google around for Rain Forest Puppy's disclosure policy; it is really good for this

    > 4. Ok, I'll rather ask... *should* I make public details of this vulnerability? (Since I know of sites using this app server, and they may be taken down if the exploit goes out)

    don't make it public without giving all the people affected a chance to protect their systems; however, you may release something like a one-line description of this and *not* give details to anyone except the vendor

    -aditya

    ________________________________________________________________________
    Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
