Full Disclosure mailing list archives
Re[2]: Correction to latest Colsaire advisories
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Tue, 14 Sep 2004 17:50:15 +0400
Dear advisories,

--Tuesday, September 14, 2004, 2:03:31 PM, you wrote to full-disclosure () lists netsys com:

a> It's always good to be correct(ness).

a> At the time the research was conducted (August 2003) we obviously
a> looked around for as much information as possible prior to
a> commencing. There were a number of individual MIME issues around, but
a> most were single-product vulnerabilities. If the 3APA3A white paper
a> you refer to was in existence at this time, it was not one we
a> encountered.

http://www.google.com/search?q=content+filtering+bypass

It was very hard _not_ to find this whitepaper (and a few more issues, BTW, I need to update it :-) ).

a> It has also been recently updated to include the latest
a> information, so I can not comment on its previous content.

This is the content of the initial post (February, 2002):

http://www.securityfocus.com/archive/1/256619
http://www.securiteam.com/securitynews/5DP0I206AY.html

I teach first year students to Google search. Do you want to hire me?

a> The Corsaire research project produced test cases for around 200 working
a> attack vectors, that when passed through the top 10 content products
a> produced over 800 individual vulnerabilities (needless to point out that
a> there are a lot more than 10 products in this arena).

And a lot more than 200 attack vectors. This is really serious work for a serious company. Of course, poor, busy and tired 3APA3A can not do it alone. 80% of his attempts to contact vendors with the cry to test their products failed.

Your work is really great, but: I see no results of your work: a list of vulnerable products. A 200 x 10 table is 3 screens of data. Why not publish it instead of ~10 uninformative advisories? What is the impact of these advisories except self-advertising? I have some experience in this area, but I can't identify exact problems from the provided information except issues I already know. How does this information help vendors to secure their products? How can you prevent the same bugs from appearing in future products if you do not disclose details? Should they all buy your services to get more detailed information?

--
~/ZARAZA
Firing a second time, he maimed a bystander. The bystander was me. (Twain)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Correction to latest Colsaire advisories 3APA3A (Sep 13)
- Re: Correction to latest Colsaire advisories Andreas Marx (Sep 15)
- <Possible follow-ups>
- Re: Correction to latest Colsaire advisories advisories (Sep 14)
- Re[2]: Correction to latest Colsaire advisories 3APA3A (Sep 14)
- Re[3]: Correction to latest Colsaire advisories advisories (Sep 14)
- Re[4]: Correction to latest Colsaire advisories 3APA3A (Sep 14)