Full Disclosure mailing list archives
Re: Two biggest Indian University Websites are vulnerable
From: Jeffrey Walton <noloader () gmail com>
Date: Sat, 17 Jul 2010 11:33:46 -0400
On Sat, Jul 17, 2010 at 8:03 AM, Sandeep Sengupta <sandeep.sengupta () gmail com> wrote:
> 1. We spoke to Univ system admin over the phone yesterday. They are aware of the problem.
The best I can tell from Shreyas' link (if it is applicable), disclosing to the University does not relieve or indemnify you from provisions of 43 (G). Perhaps there's a section which allows public disclosure after private disclosure?
> Now up to them how much time they will take to rectify it. We hope they at least have the wisdom to bring the site down till it is debugged. They have the wisest men working for them, after all.
It's unfortunate that the University did not jump high enough when you clapped your hands. I suppose a 12-hour is better than a 0-day. Even Ormandy gave Microsoft about a man-week for the help center vulnerability (debatable, but somewhere around the truth).
> 2. In reply to other email from Benji, discovery consists of what everyone has seen & thinking what nobody has thought. I had the option of keeping quiet, but that would have kept the issue lingering & hundreds of students would have suffered.
You forgot to mention the other options at your disposal.
> Univ officials need to wake up fast.
Oh, I see - a political statement - you're grinding an axe. You really should not claim altruism ("I did it for the students"). Perhaps it was also a bit of advertisement for iSolution Software Systems Pvt Ltd, which is clearly not altruistic.
> 3. The matter has been published by press today morning. I have put on full disclosure more than 12 hours later.