responsible disclosure
CodeScan Labs helps organisations secure their web services through the
automated scanning of the web application source code for security
vulnerabilities. The CodeScan product is currently available for ASP,
ASP.NET and PHP.
CodeScan Labs operates with Responsible Disclosure. As a result,
any published advisories will contain information around problems
identified by CodeScan, that have been resolved by the vendor. Additional
code problems which may be identified by CodeScan or its staff which are
not resolved by the vendor will not be made publicly available.
--
quite alarmed. The number of Bugs and Design problems we found
was so tremendous that we had problems dealing with the sheer
amount of Vendor coordination and notification emails.
Want numbers? Over 4000 emails.
(Where is the ROI for Responsible Disclosure here?)
The problems reach from simple bypasses and Denial of Service
attacks to Code execution; the Impacts reach from code execution
in the DMZ to Code execution in your Internal Network holding
what might be your most precious Knowledge - your entire
It is possible to execute an arbitrary command with root privileges on phion netfence 4.0.x, phion netfence < 4.2.15 and NG Firewall < 5.0.2 boxes with activated external authentication scheme (i.e. Active Directory). An attacker with the knowledge of an admin's username is able to perform arbitrary shell commands during the ssh login procedure on the box. The knowledge of the admin's password is not required.
Proof-of-Concept
---------------------------------------
A proof-of-concept exploit will not be disclosed due to a responsible disclosure agreement with the vendor.
Severity
---------------------------------------
Because of the high impact and the broad range of vulnerable versions, the severity is considered to be critical.
View here: https://www.stevenroddis.com/phpbb-ajax-chatshoutbox-mod-csrf-vulnerability/
Title: phpBB AJAX Chat/Shoutbox MOD CSRF Vulnerability
Release Date: 2011-04-30
Product Affected: http://startrekaccess.com/community/viewtopic.php?f=127&t=8675
Responsible Disclosure:
After repeated attempts to get the vendor to fix this flaw, he has told me to "Please stop taking up my time with something this trivial." I have provided a risk assessment, sources on CSRF including OWASP and my implementation on how to fix it.
If after a reasonable attempt to make the vendor realise it is a vulnerability, the vendor refuses to acknowledge the flaw, the vulnerability will be publicly published.
16/03/2009 : Resent
No reply
09/04/2009 : Resending, specifying this is the last attempt at responsible
disclosure.
No reply
13/04/2009 : Resending, specifying this is the last attempt at responsible
disclosure (sic)
CodeScan Labs helps organisations secure their web services through the
automated scanning of the web application source code for security
vulnerabilities. The CodeScan product is currently available for ASP, ASP.NET C#
and PHP
CodeScan Labs operates with Responsible Disclosure where appropriate. As a result,
any published advisories will contain information around problems
identified by CodeScan, that have been resolved by the vendor. Additional
code problems which may be identified by CodeScan or its staff which are
not resolved by the vendor may not be made publicly available.
--
Topics may include, but are certainly not limited to the following fields:
- Security Attacks: Malware, A.P.T., SCADA, Mobile Security, Social Engineering,
Russian Cyber Crime, etc.
- Defense: (Post-) (Quantum) Crypto, Responsible Disclosure, Emergency Response,
Warfare in the Virtual Domain, etc.
- Hardware: Hacking, Making, Electronics, Welding, Blacksmithing, gnireenignE
esreveR, Lock Picking, A/V hacking, etc.
[1] Articles about new vulnerabilities should mention possible
fixes or mitigations.
Responsible Disclosure
- ----------------------
In case of submitted vulnerabilities SektionEins GmbH will contact
the security team of the software vendor after the submission deadline
and share the vulnerability information with them. Along with the
vulnerability information SektionEins will provide the name of the
Patch available, but still not fixed in 5.4.3 (latest)
Timeline:
---------
* 2012 Feb - Discovered in 5.3.8, verified for 5.3.0/5.3.10 and 5.4.0
* 2012 March - Responsible Disclosure via SSD/BeyondSecurity
* 2012 April - Patch available 2012-04-19
* 2012 May/June - No trace of bugfix in svn for 5.3/5.4/trunk although
mentioned in bugref #61755
* 2012 June - No trace of bugfix in svn for 5.3/5.4/trunk, code ...
* 2012 June - public disclosure
# exit
k p8ce 0ut,
- dj j4zzy 3fn3t & th3 phr3zh pr1nc3 0f b3llk0r3
Responsible Disclosure:
++w3 h4v3 p3r$0n4lly br0k3n th1$ expl01t 1n a w4y th4t 1z m0r3-th4n-s1mpl3 t0
f1x (1 br0k3n l1n3) w1th th3 1nph0rm4t10n pr0v1d3d 1n th3 k0MM3ntz++
* [DeC] DO NOT DISTRIBUTE PRIVATE !!! [DeC] *
Upgrade to latest development version 1.2.0a1.
VI. VENDOR RESPONSE
It was a little surprise to find out that somebody issued CVE-2008-2276
during our responsible disclosure time-line.
From an internal email with Glenn Henshaw:
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
absolutely NO WARRANTY; not even the implied warranty of merchantability or
fitness for a particular purpose. Neither Virtual Security Research, LLC nor the author
accepts any liability for any direct, indirect, or consequential loss or damage
arising from use of, or reliance on, this information.
See the VSR disclosure policy for more information on our responsible disclosure
practices:
http://www.vsecurity.com/company/disclosure
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Copyright 2011 Virtual Security Research, LLC. All rights reserved.
-- Vendor information:
HTC has confirmed the existence of this vulnerability and it is working to release a hotfix to solve the issue. The temporary hotfix provided was named "LEO_S01175" but it still discloses the Twitter credentials by using HTTP instead of HTTPS.
We at Taddong honestly believe this finding must be publicly known by the information security community in order to take appropriate countermeasures and mitigate the vulnerable behavior. Therefore, we have tried to coordinate the release of this security advisory together with the vendor, following responsible disclosure principles. This vulnerability is especially relevant considering the extensive number of HTC mobile devices available in the market and the potential impact of the associated attacks.
-- Vulnerability report timeline:
2010-08-21: Taddong tries to report the vulnerability to HTC through the standard channels (web, e-mail...) without success.
2010-08-23: Taddong contacts other security researchers (Thanks Alberto!) previously involved in reporting vulnerabilities to HTC in order to identify a valid contact or notification channel to let HTC know about the issue.
# sinn3r@bt4:~$ ./iMailDecrypt.py admin C8D3D19AA094
# Ipswitch IMail Server - IMAP4 Server (IMail 11.01) Password Decryptor
# coded by sinn3r - x90.sinner{at}gmail.c0m
# [*] Password = god123
#
# Responsible Disclosure Timeline:
# 1/21/2010 - IMail vendor contacted
# 1/26/2010 - Got a reply from the vendor for more vulnerability
# clarification. No fix yet.
# 2/02/2010 - Received another reply from the vendor: Issues logged for
# additional research. No plans for immediate changes.
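The decryptor run shown above recovers "god123" from the stored value "C8D3D19AA094" for user "admin" without any secret key. The following is an added example, not sinn3r's iMailDecrypt.py from the page: the encoding it implements is inferred from that single sample (each stored byte equals the password character's code plus the code of the username character at the same position, with the username repeated as needed) and verified only against it, so treat the scheme as an assumption rather than vendor documentation. The point it makes is the security-relevant one: a stored form that can be inverted with nothing but the username is an encoding, not a hash, and anyone who reads the stored value has the password.

```python
"""
Added example reconstructing the reversible password encoding that the
decryptor output above implies. Assumption: stored_byte[i] = ord(password[i])
+ ord(username[i % len(username)]), rendered as uppercase hex. Checked only
against the one sample on the page (admin / C8D3D19AA094 / god123).
"""


def encode(username: str, password: str) -> str:
    """Apply the assumed encoding: per-character add of the cycled username."""
    if not username:
        raise ValueError("username must be non-empty")
    out = []
    for i, ch in enumerate(password):
        value = ord(ch) + ord(username[i % len(username)])
        # Two hex digits per character: sums of two printable ASCII codes
        # never exceed 0xFC, anything larger means non-ASCII input.
        if value > 0xFF:
            raise ValueError("input does not fit the two-hex-digit scheme")
        out.append(f"{value:02X}")
    return "".join(out)


def decode(username: str, stored: str) -> str:
    """Invert encode(): subtract the cycled username byte from each stored byte.

    No secret is involved; the username is public, so possession of the
    stored value is equivalent to possession of the password.
    """
    if not username:
        raise ValueError("username must be non-empty")
    if len(stored) % 2 != 0:
        raise ValueError("stored value must be an even number of hex digits")
    raw = bytes.fromhex(stored)  # raises ValueError on non-hex input
    chars = []
    for i, b in enumerate(raw):
        c = b - ord(username[i % len(username)])
        # A wrong username (or corrupted value) typically lands outside
        # printable ASCII; flag it instead of returning garbage.
        if not 0x20 <= c <= 0x7E:
            raise ValueError(f"byte {i} does not decode to printable ASCII")
        chars.append(chr(c))
    return "".join(chars)


if __name__ == "__main__":
    # Sample values from the page; expected output is "god123".
    print(decode("admin", "C8D3D19AA094"))
    # Round trip on constructed input (not from the page).
    print(encode("bob", "S3cret!"), decode("bob", encode("bob", "S3cret!")))
```

If a product you assess stores credentials this way, the remediation is not a stronger encoding but a salted, slow password hash (bcrypt, scrypt or Argon2) and, for any credential the server must send onward in clear, a proper secret store with access control.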
absolutely NO WARRANTY; not even the implied warranty of merchantability or
fitness for a particular purpose. Neither Virtual Security Research, LLC nor the author
accepts any liability for any direct, indirect, or consequential loss or damage
arising from use of, or reliance on, this information.
See the VSR disclosure policy for more information on our responsible disclosure
practices:
http://www.vsecurity.com/company/disclosure
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Copyright 2010 Virtual Security Research, LLC. All rights reserved.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Symantec Product Security/Vulnerability Management Team
Symantec takes the security of our products seriously as a responsible
disclosure company. You can view our response policies at
http://www.symantec.com/security.
We will work directly with anyone who believes they have found a security
issue in a Symantec product to validate the problem and coordinate any
response deemed necessary.
Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this buffer overflow
vulnerability. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions
such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application
and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet
to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats.
These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure
guidelines to ensure optimum protection during a threat's lifecycle.
References:
===========
FortiGuard Advisory: http://www.fortiguardcenter.com/advisory/FGA-2009-13.html
v7.6 prior to Hotfix 24
This issue is addressed in Hotfix 24, which can be downloaded at:
https://www.websense.com/content/mywebsense-hotfixes.aspx
NGS Secure is going to withhold details of this flaw for three months. This three month window will allow users the time needed to apply the patch before the details are released to the general public. This reflects the NGS Secure approach to responsible disclosure.
NGS Secure Research
http://www.ngssecure.com
TZ> time-to-time. Those are contractual agreements. Since you published
TZ> incomplete data previously, I see no reason to engage for such a test."
TZ> "You ask for cooperation, but yet
TZ> you only have leveled insinuations and have attempted to turn what has
TZ> taken place into something else. Hardly following responsible disclosure
TZ> as you have listed it."
TZ> "I welcome your thoughts and your input as there is always something to
TZ> reflect upon and to learn about. But this is a two way street, and I ask
TZ> you to learn from us that how we deploy our products is not what you
Updated software can be downloaded from:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Solutions:
==========
The FortiGuard Global Security Research Team released the signature "RealNetworks.RealPlayer.IVR.File.Processing.Code.Execution"
Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against these code execution vulnerabilities. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.
Acknowledgement:
================
Haifei Li of Fortinet's FortiGuard Global Security Research Team
That said, bugs exist whether we find them or not, every software has
them, and if the author had never reported them that in no way implies
they were not already known and/or being used for subversive means with
the potential intent to cause harm.
I guess I'm oldsk00l enough to like responsible disclosure, but also
anti-authoritarian enough (who's making the rules? why are they god?)
to believe this is not black and white. Scare away those who disclose
(regardless of method), and you're left with undisclosed vulnerabilities
the bad guys with the most to gain ($$$ to invest in teams of
hacke^H^H^Hengineers, not just script kiddies) still know about and can
Patches can be downloaded from Cisco's online support portal at:
http://www.cisco.com
NGS Secure is going to withhold details of this flaw for three months. Full details will be published on 01/03/2011. This three month window will allow users the time needed to apply the patch before the details are released to the general public. This reflects the NGS Secure approach to responsible disclosure.
NGS Secure Research
http://www.ngssecure.com
1. Advisory Information
------------------------------------------------------------------------------------------------------------------------
Title: Multiple security issues in Cute News and UTF-8 Cute News
Advisory ID: MORNINGSTAR-2009-02
Advisory URL: http://www.morningstarsecurity.com/advisories/
Release Type: Co-ordinated, responsible disclosure
2. Vulnerability Information
------------------------------------------------------------------------------------------------------------------------
Class: Cross Site Request Forgery, Cross Site Scripting, File Path
During last year's Microsoft Ninjitsu training at Black Hat Vegas, I
brought it up to my class and we all concurred that voodoo was afoot -
even some Microsoft guys (who shall remain nameless) thought so and told
me to STFU and to contact MSRC before talking about it anymore since it
looked like Outlook was actually crossing user context borders.
True to "responsible disclosure," I called upon the skillz of Jason
Geffner, a "reverse engineer" I work with at NGSSoftware. Jason is one
of those irritatingly smart people that can do anything, so I knew he'd
help me out (Actually, we've got lots of people like that at NGS ;). As
it turns out, Outlook is doing nothing close to what I feared.
Basically, the second instance sees that another Outlook window is
absolutely NO WARRANTY; not even the implied warranty of merchantability or
fitness for a particular purpose. Neither Virtual Security Research, LLC nor
the author accepts any liability for any direct, indirect, or consequential
loss or damage arising from use of, or reliance on, this information.
See the VSR disclosure policy for more information on our responsible disclosure
practices:
http://www.vsecurity.com/company/disclosure
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Copyright 2012 Virtual Security Research, LLC. All rights reserved.
----------------------------------------
Solutions:
• Use the solution provided by Microsoft (Microsoft Security Advisory 954157).
• FortiGuard Labs released a signature "MS.Windows.Indeo.Codec.Memory.Corruption", which covers this specific vulnerability.
FortiGuard Labs continues to monitor attacks against this vulnerability.
Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against this memory corruption vulnerability. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.
References:
• Microsoft Security Advisory: http://www.microsoft.com/technet/security/advisory/954157.mspx
• Microsoft Knowledge Base Article: http://support.microsoft.com/kb/954157
• CVE ID: CVE-2009-4210
Cheers,
Roberto
Michal Zalewski wrote:
>> Security-Assessment.com follows responsible disclosure
>> and promptly contacted Oracle after discovering
>> the issue. Oracle was contacted on August 1,
>> 2010.
>>
>