Vulnerability Development mailing list archives
Re: Developerstore.com expose critical customer info
From: c c <cesarc56 () yahoo com>
Date: Sat, 12 Jan 2002 08:09:25 -0800 (PST)
Hi. What happens? : 1) I sent a e-mail to microsoft. Date: Wed, 9 Jan 2002 12:24:52 -0800 (PST) From: "c c" <cesarc56 () yahoo com> Subject: Critical Security problem in Developerstore.com To: secure () microsoft com Hi. The site Developerstore.com expose critical customer information, this happen because it's doesn't check user inputs, allowing sql inyection and cross site scripting. Regards. Cesar Cerrudo. 2) They answer (it seems an auto response, i don't know): Date: Wed, 9 Jan 2002 12:50:44 -0800 From: "Microsoft Security Response Center" <secure () microsoft com> To: "c c" <cesarc56 () yahoo com> Cc: "Microsoft Security Response Center" <secure () microsoft com> Hi Cesar, Thank you very much for contacting us and for letting us know about the CSS situation - we really appreciate it! I will let the dev teams know so that they can fix it. Again, thanks for your feedback. Kind regards, secure () microsoft com 3) Next day i check the site and they didn't have fix it, so then i post : Date: Thu, 10 Jan 2002 07:30:57 -0800 (PST) From: "c c" <cesarc56 () yahoo com> Subject: Developerstore.com expose critical customer info To: webappsec () securityfocus com, focus-ms () lists securityfocus com 4)webappsec () securityfocus com publish the post. The focus-ms () lists securityfocus com moderator tell me : Hi, Can you post this to Bugtraq instead? It's a more appropriate forum for this sort of thing. Cheers, Marc Fossi, MCSE i mistake, so i decided post to vuln-dev () securityfocus com 5)Blue Boar held the post, he contacted Microsoft, and they removed the script. They take the entire site down!. Why i did the post?: It was a critical hole. It took me 10 seconds to find it. And it would take 10 or more seconds to fix it. I contacted microsoft and more than 12 hours later they haven't fix it. What i were suposed to did? Wait days, months maybe years until microsoft fix it. And in that time the site will continue exposing customer info. I think that i could get what i want : the site fixed quickly, that was all i wanted!. Maybe some people are more quite when they don't know that this kind of holes exist and they are activily exploited. I think that microsoft or the company responsable never say "we are sorry, it was our mistake, we only want your money and quickly, we haven't time to do that, where do you want to go tomorrow?", instead of that they try to focus the atention in other direccion confusing people. We have to see only the facts and get our own conclusions. It seems that the post cause some undesired efects (Websleuth removed from OWASP, etc.), i'm really sorry it was not my intention. Sorry if you don't understand what i tried to say, english it's not my native language. Regards. Cesar Cerrudo. Parana, Entre Rios. Argentina. __________________________________________________ Do You Yahoo!? Send FREE video emails in Yahoo! Mail! http://promo.yahoo.com/videomail/
Current thread:
- Developerstore.com expose critical customer info c c (Jan 11)
- <Possible follow-ups>
- RE: Developerstore.com expose critical customer info Blue Boar (Jan 11)
- RE: Developerstore.com expose critical customer info sq (Jan 11)
- Re: Developerstore.com expose critical customer info Blue Boar (Jan 11)
- Re: Developerstore.com expose critical customer info c c (Jan 12)
- Re: Developerstore.com expose critical customer info Jeremiah Grossman (Jan 12)
- Re: Developerstore.com expose critical customer info shawn merdinger (Jan 13)
- RE: Developerstore.com expose critical customer info Mark Curphey (Jan 13)
- Re: Developerstore.com expose critical customer info Jeremiah Grossman (Jan 12)