Full Disclosure mailing list archives

Re: On the vulnerabilities of web services

From: "The Security Community" <thesecuritycommunity () gmail com>
Date: Tue, 24 Jul 2007 06:30:23 -0400

On 7/24/07, Fabio Pietrosanti (naif) <lists () infosecurity ch> wrote:

I have no time to write a detailed post on the issues related with the
guys that are recently releasing bugs of web services.

I would like someone analyze the implications, differences in terms of
community advantages, people risks, technology enhancements related with
the disclosure of vulnerabilities of web services (misc websites of
railways, internet providers, public agencies, search engines and
webmails) VS the disclosure of vulnerabilities in standalone pieces of
software.

I don't like the public disclosure of XSSs and SQL Injections (and stuff
like that) on third party web sites, i don't consider it useful for
anyone, too risky for the 'researcher' and too risky for the third party
websites.

Only in July there was a storm of fucking websites vulnerabilities
announcements:

- http://seclists.org/fulldisclosure/2007/Jul/0457.html TRENITALIA.COM
- http://seclists.org/fulldisclosure/2007/Jul/0460.html STATCOUNTER.COM
- http://seclists.org/fulldisclosure/2007/Jul/0437.html ACTUAL TESTS
- http://seclists.org/fulldisclosure/2007/Jul/0296.html ORKUT
- http://seclists.org/fulldisclosure/2007/Jul/0187.html Wachovia Bank
- http://seclists.org/fulldisclosure/2007/Jul/0035.html blinzzard.com
- http://seclists.org/fulldisclosure/2007/Jul/0036.html WORLDOFWARCRAFT.COM

Hey guys, do you feel yourself cooler than before, now?


Feel free to edit at will for your own definition...

http://en.wikipedia.org/wiki/Full_disclosure

"Full disclosure requires that full details of a security
vulnerability are disclosed to the public, including details of the
vulnerability and how to detect and exploit it. The theory behind full
disclosure is that releasing vulnerability information immediately
results in quicker fixes and better security. Fixes are produced
faster because vendors and authors are forced to respond in order to
save face. Security is improved because the window of exposure, the
amount of time the vulnerability is open to attack, is reduced.

"In the realm of computer vulnerabilities, disclosure is often
achieved via mailing lists such as Bugtraq and full disclosure by
other means."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

On the vulnerabilities of web services Fabio Pietrosanti (naif) (Jul 24)
- Re: On the vulnerabilities of web services The Security Community (Jul 24)
  - Re: On the vulnerabilities of web services Fabio Pietrosanti (naif) (Jul 24)