[Full-disclosure] Re: WebCalendar Multiple Vulnerabilities

From: ascii (ascii_at_katamail.com)
Date: 11/30/05

  • Next message: Michael Holstein: "Re: [Full-disclosure] SOX whistleblowers' clause Compliance"
    Date: Wed, 30 Nov 2005 15:10:41 +0100
    To: Paul Laudanski <zx@castlecops.com>, full-disclosure@lists.grok.org.uk, ml@sikurezza.org, bugtraq@securityfocus.com, news@securiteam.com, bugs@securitytracker.com, vuln@secunia.com
    
    

    Paul Laudanski wrote:
    > I too tried contacting the vendor but received no response. Your timing
    > of vendor notice and vul'n release are fast unfortunately. Taking a look,
    > simple functions in PHP can be called upon to fix those issues.

    Thanks Paul for the cooperation :)

    I'm sorry I hadn't updated the advisory, but now I have.

    * * * *

    VI. VENDOR RESPONSE

    We had a response from Craig Knudsen, the project leader, on 20051128
    night. The same day the fast Craig resolved 3 of the 4 issues in the
    REL_1_0_0 branch of CVS, so soon a new version (probably 1.0.2) will be
    released to the public.

    * * * *

    Also, on the SourceForge project site there are these posts related to
    this advisory (thanks Craig for the links):

    http://sourceforge.net/forum/forum.php?thread_id=1392833&forum_id=11587
    http://sourceforge.net/forum/forum.php?thread_id=1393468&forum_id=11587

    http://sourceforge.net/mailarchive/forum.php?thread_id=9091328&forum_id=46247
    http://sourceforge.net/mailarchive/forum.php?thread_id=9089995&forum_id=46247

    ascii - http://www.ush.it
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/

