Re: Siebel Vulnerabilities

From: security curmudgeon (jericho@attrition.org)
Date: Sat Aug 06 2005 - 04:09:43 EDT

• Next message: Maarten Hartsuijker: "Re: How to get a reverse Shell / VNC from a writable directory on a remote web server."
• Previous message: Tonie: "RE: AD password Auditing"
• In reply to: Javier Fernandez-Sanguino: "Re: Siebel Vulnerabilities"
• Next in thread: Javier Fernandez-Sanguino: "Re: Siebel Vulnerabilities"
• Reply: Javier Fernandez-Sanguino: "Re: Siebel Vulnerabilities"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

: Don't take vulnerabiltity databases as the holy grail. There are _many_
: products out there whose vulnerabilities do not get press attention or
: coverage in vulnerability databases. Almost any complex software systems
: (such as Tibco, Tivoli or HP Openview) do have a number of security
: issues. However, few people are going to have the opportunity to proper
: audit those as only a few corporations run them and people auditing them
: are typically under NDA agreements. Unless those that audit produce a
: flashy whitepaper ('Security in XXXX') you will never find their
: security issues. Of course, some vendors do have a clue and produces
: proper security guides for top-notch products that might be usable as an
: audit checklist reference. However, these guides might not be publicly
: available either.

For the most part you are right, but your tone implies they simply don't
care, and that is simply false. It doesn't take a flashy whitepaper for
several of the VDBs to add an entry. It just takes *one* public source to
cite. Some of them will check changelogs, product knowledge bases, vendor
mail lists, usenet and more places.

If these high end semi proprietary vendors won't publish such information
in any form, then VDBs won't have the info. As such, I doubt anyone else
except clients (possibly under NDA) and employees would have the
information as well. The only way this will change is if folks start
posting this information or sharing it with the VDBs provided it does not
break any confidentiality agreements.

: Trust security vulnerability databases and sources for the common stuff
: (i.e. wide-spread applications such as web servers or operating
: systems), don't trust them to be accurate when dealing with uncommon
: stuff only fortune 100 companies use.

Have you actually looked at the VDBs lately? This comment makes me think
you haven't.

------------------------------------------------------------------------------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't

Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:

http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
-------------------------------------------------------------------------------

• Next message: Maarten Hartsuijker: "Re: How to get a reverse Shell / VNC from a writable directory on a remote web server."
• Previous message: Tonie: "RE: AD password Auditing"
• In reply to: Javier Fernandez-Sanguino: "Re: Siebel Vulnerabilities"
• Next in thread: Javier Fernandez-Sanguino: "Re: Siebel Vulnerabilities"
• Reply: Javier Fernandez-Sanguino: "Re: Siebel Vulnerabilities"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:42 EDT