Full Disclosure mailing list archives

Re[2]: Correction to latest Colsaire advisories


From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Tue, 14 Sep 2004 17:50:15 +0400

Dear advisories,

--Tuesday, September 14, 2004, 2:03:31 PM, you wrote to full-disclosure () lists netsys com:


a> It's always good to be correct(ness).

a> At  the  time  the  research was conducted (August 2003) we obviously
a> looked   around   for  as  much  information  as  possible  prior  to
a> commencing. There were a number of individual MIME issues around, but
a> most  were  single-product vulnerabilities. If the 3APA3A white paper
a> you  refer  to  was  in  existence  at  this  time, it was not one we
a> encountered.

http://www.google.com/search?q=content+filtering+bypass

It  was  very  hard  _not_ to find this whitepaper (and few more issues,
BTW, I need to update it :-) .

a> It has also been recently updated to include the latest
a> information, so I can not comment on its previous content.

This is content of initial post (February, 2002):

http://www.securityfocus.com/archive/1/256619
http://www.securiteam.com/securitynews/5DP0I206AY.html

I teach first year students to Google search. Do you want to hire me?

a> The Corsaire research project produced test cases for around 200 working
a> attack vectors, that when passed through the top 10 content products
a> produced over 800 individual vulnerabilities (needless to point out that
a> there are a lot more than 10 products in this arena).

And lot more than 200 attack vectors.

This  is a really serious work for serious company. Of cause, poor, busy
and  tired  3APA3A  can  not do it alone. 80% of his attempts to contact
vendors  with the cry to test their products failed. Your work is really
great,  but:  I  see  no  results  of  your  work:  a list of vulnerable
products.

200  x  10  table is 3 screens of data. Why not to publish it instead of
~10  uninformative  advisories? What is impact of this advisories except
self-advertising?  I  have  some  experience  in  this area, but I can't
identify  exact  problems  from  provided  information  except  issues I
already  know.  How  this  information  helps  vendors  to  secure their
products?  How  can  you  prevent  same  bugs  from  appearing in future
products  if  you  do  not  disclosure details? Should they all buy your
services to get more detailed information?

-- 
~/ZARAZA
Ñòðåëÿÿ âî âòîðîé ðàç, îí èñêàëå÷èë ïîñòîðîííåãî. Ïîñòîðîííèì áûë ÿ. (Òâåí)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Current thread: