Time line
received or sent messages and even modify them. The response from the
vendor did not indicate that there is a concrete plan to resolve this
issue in the future.
Vendor contact timeline:
------------------------
2011-09-14: Initially contacted vendor
2011-09-14: Contact established to security team and sent advisory.
Asked for feedback and patch timeline.
2011-09-23: No response from vendor. Asked for feedback and patch
Fix Information
***************
Update to newest version.
Timeline:
***********
April 30th 2009: Contacted Vendor
April 30th 2009: Vendor reaction
April 30th 2009: Vendor commits fix
May 28th 2009: Full Disclosure
Novell has a planned release of iManager 2.7.4 in August 2010; this
release should fix these issues. The Novell team states that it will
provide patches for the currently vulnerable versions with the 2.7.3
ftf4 release before August, but this release has not yet been confirmed
(see the timeline for more details). In the meantime, users can
mitigate these flaws by applying the following countermeasures:
1. For [CVE-2010-1929 | 40480], establish a Web Application
Firewall rule for limiting the length of the parameters
'EnteredClassID' and 'NewClassName' in POST requests to the URI
17.03.2010 - found vulnerabilities.
30.03.2010 - disclosed at my site.
31.03.2010 - informed developers.
My specific question is did you contact the admin of this particular
site ahead of time with this information. Based on your timeline you
say you found it, you disclosed this issue on your site, then informed
developers. Then posting here 7 days afterwards seems a bit of a short
window to give an admin time to do anything.
I'm pretty sure I have the same issue on my site but given that we're
1. PHP on Linux (Ubuntu 8.10)
=============================
PHP Version 5.2.6-2ubuntu4.3
Timeline:
14:50 - started the attack
14:51 - web server is no longer responsive.
load average: 102.02, 30.68, 10.68
14:52 - web server is not responsive.
load average: 129.95, 49.29, 18.05
As I received a lot of feedback on this bug, I thought I'd update you. After not replying
to my notifications and subsequent forced partial disclosure, IBM stated
officially on their website that they were not affected and, to my surprise,
IBM got in contact immediately after disclosure to "coordinate".
If you read the timeline till the end, the story has a nice swing... Drama, insults,
everything. You could make a soap opera out of it. And you don't even have all the mails.
What happened during this "coordination" even surprised me. I am used to discussions,
I am used to stupid answers. However, what happened here bears no description.
<?php
// Form fields are taken straight from the POST request without any
// validation or escaping before they are used further down the script.
$mes = $_POST["fechames"];
$anio = $_POST["fechaanio"];
$correo = $_POST["correo"];
$bio = $_POST["bio"];
$gravatar = $_POST["gravatar"];
$timeline = $_POST["timeline"];
$country = $_POST["country"];
$state = $_POST["state"];
$sex = $_POST["sex"];
$show = $_POST["showing"];
. EXCEL.exe version 10.0.6854
. EXCEL.exe version 10.0.6856
. EXCEL.exe version 10.0.6860
9. *Report Timeline*
. 2010-04-16:
Initial notification to the vendor. Draft advisory and proof-of-concept
files sent to MSRC. Publication date set for May 10, 2010.
Symantec Management Platform 7.x
https://kb.altiris.com/display/1n/articleDirect/index.asp?aid=49389
Disclosure Timeline (YYYY/MM/DD):
=================================
2009.09.09: Vulnerability found
2009.09.15: Sent PoC, Advisory, Disclosure policy and planned disclosure
date (2009.10.01) to Vendor
Update:
Aladdin responded and posted a blog post, please read the timeline and
then the blog post.
http://www.aladdin.com/AircBlog/post/2009/05/Archive-Bypass-Issue-and-eSafe.aspx
It is said that:
-----------------
"This means that in case a customer receives such a specially crafted
* HTML that is embedded in e-mail messages
* HTML that is delivered via instant messaging applications
WebEx Upgrade Timeline
+---------------------
Upgrades from WBS 23 versions to WBS 26 are expected to be complete
by the end of September 2008.
