Full Disclosure mailing list archives

Re: iDEFENSE Security Advisory 05.22.03: Authentication Bypass in iisPROTECT


From: "mattmurphy () kc rr com" <mattmurphy () kc rr com>
Date: Thu, 22 May 2003 19:00:06 -0400


12/31/2002  Issue disclosed to iDEFENSE
04/16/2003  E-mail sent to info () iisprotect com
04/16/2003  Response received from David Fearn of iisPROTECT
04/16/2003  Patch provided to iDEFENSE for verification
05/22/2003  Coordinated public disclosure


E-mail sent and patch provided the same day.

Yes, iisPROTECT's team was fast with the response, but think about it --
they make no other product to my knowledge, and the flaw effectively
rendered their product useless.

I hope iDefense had a few good reasons to hold on to this for over 100
days before even reporting it to the vendor.

Two responses here:

1) I sure hope the vendor had an *excellent reason* for peddling a useless
security solution to a large number of people, advertising that it
"protects web servers" without providing checks for basic HTTP URL encoding.

2) I sure hope that you never run a company without multi-fold growth in a
matter of months that deals with miles of backlog, and have to eat your
words when your customers ask about "good reasons to hold on to this".

Given the (relatively) low use of iisPROTECT (I hadn't learned of its
existence until today), and several far more critical vulnerabilities in
the works than the bypass of Basic authentication (which is known to be
weak anyway), iDEFENSE chose to hold onto it.  So some admin who secured
his crucial trade secrets with Base64 encoding loses a penny.  Who cares.
I know there are more critical vulnerabilities for iDEFENSE to handle
because I have reported multiple such issues myself.

P.S. - Dave, Sunil: Sorry about the hint to the kiddies.


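The flaw class the message refers to (a URL filter that compares the raw request line against a protected prefix without decoding it) is easiest to see next to a corrected check. The following is an added illustration, not iisPROTECT's code and not from the original post; the protected prefix, the sample request paths and the assumption that the IIS file system is case-insensitive are all constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed for this example: the prefixes the filter is meant to guard.
PROTECTED_PREFIXES = ("/secure/",)

def naive_requires_auth(raw_path: str) -> bool:
    """Flawed filter: matches the raw request line without any decoding."""
    return raw_path.startswith(PROTECTED_PREFIXES)

def canonical_path(raw_path: str) -> str:
    """Reduce a request path to the form the web server will actually resolve."""
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    # Percent-decode until stable so a double-encoded path is also handled.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")                      # IIS accepts backslash as separator
    path = posixpath.normpath("/" + path.lstrip("/"))   # collapse ./, ../ and //
    return path.lower()                                 # assumption: case-insensitive IIS

def hardened_requires_auth(raw_path: str) -> bool:
    """Filter that decides on the canonical path, not on the raw bytes."""
    canon = canonical_path(raw_path)
    return any(canon == p.rstrip("/") or canon.startswith(p)
               for p in PROTECTED_PREFIXES)

# Constructed sample requests: one plain protected request, one public request,
# and variants that name the same protected resource via encoding, case or traversal.
SAMPLE_REQUESTS = [
    "/secure/report.asp",
    "/public/index.asp",
    "/%73ecure/report.asp",
    "/SECURE/report.asp",
    "/public/../secure/report.asp",
    "/secure%2Freport.asp",
]

def audit(requests):
    """Return {raw_path: (naive_decision, hardened_decision)} for each request."""
    return {r: (naive_requires_auth(r), hardened_requires_auth(r)) for r in requests}

if __name__ == "__main__":
    for raw, (naive, hard) in audit(SAMPLE_REQUESTS).items():
        print(f"{raw:32} naive={naive!s:5} hardened={hard}")
```

Every row where the two decisions differ is a request the server would resolve to the protected resource while the naive filter waves it through; the fix is to make the filter canonicalize exactly the way the server does before deciding.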

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

