Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Informing Companies about security vulnerabilities..

From: bugtraq () cgisecurity net
Date: Thu, 5 Oct 2006 13:59:39 -0400 (EDT)
Sound like you need to consider your response. I'll let the lawyers correct me, but AFAIK unless the thing you are 
pointing them at contravenes some laws, merely posting something with a cross site reference to a site does not 
constitute prohibited behaviour anywhere I know of, and there are many legitimate contexts to be doing this in (as 
well as the unitended ones) and intentional reasons why some sites explicitly allow this (for better or for worse).


If that is what he did then yes. However if you read the email you'd know he did in fact test it (in his words), more 
below.


Maybe you need to consult your lawyer :-).


Maybe you need to learn to follow the conversation before making blasted comments.



Quoting the original email
"Normally, I go to a live public website or two during the class and we talk about common tests to perform and how to 
approach certain types of websites. A common subject is how to handle large website with tons of dymanic content - so 
the class chose a major newspaper's website for the discussion. 
"

He is stating that he normally goes to public websites (or two) during the class. So far this isn't sounding to good.



"Usually when we do this we only find a few simple things (XXS for
example) - no big deal right. With this particular website we just kept finding another, after another and on and on. 
Over 600 instances of XXS, over 200 SQL Injection - this was bad. After a while it started to get boring there was so 
many....
"

Here he states 'with this particular website we just kept finding another...'. If he found something
this implies testing. He even mentions XSS and SQL Injection along with rough number estimates.



"So I drafted a letter to the editor as well as several other prominent people at the newspaper. It detailed my finding 
and recommended some possible mitigation strategies. "

He then states how he contacted this particular website to let them know he found vulns in their site. I hope this 
walkthrough clears up the confusion.




cheers,
--dr



No, cheers to you dr 

- Robert
http://www.cgisecurity.com/ Application Security News
http://www.cgisecurity.com/index.rss



------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: