Vulnerability Development mailing list archives

Re: Developerstore.com expose critical customer info


From: c c <cesarc56 () yahoo com>
Date: Sat, 12 Jan 2002 08:09:25 -0800 (PST)

Hi.

What happened:

1) I sent an e-mail to Microsoft.

Date: Wed, 9 Jan 2002 12:24:52 -0800 (PST)
From: "c c" <cesarc56 () yahoo com>
Subject: Critical Security problem in Developerstore.com
To: secure () microsoft com

Hi.
The site Developerstore.com exposes critical customer
information. This happens because it doesn't check
user inputs, allowing SQL injection and cross-site
scripting.

Regards.
Cesar Cerrudo.

2) They answered (it seems to be an auto-response, I don't
know):

Date: Wed, 9 Jan 2002 12:50:44 -0800
From: "Microsoft Security Response Center" <secure () microsoft com>
To: "c c" <cesarc56 () yahoo com>
Cc: "Microsoft Security Response Center" <secure () microsoft com>

Hi Cesar,

Thank you very much for contacting us and for letting
us know about the CSS situation - we really appreciate
it!  I will let the dev teams know so that they can
fix it.

Again, thanks for your feedback.
Kind regards,
secure () microsoft com

3) The next day I checked the site and they hadn't fixed
it, so I posted:

Date: Thu, 10 Jan 2002 07:30:57 -0800 (PST)
From: "c c" <cesarc56 () yahoo com>
Subject: Developerstore.com expose critical customer info
To: webappsec () securityfocus com, focus-ms () lists securityfocus com

4) webappsec () securityfocus com published the post.

The focus-ms () lists securityfocus com moderator told me:

Hi,

Can you post this to Bugtraq instead?  It's a more
appropriate forum for this sort of thing.

Cheers,

Marc Fossi, MCSE

My mistake, so I decided to post to
vuln-dev () securityfocus com


5) Blue Boar held the post, he contacted Microsoft, and
they removed the script. They took the entire site
down!


Why did I make the post?
 It was a critical hole. It took me 10 seconds to find
it. And it would take 10 or more seconds to fix it.
 I contacted Microsoft and more than 12 hours later
they hadn't fixed it. What was I supposed to do? Wait
days, months, maybe years until Microsoft fixed it? And
in that time the site would continue exposing customer
info. I think that I could get what I wanted: the site
fixed quickly; that was all I wanted! Maybe some
people are more quiet when they don't know that this
kind of hole exists and is actively exploited. I
think that Microsoft or the company responsible never
says "we are sorry, it was our mistake, we only want
your money and quickly, we haven't time to do that,
where do you want to go tomorrow?"; instead of that
they try to focus the attention in another direction,
confusing people. We have to look only at the facts and
reach our own conclusions.

It seems that the post caused some undesired effects
(Websleuth removed from OWASP, etc.). I'm really sorry,
it was not my intention.

Sorry if you don't understand what I tried to say;
English is not my native language.
Regards.

Cesar Cerrudo.
Parana, Entre Rios.
Argentina.


