Full Disclosure mailing list archives
Vendor casual towards vulnerability found in product
From: <stevenr () mastek com>
Date: Wed, 26 May 2004 18:30:59 +0530
Hi,

I have found a vulnerability (my first :) ) and need some advice from the more experienced members on this list... I am not naming the vendor or product, or giving exploit code for now, until I get feedback from all, so please bear with me...

In my research on a commercial app server, I have come across a (in my opinion) serious vulnerability in the product. Basically, an attacker can destroy any configuration file, like httpd.conf, on the server just by typing out a crafted URL. There is no way of blocking this type of URL, and no way of tracing which user has exploited the vulnerability.

When I informed the vendor of this, their support replied that they have known about this internally for 1 yr+ (this is a 2 yr old product) and are in the process of fixing it in a "future release" (this despite having released several patches in 1 yr). Also, they have not made the vulnerability public.

They got back saying that we should have installed another component (which is built in, but usually not selected during installation unless it's needed, and it's not a security component) in order to avoid the exploit above. But at the same time they do not provide documentation saying so. And it didn't make sense, since the two are independent components anyway. When asked about that, they pointed me to docs which said that if I choose to install the other component I shall have better security, and that I should have been able to deduce that not choosing the component would result in less secure servers....grrrrr....

I have the following queries:

1. Would an exploit like this be said to be severe?
2. Is the vendor right in their approach to this issue?
3. How do I make the vulnerability public? (The vendor has given permission for the same.)
4. Ok, I'll rather ask... *should* I make public the details of this vulnerability? (Since I know of sites using this app server, and they may be taken down if the exploit goes out.)

Your feedback would help.
Thanks,
Steven Rebello
MASTEK