responsible disclosure
[1] Articles about new vulnerabilities should mention possible
fixes or mitigations.
Responsible Disclosure
- ----------------------
In case of submitted vulnerabilities SektionEins GmbH will contact
the security team of the software vendor after the submission deadline
and share the vulnerability information with them. Along with the
vulnerability information SektionEins will provide the name of the
View here: https://www.stevenroddis.com/phpbb-ajax-chatshoutbox-mod-csrf-vulnerability/
Title: phpBB AJAX Chat/Shoutbox MOD CSRF Vulnerability
Release Date: 2011-04-30
Product Affected: http://startrekaccess.com/community/viewtopic.php?f=127&t=8675
Responsible Disclosure:
After repeated attempts to get the vendor to fix this flaw, he has told me to "Please stop taking up my time with something this trivial." I have provided a risk assessment, sources on CSRF including OWASP and my implementation on how to fix it.
If after a reasonable attempt to make the vendor realise it is a vulnerability, the vendor refuses to acknowledge the flaw, the vulnerability will be publicly published.
16/03/2009 : Resent
No reply
09/04/2009 : Resending, specifying this is the last attempt at responsible
disclosure.
No reply
13/04/2009 : Resending, specifying this is the last attempt at responsible
disclosure (sic)
# exit
k p8ce 0ut,
- dj j4zzy 3fn3t & th3 phr3zh pr1nc3 0f b3llk0r3
Responsible Disclosure:
++w3 h4v3 p3r$0n4lly br0k3n th1$ expl01t 1n a w4y th4t 1z m0r3-th4n-s1mpl3 t0
f1x (1 br0k3n l1n3) w1th th3 1nph0rm4t10n pr0v1d3d 1n th3 k0MM3ntz++
* [DeC] DO NOT DISTRIBUTE PRIVATE !!! [DeC] *
CodeScan Labs helps organisations secure their web services through the
automated scanning of the web application source code for security
vulnerabilities. The CodeScan product is currently available for ASP, ASP.NET C#
and PHP.
CodeScan Labs operates with Responsible Disclosure where appropriate. As a result,
any published advisories will contain information around problems
identified by CodeScan, that have been resolved by the vendor. Additional
code problems which may be identified by CodeScan or its staff which are
not resolved by the vendor may not be made publicly available.
--
quite alarmed. The number of bugs and design problems we found
was so tremendous that we had problems dealing with the sheer
amount of vendor coordination and notification emails.
Want numbers? Over 4000 emails.
(Where is the ROI for Responsible Disclosure here?)
The problems reach from simple bypasses and Denial of Service
attacks to Code execution; the Impacts reach from code execution
in the DMZ to Code execution in your Internal Network holding
what might be your most precious Knowledge - your entire
It is possible to execute an arbitrary command with root privileges on phion netfence 4.0.x, phion netfence < 4.2.15 and NG Firewall < 5.0.2 boxes with activated external authentication scheme (i.e. Active Directory). An attacker with the knowledge of an admin's username is able to perform arbitrary shell commands during the ssh login procedure on the box. The knowledge of the admin's password is not required.
Proof-of-Concept
---------------------------------------
A proof-of-concept exploit will not be disclosed due to a responsible disclosure agreement with the vendor.
Severity
---------------------------------------
Because of the high impact and the broad range of vulnerable versions, the severity is considered to be critical.
CodeScan Labs helps organisations secure their web services through the
automated scanning of the web application source code for security
vulnerabilities. The CodeScan product is currently available for ASP,
ASP.NET and PHP.
CodeScan Labs operates with Responsible Disclosure. As a result,
any published advisories will contain information around problems
identified by CodeScan, that have been resolved by the vendor. Additional
code problems which may be identified by CodeScan or its staff which are
not resolved by the vendor will not be made publicly available.
--
-- Vendor information:
HTC has confirmed the existence of this vulnerability and it is working to release a hotfix to solve the issue. The temporary hotfix provided was named "LEO_S01175" but it still discloses the Twitter credentials by using HTTP instead of HTTPS.
