Full Disclosure mailing list archives

Vendor casual towards vulnerability found in product


From: <stevenr () mastek com>
Date: Wed, 26 May 2004 18:30:59 +0530

Hi

I have found a vulnerability (my first :) ) and need some advice from
the more experienced members on this list...
I am not naming the vendor, product or giving exploit code for now, till I
get feedback from all, so please bear with me...

In my research on a commercial app server, I have come across a (in my
opinion) serious vulnerability in the product. Basically, an attacker can
destroy any configuration files like httpd.conf on the server only by typing
out a crafted URL. There is no way of blocking this type of URL, and no way
of tracing which user has exploited the vulnerability.

When I informed the vendor of this, their support replied that they have
known about this internally for 1 yr+ (this is a 2 yr old product) and are
in the process of fixing it in a "future release" (this despite having
released several patches in 1 yr). Also, they have not made the
vulnerability public. They got back saying that we should have installed another
component (which is built in, but usually not selected during installation
unless it's needed, and it's not a security component) in order to avoid the
exploit above. But at the same time they do not provide documentation saying
so. And it didn't make sense since the two were independent components
anyway. When asked about that, they pointed me to docs which said that if I
choose to install the other component I shall have better security, and that
I should have been able to deduce that not choosing the component would
result in less secure servers....grrrrr....

I have the following queries:

1. Would an exploit like this be said to be severe?
2. Is the vendor right in their approach to this issue?
3. How do I make public the vulnerability? (Vendor has given permission for
the same) 
4. Ok, I'll rather ask... *should* I make public details of this
vulnerability? (Since I know of sites using this app server, and they may be
taken down if the exploit goes out)

Your feedback would help.
 
Thanks
Steven Rebello


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html