RE: Spoofing .NET ViewState (Side Question)

From: Meidinger Chris (chris.meidinger@badenIT.de)
Date: Fri Jan 13 2006 - 11:13:14 EST


Hi Keith,

Rain Forest Puppy wrote a guideline a while ago to follow when
disclosing vulnerabilities. As far as I know, it is still considered
current and reasonable.

http://www.wiretrip.net/rfp/policy.html

Cheers,

Chris

> ----- Original Message -----
> From: "Keith Hanson" <seraphimrhapsody@gmail.com>
> To: <pen-test@securityfocus.com>
> Sent: Friday, January 13, 2006 6:36 AM
> Subject: Spoofing .NET ViewState
>
> > Also, as a side question, how would I go about releasing an exploit to
> > BugTraq with Proof-Of-Concept code and explanation of the issue? I've
> > contacted the vendor, and even gave them the issue and code. It's been
> > about 3 months ago, and I got no response after I gave them the
> > information for a whole month. Two weeks after submission, I asked
> > about it, and got no reply until two weeks later, I told them that I'd
> > like to go ahead and publicly disclose the issue since there was no
> > response from the company. I promptly got a response explaining that
> > he thought I had been contacted (Not sure if this is all that true,
> > given the lack of any response at all to my previous inquiries). What
> > do you guys suggest I do given your previous experiences?
> >
> > Thanks,
> > --Keith




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:22 EDT