Full Disclosure mailing list archives
Re: iDEFENSE Security Advisory 05.22.03: Authentication Bypass in iisPROTECT
From: "mattmurphy () kc rr com" <mattmurphy () kc rr com>
Date: Thu, 22 May 2003 19:00:06 -0400
12/31/2002 Issue disclosed to iDEFENSE
04/16/2003 E-mail sent to info () iisprotect com
04/16/2003 Response received from David Fearn of iisPROTECT
04/16/2003 Patch provided to iDEFENSE for verification
05/22/2003 Coordinated public disclosure
E-mail sent and patch provided the same day.
Yes, iisPROTECT's team was fast with the response, but think about it -- they make no other product to my knowledge, and the flaw effectively rendered their product useless.
I hope iDefense had a few good reasons to hold on to this for over 100 days before even reporting it to the vendor.
Two responses here:

1) I sure hope the vendor had an *excellent reason* for peddling a useless security solution to a large number of people, advertising that it "protects web servers" without providing checks for basic HTTP URL encoding.

2) I sure hope that you never run a company without multi-fold growth in a matter of months that deals with miles of backlog, and have to eat your words when your customers ask about "good reasons to hold on to this".

Given the (relatively) low use of iisPROTECT (I hadn't learned of its existence until today), and several far more critical vulnerabilities in the works than the bypass of Basic authentication (which is known to be weak anyway), iDEFENSE chose to hold onto it. So some admin who secured his crucial trade secrets with Base64 encoding loses a penny. Who cares. I know there are more critical vulnerabilities for iDEFENSE to handle because I have reported multiple such issues myself.

P.S. - Dave, Sunil: Sorry about the hint to the kiddies.
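An added illustration of the defect class the post refers to (example code, not iisPROTECT's or the advisory's): an authorization filter that compares the raw request path against its protected prefixes can be sidestepped by percent-encoding, whereas a filter that canonicalizes the path before deciding is not. The protected prefix and the sample paths are constructed.

```python
"""Canonicalize the request path before making an authorization decision.

Assumed setup (constructed for this example): a filter that must require
authentication for everything under /secure/ on a case-insensitive server.
"""
import posixpath
from urllib.parse import unquote

PROTECTED_PREFIXES = ("/secure/",)  # constructed sample configuration


def naive_requires_auth(raw_path: str) -> bool:
    """Defective check: matches the raw, still-encoded path literally,
    so "/%73ecure/x" is not recognised as "/secure/x"."""
    return raw_path.lower().startswith(PROTECTED_PREFIXES)


def canonicalize(raw_path: str) -> str:
    """Reduce a request path to the form the file system will see:
    strip the query, percent-decode (repeatedly, to catch double
    encoding), treat backslashes as separators, collapse '.' and '..'
    segments, and lower-case for a case-insensitive server."""
    path = raw_path.split("?", 1)[0]
    for _ in range(3):  # bounded: a few rounds is plenty, avoids looping forever
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path).lower()


def hardened_requires_auth(raw_path: str) -> bool:
    """Decide on the canonical path, not on the bytes the client sent."""
    canon = canonicalize(raw_path)
    return any(canon == p.rstrip("/") or canon.startswith(p)
               for p in PROTECTED_PREFIXES)
```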