We at Taddong honestly believe this finding must be publicly known by the information security community in order to take appropriate countermeasures and mitigate the vulnerable behavior. Therefore, we have tried to coordinate the release of this security advisory together with the vendor, following responsible disclosure principles. This vulnerability is especially relevant considering the extensive number of HTC mobile devices available in the market and the potential impact of the associated attacks.
-- Vulnerability report timeline:
2010-08-21: Taddong tries to report the vulnerability to HTC through the standard channels (web, e-mail...) without success.
2010-08-23: Taddong contacts other security researchers (Thanks Alberto!) previously involved in reporting vulnerabilities to HTC in order to identify a valid contact or notification channel to let HTC know about the issue.
DriveArmor 3.0.0 or greater
An updated version of the software has been released to address these vulnerabilities:
http://esupport.trendmicro.com/solution/en-us/1060043.aspx
NGS Secure is going to withhold details of these flaws for three months. This three month window will allow users the time needed to apply the patch before the details are released to the general public. This reflects the NGS Secure approach to responsible disclosure.
NGS Secure Research
http://www.ngssecure.com
FFmpeg < 0.7.8
This issue is addressed in v 0.7.8 and v0.8.7, which can be downloaded at:
http://ffmpeg.org/download.html#release_0.7
NGS Secure is going to withhold details of this flaw for three months. This three month window will allow users the time needed to apply the patch before the details are released to the general public. This reflects the NGS Secure approach to responsible disclosure.
NGS Secure Research
http://www.ngssecure.com
+--------+
|Solution|
+--------+
Security-Assessment.com follows responsible
disclosure and promptly contacted the vendor after
discovering the issues. The vendor was contacted on
the 6th November 2009 and a reply was received on the
same day. The vendor released security patches on
the 11th February 2010.
Versions affected: version 6_2u7
This has been addressed as part of Oracle's April update:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html
NGS Secure is going to withhold details of this flaw for three months. This three month window will allow users the time needed to apply the patch before the details are released to the general public. This reflects the NGS Secure approach to responsible disclosure.
NGS Secure Research
http://www.ngssecure.com
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=89f903b3d5ec38c9c5d90fba7e626fa0eda61a32
NGS Secure is going to withhold details of this flaw for three months.
This three month window will allow users the time needed to apply the
patch before the details are released to the general public. This
reflects the NGS Secure approach to responsible disclosure.
NGS Secure Research
http://www.ngssecure.com
+--------+
|Solution|
+--------+
Security-Assessment.com follows responsible disclosure
and promptly contacted Oracle after discovering
the issue. Oracle was contacted on August 1,
2010.
Oracle has created a fix for this vulnerability which
+--------+
|Solution|
+--------+
Security-Assessment.com follows responsible disclosure
and promptly contacted the developer after discovering
the issue. The developer was contacted on June 8,
2009, and a response was received on June 11. A
fix was released on June 15, 2009.
v7.6 prior to Hotfix 24
This issue is addressed in Hotfix 24, which can be downloaded at:
https://www.websense.com/content/mywebsense-hotfixes.aspx
NGS Secure is going to withhold details of this flaw for three months. This three month window will allow users the time needed to apply the patch before the details are released to the general public. This reflects the NGS Secure approach to responsible disclosure.
NGS Secure Research
http://www.ngssecure.com
Solutions:
• Use the solution provided by Microsoft (Microsoft Security Advisory 954157).
• FortiGuard Labs released a signature "MS.Windows.Indeo.Codec.Memory.Corruption", which covers this specific vulnerability.
FortiGuard Labs continues to monitor attacks against this vulnerability.
Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against this memory corruption vulnerability. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.
References:
• Microsoft Security Advisory: http://www.microsoft.com/technet/security/advisory/954157.mspx
• Microsoft Knowledge Base Article: http://support.microsoft.com/kb/954157
• CVE ID: CVE-2009-4210
Apple has released a patch that addresses the issue. The announcement of this patch can be found here:
http://support.apple.com/kb/HT4581
NGS Secure is going to withhold details of this flaw for three months. This three month window will allow users the time needed to apply the patch before the details are released to the general public. This reflects the NGS Secure approach to responsible disclosure.
NGS Secure Research
http://www.ngssecure.com
Updated software can be downloaded from:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
NGS Secure is going to withhold details of this flaw for three months. This three month window will allow users the time needed to apply the patch before the details are released to the general public. This reflects the NGS Secure approach to responsible disclosure.