    # Python 2 syntax; the string was wrapped across two lines by extraction.
    print '[-] Must specify a filename. Remember to change the pop pop ret address! :)'
else:
    createMaliciousFile(argv[1])
*Report Timeline*
2007-09-13: Email to IBM AIX security requesting security contact
information for Lotus Notes
2007-09-14: Reply from IBM AIX security team with contact information of
the IBM Lotus Notes security team
2007-09-17: Email to IBM Lotus Notes security notifying Core’s intent to
6. *Vendor Information, Solutions and Workarounds*
Regarding the vulnerability in the 'SearchSolution' page
[CVE-2011-1510], the SDP team identified this vulnerability
[2011-05-16] and it was fixed in SDP 8012, June 2011. ManageEngine did
not provide technical information, a workaround or a clear timeline for
fixes regarding [CVE-2011-1509]. Please contact the vendor for further
information and patches.
7. *Credits*
The contest includes two games: a backdoor hiding and a backdoor finding
contest which are played simultaneously. The contest will be played in
two rounds: a qualification round that starts before the conference and
ends during the conference, and a second (smaller and shorter) round
during the conference. Each round is a multi-player game, which is
played in two stages. The timeline is included below.
Prizes will be announced shortly. We will give prizes for all those that
get to the qualification round and special prizes for the winners of
each contest.
Timeline:
17.03.2010 - found vulnerabilities.
30.03.2010 - disclosed at my site.
31.03.2010 - informed developers.
-----------------------------
Pardon me, but you disclosed it at your site before you informed the
developers?
I don't even know what Dunia soccer is but how about you give vendors a
Cc: <bugtraq@securityfocus.com>
Sent: Thursday, April 08, 2010 10:05 PM
Subject: Re: Vulnerabilities in Dunia Soccer
> Timeline:
> 17.03.2010 - found vulnerabilities.
> 30.03.2010 - disclosed at my site.
> 31.03.2010 - informed developers.
> -----------------------------
>
Reference:
1)
http://www.liquidmatrix.org/blog/2008/03/11/advisory-adobe-livecycle-workflow-xss-vulnerability/
2) http://www.adobe.com/support/security/bulletins/apsb08-10.html
Time Line
Discovered: 16 January 2008
Reported: 16 January 2008
Fixed: 5 March 2008
Patch Release: 11 March 2008
Microsoft because the bug had been patched prior to RTM. Upon further
investigation, the vendor determined that the proof-of-concept provided
by Core was actually exploiting a different bug than the one originally
reported and that it should therefore be considered a separate security
issue. The URLMON sniffing vulnerability refers to the variant
discovered in the CORE-2008-0826 time line. When loading a local file,
Internet Explorer's HTML rendering engine [7] will only check its MIME
type to see if it is a positive match for the files it can handle. For
unknown types that are treated as HTML because they have been referred to
by a redirection, content type determination will default to 'text/html'
in the absence of a type explicitly set by the content source. In the case
Status: Published
Reference:
http://www.liquidmatrix.org/blog/2007/12/10/advisory-websense-xss-vulnerability/
========
Time Line
========
Discovered: 8 November 2007
Reported: 8 November 2007
Fixed: 21 November 2007
Patch Release: 21 November 2007
Update: after the reaction from avast, it is now clear that all versions
and products are affected; however, there is no plan to patch, and a
patch may or may not come at some point in the future.
You are encouraged to read the time line and draw your own conclusions.
Desktop Protection
* avast! 4 Professional (impact low, reason real-time protection)
* avast! 4 Home Edition (impact low, reason real-time protection)
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) Products affected
5) The Code
- Timeline corrected.
--------------------
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Luxology Modo 401 .LXO Integer Overflow
Website: http://www.protekresearchlab.com
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) The Code
#####################################################################################
> Have you checked the newest aka (also known as) latest version which is
> actually: 1.7.3 ?
No, I didn't, and there was a reason for it. All these 7 advisories were made
in 2009 (as is clear from the Timeline which I made for all advisories). Only
now I sent them to Bugtraq. And at that time XAMPP 1.7.1 was the latest
version.
Besides, in 2009 the developer of XAMPP answered me (with thanks) only one of
seven letters, and he didn't mention fixing any of the holes which I found.