Full Disclosure mailing list archives
RE: Vendor casual towards vulnerability found in product
From: Harlan Carvey <keydet89 () yahoo com>
Date: Wed, 26 May 2004 09:48:02 -0700 (PDT)
Perhaps. What is the real risk of destroying configuration files, if backups are being made? They restore from backup, someone erases them again, they restore, someone erases again, they restore...
Right, I understand that. However, as a consultant, I've seen places where incremental backups were made several times a day, b/c users had a habit of moving folders off of the server, and then deleting the folder when they were done w/ the files in it. Rather than "train" the users, the admins took all of the work on themselves.
I would like to say that yes, I am none too happy with the way the vendor has reacted to this. And I shall explain why. I am responsible for a few of the production sites exposed and vulnerable to this flaw since they run this product. And there is nothing I can do to fix them since the flaw is core to the product.
I thought you mentioned something about a module or something in your first post...something the vendor knew about but never bothered to document...
If this is known to anyone outside of the vendor's team, my servers are roadkill. And this thought doesn't really give me a warm feeling inside.
Well, besides the ability to wreak havoc, someone has to actually do something. For your servers to be roadkill, someone has to actually launch a properly formatted attack. I know what you're thinking at this point..."if I could figure it out, then surely a malicious person/blackhat could have figured it out already, too". Well...maybe. But who knows? There's a great deal of speculation about that sort of thing happening with all sorts of vulnerabilities, but no actual evidence to support it.
Thanks all for your comments, I think I know what to do now.
Ok...good luck.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html