Security Incidents mailing list archives

Re: *MAJOR SECURITY BREACH AT CCBILL**


From: Robert van der Meulen <rvdm () wiretrip org>
Date: Thu, 20 Dec 2001 00:12:50 +0100


Quoting l0rtamus Prime (simon () snosoft com):
> The problem with his web site is a simple perl issue that any average
> perl programmer can figure out. Any advice on what I should do?  Should
> I post a full disclosure?
> I have tried to contact him, his ISP (verio) and other people but thus
> far have yet to speak to anyone reasonable.

I've got very good experience with sending them a polite email, explaining
the issues, and making clear your intentions are good.
If they don't reply, mail again, Cc-ing the ISP/upstream involved.

Give them time, if they don't reply within a _reasonable_ amount of time,
try calling; try making the 'full disclosure' decision the last thing you
fall back on. I'm of course completely in favour of full disclosure, but
the target you're trying to help might have their own ideas about that. If
you can, try to leave that decision up to them.
I personally never had a bad response, or threats/legal stuff thrown at me.

Greets,
        Robert
-- 
                              Linux Generation
   encrypted mail preferred. finger rvdm () debian org for my GnuPG/PGP key.
      "Invalid element 'rvdm' in content of 'p'." (WAP emulator error)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
