Full Disclosure mailing list archives
RE: Vendor casual towards vulnerability found in product
From: "Aditya, ALD [Aditya Lalit Deshmukh]" <aditya.deshmukh () online gateway technolabs net>
Date: Thu, 27 May 2004 09:15:37 +0530
1. Would an exploit like this be said to be severe?
Yes. I assume from your email that the URL would have to reconfigure the server from scratch; then it is not serious, but if any file can be deleted then it is serious.
2. Is the vendor right in their approach to this issue?
No, the vendor should release a full advisory about this and, at a minimum, release a patch for this.
3. How do I make public the vulnerability? (Vendor has given permission for the same)
Google around for Rain Forest Puppy's disclosure policy for this; it is really good for this.
4. Ok, I'd rather ask... *should* I make public details of this vulnerability? (Since I know of sites using this app server, and they may be taken down if the exploit goes out)
Don't make it public without giving all the people affected a chance to protect their systems; however, you may release something like a one-line description of this and *not* give details to anyone except the vendor.

-aditya

________________________________________________________________________
Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Vendor casual towards vulnerability found in product stevenr (May 26)
- Re: Vendor casual towards vulnerability found in product Gadi Evron (May 26)
- Re: Vendor casual towards vulnerability found in product Harlan Carvey (May 26)
- Re: Vendor casual towards vulnerability found in product morning_wood (May 26)
- Re: Vendor casual towards vulnerability found in product George Capehart (May 26)
- RE: Vendor casual towards vulnerability found in product Aditya, ALD [Aditya Lalit Deshmukh] (May 26)