Re[2]: [Full-disclosure] SPIDynamics WebInspect Cross-ApplicationScripting (XAS)
Dear DAN MORRILL,
--Wednesday, July 27, 2005, 10:08:12 PM, you wrote to 3APA3A@xxxxxxxxxxxxxxxx:
DM> I got the official notice from SPI Dynamics today on this issue. I am in no
DM> way slamming people at all, but the interesting response was the inability to
DM> reproduce the XAS issue.
SPI Dynamics has already published an advisory on this issue and fixed this
vulnerability, at least partially.
Revisions:
V1.0 (July 27, 2005): Internal Release
V1.1 (July 28, 2005): Bulletin published
The effectiveness of full disclosure is proven again. A vulnerability known
since April was fixed in 2 days.
DM> Just a curiosity question based on the idea that we are all out there
DM> discovering things, that we will or will not give up to folks depending on
DM> what we discover. It's the inability to reproduce the issue that interests me
DM> the most, and what as a community should we do when no one else can verify
DM> our results? Well, outside of providing POC code, that may or may not work.
According to the reporter, the vendor was provided with
1. Problem description
2. PoC code
3. Screenshot
4. Example of the generated report.
You can find it at
http://www.security.nnov.ru/Fnews30.html
The last (unanswered) message sent to the vendor was
-=-=-=-=-=-=-= begin quote =-=-=-=-=-=-=-
Sent: Wednesday, April 20, 2005 3:05 AM
To: Sam Shober
Subject: RE: [CAS-01370] SPI Dynamics WebInspect Cross-Application Scripting
(XAS)
Inline.
>Opening the scan data you sent on a default install of WebInspect 5.0.196
>shows how you are able to execute JavaScript in the report view and reload
>the vulnerability.htm.
It's ok. This is a task of the PoC.
-=-=-=-=-=-=-= end quote =-=-=-=-=-=-=-
As you can see, the security company's representative was able to reproduce
the problem, but failed to understand what XAS is (and probably what a PoC is)
and how it affects the security of a security-related product.
I agree with the reporter that he did everything to make the vendor fix the problem.
Should we also educate the company's support staff on how to handle
security alerts? This time full disclosure before the vendor fix was the _only_
solution and it was quite effective. Now SPI Dynamics has published an e-mail
address for security alerts, and probably this e-mail will be monitored by more
qualified staff in future. Making the best of its faults is the best a
company can do in this case. Customers of SPI Dynamics can feel
more secure. Isn't it good?
There are many interesting things about vulnerability disclosure. Vendor
coordination is not the only one. Of course, a standard in this area is required;
RFPolicy is good, but it has no force. Another problem with disclosure
is information rights. Like it or not, vulnerability information
has its price and this price is high. It's not clear to the vulnerability
researcher how he can use his rights to this information and
how these rights affect the product vendor and his rights. I feel we will
have many problems with this in future.
--
~/ZARAZA
http://www.security.nnov.ru/
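The quoted vendor exchange above describes the core of the XAS issue: scan data collected from a scanned site is rendered in the scanner's own report view, where it executes as JavaScript. The following is an added illustration of the defensive fix, written for this page; it is not code from the thread, from WebInspect, or from SPI Dynamics. The findings are constructed sample data, and the two report-rendering functions are hypothetical names chosen for the example: one pastes scanned strings into the HTML report verbatim, the other HTML-encodes every untrusted field before it is embedded in the report.

```python
import html

# Constructed sample findings, shaped like what a web scanner might record
# about a scanned page. The "evidence" values are attacker-controlled text
# taken from the scanned site, which is exactly what ends up in a report.
FINDINGS = [
    {
        "url": "http://example.test/search?q=<script>alert(1)</script>",
        "param": "q",
        "evidence": "<script>alert(1)</script>",
    },
    {
        "url": "http://example.test/login",
        "param": "user",
        "evidence": '" onmouseover="x()',
    },
]


def render_report_unsafe(findings):
    """Hypothetical 'before' renderer: scanned data is concatenated into the
    report HTML without encoding, so any markup in it becomes part of the
    report page and runs when a user opens the report."""
    rows = []
    for f in findings:
        rows.append(
            "<tr><td>%s</td><td>%s</td><td>%s</td></tr>"
            % (f["url"], f["param"], f["evidence"])
        )
    return "<table>" + "".join(rows) + "</table>"


def render_report(findings):
    """Hardened renderer: every field sourced from the scanned site is
    HTML-escaped (including quotes, so it is also safe inside attributes)
    before being placed into the report. The report displays the evidence
    as text instead of interpreting it as markup."""
    rows = []
    for f in findings:
        cells = [html.escape(f[k], quote=True) for k in ("url", "param", "evidence")]
        rows.append("<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % tuple(cells))
    return "<table>" + "".join(rows) + "</table>"


def report_contains_raw_markup(report_html):
    """Simple check a reviewer can run over a generated report: does any
    scripted or attribute-breaking markup from the findings survive verbatim?"""
    return "<script>" in report_html or 'onmouseover="' in report_html


if __name__ == "__main__":
    print("unsafe report leaks markup:", report_contains_raw_markup(render_report_unsafe(FINDINGS)))
    print("hardened report leaks markup:", report_contains_raw_markup(render_report(FINDINGS)))
```

The point of the check function is that the same data produces a safe or unsafe document depending only on the renderer; a report viewer that trusts its own output files still has to treat every string that originated on a scanned host as untrusted input.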