Full Disclosure mailing list archives
Re: RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability
From: Cory Donnelly <lists2 () onryou com>
Date: Wed, 02 Jun 2004 08:24:30 -0400
Matt Zimmerman wrote:

> Such vendors/developers are doing their users and the community a disservice. Proper public disclosure of vulnerabilities requires very little effort on their part; there is no good reason to conceal information this way. There is no need to contact every downstream vendor directly; they monitor the usual channels.

From the shortsighted developer's perspective there are *plenty* of very compelling reasons to discreetly fix vulnerabilities. A developer may be wary of losing his/her job should management learn of the gaffe. A developer's pride may prevent him/her from notifying the appropriate folks in his/her organization. A developer may not realize the seriousness of a vulnerability (or may fix it accidentally). Management may pressure the developer to keep the changelog positive, using the argument that all documentation associated with their software must go through the PR department. Obviously the world would be a better place if these disclosures were made (and made consistently), but there are plenty of good reasons (depending on perspective) to keep quiet about bug fixes.

Regardless, we've strayed off-topic -- Roman's original point about how backporting security patches to debian-stable only works when debian-stable backporters are aware of vulnerabilities is absolutely correct.

take care,
Cory

_______________________________________________
Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html