RE: Developerstore.com expose critical customer info

From: Blue Boar (BlueBoar@thievco.com)
Date: 01/11/02


Date: Fri, 11 Jan 2002 11:51:46 -0800
From: Blue Boar <BlueBoar@thievco.com>
To: vuln-dev@securityfocus.com


> http://developerstore.com/devstore/productSearch.asp?searchText=
> |')%20union%20all%20select%201,name%20from%20sysobjects%20where%20
> type='U'--

You'll notice that this doesn't work any more. I did work just fine
when the note was sent to vuln-dev. I purposely held this post
while I contacted Microsoft, and they removed the script.

You're welcome to cry censorship, limited disclosure, hypocrisy, etc...
The posts won't be let through to the list unless someone has something
really useful to say.

This is in line with my policy for the list, as stated in administrivia
notes. In most cases, I will not allow a post that contains info on
how to nail a unique site. This is not the same as a client hole,
or a service that many people run, or a CSS problem that user
education can fix. No one could have (legitimately) fixed that
hole except the webmaster for that site.

If you have info on that site, and I allowed the post immediately, then
you would have been screwed. I might have info there, I really can't
remember. Doesn't have anything to do with my decision, though.

I post the information now, because I think that despite the fact that
the problem is now gone, it is important to have a track record, so
that you can be informed about the security of a site you might
do business with. So, now you know, and no one but the poster, myself,
and whoever else he told or figured it out on their own had a chance to
exploit it.

I will do this again in the future should it come up. About the only
time I won't hold the post is if the poster has admitted to breaking
the law, i.e. if a site were defaced, and the attacker posts to the
list with details of how they did it, that post is going right through.
(Because if you give me the info, and I keep it to myself, then you've
made me an accessory to the crime.)

                                        BB