NGS Secure Research
http://www.ngssecure.com
Solutions:
==========
The FortiGuard Global Security Research Team released the signature "RealNetworks.RealPlayer.IVR.File.Processing.Code.Execution"
Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against these code execution vulnerabilities. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.
Acknowledgement:
================
Haifei Li of Fortinet's FortiGuard Global Security Research Team
absolutely NO WARRANTY; not even the implied warranty of merchantability or
fitness for a particular purpose. Virtual Security Research, LLC nor the author
accepts any liability for any direct, indirect, or consequential loss or damage
arising from use of, or reliance on, this information.
See the VSR disclosure policy for more information on our responsible disclosure
practices:
http://www.vsecurity.com/company/disclosure
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Copyright 2011 Virtual Security Research, LLC. All rights reserved.
Solutions:
==========
Use the solution provided by Microsoft (MS09-019).
The FortiGuard Global Security Research Team released a signature "MS.IE.DHTML.Function.Remote.Code.Execution", which covers this specific vulnerability.
Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this memory corruption vulnerability. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.
References:
===========
FortiGuard Advisory: http://www.fortiguardcenter.com/advisory/FGA-2009-22.html
Microsoft Bulletin: http://www.microsoft.com/technet/security/bulletin/ms09-019.mspx
Vendor contact timeline:
------------------------
2009-03-03: Asking support@ and security@level-one.de for a security contact,
attaching the SEC Consult responsible disclosure document.
I didn't find any reference to the security@ email address, it
seems that it is not being used.
http://global.level1.com/contactus.php
http://www.level-one.de/impressum.php
2009-03-10: Asking again, adding info@digital-data.de to the email list
* Users should apply the solution provided by Adobe (APSB10-26, http://www.adobe.com/support/security/bulletins/apsb10-26.html).
* FortiGuard Labs released a signature to protect against this vulnerability.
Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against this vulnerability. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.
References:
Adobe Security Bulletin: http://www.adobe.com/support/security/bulletins/apsb10-26.html
CVE ID: CVE-2010-3637 (FG-VD-10-020)
11/24/2010 - Reply from vendor informing me that my 'software manipulation' was illegal
11/24/2010 - Response to vendor regarding their accusation of illegal actions on my part
11/24/2010 - Reply from vendor stating that by releasing this information, I am committing a crime
11/24/2010 - Response to vendor that their software is CC-licensed and that their accusations are unfounded
11/24/2010 - Rebuttal from vendor again affirming I was breaking the law by disclosing this vulnerability
11/24/2010 - Reply to vendor again stating my intent to help the company and provide responsible disclosure
11/24/2010 - Response from vendor stating they would no longer respond and explained their stance on fixing this issue
11/24/2010 - Final reply to vendor stating that I was happy to work with them on a delayed disclosure if desired
12/15/2010 - Public disclosure
Apple has released patches that address the issue. The announcements of the patches can be found here:
http://support.apple.com/kb/DL1357
http://support.apple.com/kb/HT4581
NGS Secure is going to withhold details of this flaw for three months. This three month window will allow users the time needed to apply the patch before the details are released to the general public. This reflects the NGS Secure approach to responsible disclosure.
NGS Secure Research
http://www.ngssecure.com
________________________________
time-to-time. Those are contractual agreements. Since you published
incomplete data previously, I see no reason to engage for such a test."
"You ask for cooperation, but yet
you only have leveled insinuations and have attempted to turn what has
taken place into something else. Hardly following responsible disclosure
as you have listed it."
"I welcome your thoughts and your input as there is always something to
reflect upon and to learn about. But this is a two way street, and I ask
you to learn from us that how we deploy our products is not what you
You are responsible for what you do with this information. No one else accepts liability for what you do.
Credit: Discovered by Marvin Simkin.
About the author:
Marvin Simkin was one of several security researchers to independently discover "reflected" (type 1) XSS and participate in responsible disclosure in 1999. At the time of discovery, available statistics suggested that at least 95% of all web sites on the Internet were vulnerable.
-------------------------------------
Marvin Simkin
Manager of Information Technology
School of Earth and Space Exploration