Full Disclosure mailing list archives
Re: University of Central Florida Multiple LFI
From: Chris M <chris () nullroute net>
Date: Sat, 19 Feb 2011 18:02:08 +0000
Agreed - by not taking further steps following the complete negligence of the institution to protect the security of their assets (and thereby placing students & staff at risk) there must be some further incentive to bring this to their attention. If anything they should have regular infrastructure meetings where items like this should be at the top of the agenda. Its unfortunate that it has to come to this with many institutions - I have had many similar experiences. On Sat, Feb 19, 2011 at 5:54 PM, Hack Talk <hacktalkblog () gmail com> wrote:
Weev, I actually know many of the "techrangers" who are UCF employed students which are in charge of maintaining websites and have spoken to them personally about these and other vulnerabilities many times in the past and they have yet to patch them. In addition to that I have gone so far as to finding one of the developer's website (http://www.stevenmonetti.com/) and not only emailing him, but adding him to my gTalk list (the invitation to which he has yet to accept after about a month) and after looking at his resume left him a text message and a voicemail all with no contact back. I am flat out when reporting vulnerabilities and let the affected party know from day one that I follow the RFP Responsible Disclosure Policy and if I don't hear back in 5 days I no longer need to work with them. On days 3 and 5 I always email back if they haven't gotten back in contact with me and once again reiterate the disclosure policy. At this point they must not care enough if I was doing that every 3 days for quite some time. If they don't care about their own security then something must happen to make them care. Luis Santana On Sat, Feb 19, 2011 at 12:49 PM, Eyeballing Weev < eyeballing.weev () gmail com> wrote:Shawn, "Hack Talk" would rather fire off 5 emails than pick up a phone, make a phone call and call someone from the WHOIS information since by his own admission he's a Florida resident who lives near UCF or maybe he's worried about law enforcement after all ;-) On 02/19/2011 12:46 PM, Hack Talk wrote:Hey Shawn, I typically follow the Rain Forest Puppy Responsible Disclosure Policy which I'm sure many people have read. I even extended the contact time to 2 weeks since Universities are quite busy places. During those 2 weeks I personally emailed them back 5 times and did not get a single response back. This is not the first time the University has neglected to respond to vulnerabilities affecting their sites and as such I decided that enough was enough and that by publicly disclosing these vulnerabilities they would be forced to patch their code. I've worked with many Universities in the past to patch there vulnerabilities and they have responded typically within 12 hours of me sending my initial email alerting them to the issue. Being a .edu does not exempt you from hackers wanting into your system and it does not mean you can get away with having gaping holes in security for months without patching them. Full Disclosure as a methodology is about forcing people to fix their holes which is exactly what I was hoping would happen to UCF. Thanks for doing your best to extinguish the flamewar that was starting:D.Luis Santana_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
-- I’m a hot-wired, heat seeking, warm-hearted cool customer, voice activated and bio-degradable. I interface with my database, my database is in cyberspace, so I’m interactive, I’m hyperactive and from time to time I’m radioactive.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: University of Central Florida Multiple LFI, (continued)
- Re: University of Central Florida Multiple LFI Madhur Ahuja (Feb 19)
- Re: University of Central Florida Multiple LFI Shawn Merdinger (Feb 19)
- Re: University of Central Florida Multiple LFI Eyeballing Weev (Feb 19)
- Re: University of Central Florida Multiple LFI Hack Talk (Feb 19)
- Re: University of Central Florida Multiple LFI Eyeballing Weev (Feb 19)
- Re: University of Central Florida Multiple LFI Hack Talk (Feb 19)
- Re: University of Central Florida Multiple LFI Shawn Merdinger (Feb 19)
- Re: University of Central Florida Multiple LFI Hack Talk (Feb 19)
- Re: University of Central Florida Multiple LFI Eyeballing Weev (Feb 19)
- Re: University of Central Florida Multiple LFI Hack Talk (Feb 19)
- Re: University of Central Florida Multiple LFI Chris M (Feb 19)
- Re: University of Central Florida Multiple LFI Caspian Kilkelly (Feb 20)
- Re: University of Central Florida Multiple LFI Hack Talk (Feb 20)
- Re: University of Central Florida Multiple LFI Chris M (Feb 20)
- Re: University of Central Florida Multiple LFI Shawn Merdinger (Feb 19)
- Re: University of Central Florida Multiple LFI Benji (Feb 21)
- Re: University of Central Florida Multiple LFI Nikhil Mittal (Feb 21)
- Re: University of Central Florida Multiple LFI / Dirty Indian rant Eyeballing Weev (Feb 21)
- Re: University of Central Florida Multiple LFI / Dirty Indian rant Cal Leeming [Simplicity Media Ltd] (Feb 21)
- Re: University of Central Florida Multiple LFI / Dirty Indian rant huj huj huj (Feb 21)