Re: Informing Companies about security vulnerabilities..

From: bugtraq@cgisecurity.net
Date: Thu Oct 05 2006 - 13:59:39 EDT

• Next message: Paul Melson: "RE: Layer 3 and Firewall"
• Previous message: Elias-Bachrach, Ari (721): "RE: bittorrent == botnet"
• Next in thread: Dragos Ruiu: "Re: Informing Companies about security vulnerabilities.."
• Reply: Dragos Ruiu: "Re: Informing Companies about security vulnerabilities.."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

>> Sound like you need to consider your response. I'll let the lawyers correct me, but AFAIK unless the thing you are pointing them at contravenes some laws, merely posting something with a cross site reference to a site does not constitute prohibited behaviour anywhere I know of, and there are many legitimate contexts to be doing this in (as well as the unitended ones) and intentional reasons why some sites explicitly allow this (for better or for worse).

If that is what he did then yes. However if you read the email you'd know he did in fact test it (in his words), more below.

>> Maybe you need to consult your lawyer :-).

Maybe you need to learn to follow the conversation before making blasted comments.

Quoting the original email
"Normally, I go to a live public website or two during the class and we talk about common tests to perform and how to approach certain types of websites. A common subject is how to handle large website with tons of dymanic content - so the class chose a major newspaper's website for the discussion.
"

He is stating that he normally goes to public websites (or two) during the class. So far this isn't sounding to good.

"Usually when we do this we only find a few simple things (XXS for
example) - no big deal right. With this particular website we just kept finding another, after another and on and on. Over 600 instances of XXS, over 200 SQL Injection - this was bad. After a while it started to get boring there was so many....
"

Here he states 'with this particular website we just kept finding another...'. If he found something
this implies testing. He even mentions XSS and SQL Injection along with rough number estimates.

"So I drafted a letter to the editor as well as several other prominent people at the newspaper. It detailed my finding and recommended some possible mitigation strategies. "

He then states how he contacted this particular website to let them know he found vulns in their site. I hope this walkthrough clears up the confusion.

>> cheers,
>> --dr

No, cheers to you dr

- Robert
http://www.cgisecurity.com/ Application Security News
http://www.cgisecurity.com/index.rss

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

• Next message: Paul Melson: "RE: Layer 3 and Firewall"
• Previous message: Elias-Bachrach, Ari (721): "RE: bittorrent == botnet"
• Next in thread: Dragos Ruiu: "Re: Informing Companies about security vulnerabilities.."
• Reply: Dragos Ruiu: "Re: Informing Companies about security vulnerabilities.."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:07 EDT