Re: [Full-Disclosure] iDEFENSE Security Advisory 08.18.04: Courier-IMAP Remote Format String Vulnerability

From: Kyle Maxwell (krmaxwell_at_gmail.com)
Date: 08/18/04

  • Next message: Mandrake Linux Security Team: "[Full-Disclosure] MDKSA-2004:085 - Updated qt3 packages fix multiple vulnerabilities"
    To: customerservice@idefense.com, full-disclosure@lists.netsys.com
    Date: Wed, 18 Aug 2004 15:58:13 -0500
    
    

    On Wed, 18 Aug 2004 12:32:55 -0400, idlabs-advisories@idefense.com
    <idlabs-advisories@idefense.com> wrote:
    > Courier-IMAP Remote Format String Vulnerability
    >
    > iDEFENSE Security Advisory 08.18.04
    > www.idefense.com/application/poi/display?id=131&type=vulnerabilities
    > August 18, 2004

    [snip]

    > The vulnerability specifically exists within the auth_debug() function
    > defined in authlib/debug.c:
    > VIII. DISCLOSURE TIMELINE
    >
    > 08/10/2004 Initial vendor contact
    > 08/10/2004 iDEFENSE clients notified
    > 08/11/2004 Initial vendor response
    > 08/18/2004 Public disclosure
    >
    > IX. CREDIT
    >
    > An anonymous contributor is credited with discovering this
    > vulnerability.
    >
    > Get paid for vulnerability research
    > http://www.idefense.com/poi/teams/vcp.jsp
    >
    > X. LEGAL NOTICES
    >
    > Copyright (c) 2004 iDEFENSE, Inc.

    It's interesting to note that this was reported in March 2004 and
    reported at http://www.securityfocus.com/bid/9845. The CVE project had
    already announced an ID (see
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0224 or
    your preferred CVE database). Unless there's something substantially
    new here, iDEFENSE is charging customers for (and trying to gain
    reputation based on) information that is months old without even
    giving credit where its due. Perhaps the concept of plagiarism is
    worth reviewing here.

    -- 
    Kyle Maxwell
    krmaxwell@gmail.com
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    

  • Next message: Mandrake Linux Security Team: "[Full-Disclosure] MDKSA-2004:085 - Updated qt3 packages fix multiple vulnerabilities"

    Relevant Pages

    • RE: Consulting Question
      ... if in fact what you found was a zero day. ... go about informing the company about this vulnerability without them ... assistance I have a second question (concerning credit for finding such ...
      (Security-Basics)
    • Update: iDEFENSE Security Advisory 11.19.02b: Eudora Script Execution Vulnerability
      ... Hash: SHA1 ... he had already discovered various components of this vulnerability. ... The CREDIT section of http://www.idefense.com/advisory/11.19.02b.txt ... Thanks to Paul Szabo for bringing this to ...
      (Bugtraq)
    • [Full-Disclosure] Update: iDEFENSE Security Advisory 11.19.02b: Eudora Script Execution Vulnerabilit
      ... Hash: SHA1 ... he had already discovered various components of this vulnerability. ... The CREDIT section of http://www.idefense.com/advisory/11.19.02b.txt ... Thanks to Paul Szabo for bringing this to ...
      (Full-Disclosure)
    • Re: Consulting Question
      ... the problem in security lists like this one. ... company about this vulnerability without them leaving you 100% out of ... assistance I have a second question (concerning credit for finding such ... What is the proper/ethical protocol for publishing a ...
      (Security-Basics)
    • Re: Consulting Question
      ... Usualy companies trust 3rd party consultants more than someone from outside, because such consultants are damn expensive, so they must be damn good. ... Considering some draft about how to publish a vulnerability, if you sum up my previous statements and can anonymize that so far to get out of any risk, i think you can check ... that could lead to potential identity theft and system compromise. ... assistance I have a second question (concerning credit for finding such ...
      (Security-Basics)