
Re[2]: [Full-disclosure] SPI Dynamics WebInspect Cross-Application Scripting (XAS)



Dear DAN MORRILL,

--Wednesday, July 27, 2005, 10:08:12 PM, you wrote to 3APA3A@xxxxxxxxxxxxxxxx:

DM> I got the official notice from SPI Dynamics today on this issue. I am in no
DM> way slamming people at all, but the interesting response was inability to
DM> reproduce the XAS issue.

SPI Dynamics has already published an advisory on this issue and fixed this
vulnerability, at least partially.

Revisions:
V1.0 (July 27, 2005): Internal Release
V1.1 (July 28, 2005): Bulletin published

The effectiveness of full disclosure is proved again. A vulnerability known
since April was fixed in 2 days.

DM> Just a curiosity question based on the idea that we are all out there
DM> discovering things, that we will or will not give up to folks depending on
DM> what we discover. It's the inability to reproduce the issue that interests me
DM> the most, and what as a community should we do when no one else can verify
DM> our results? Well, outside of providing POC code, that may or may not work.

According to the reporter, the vendor was provided with

1. Problem description
2. PoC code
3. Screenshot
4. Example of the generated report.

You can find it on
http://www.security.nnov.ru/Fnews30.html

The last (unreplied) message sent to the vendor was

-=-=-=-=-=-=-= begin quote =-=-=-=-=-=-=-

Sent: Wednesday, April 20, 2005 3:05 AM
To: Sam Shober
Subject: RE: [CAS-01370] SPI Dynamics WebInspect Cross-Application Scripting (XAS)

Inline.

>Opening the scan data you sent on a default install of WebInspect 5.0.196 
>shows how you are able to execute JavaScript in the report view and reload 
>the vulnerability.htm. 

It's OK. This is the task of the PoC.

-=-=-=-=-=-=-=  end  quote =-=-=-=-=-=-=-

As you can see, the security company's representative was able to reproduce
the problem, but failed to understand what XAS is (and probably what a PoC is)
and how it affects a security-related product's security.

I agree with the reporter: he did everything to make the vendor fix the problem.

Should we also educate the company's support staff on how to handle
security alerts? This time full disclosure before the vendor fix was the _only_
solution, and it was quite effective. Now SPI Dynamics has published an e-mail
address for security alerts, and probably this address will be monitored by more
qualified staff in future. Making benefits from the faults is the best a
company can do in this case. Customers of SPI Dynamics can feel
more secure. Isn't it good?

There are many interesting things about vulnerability disclosure. Vendor
coordination is not the only one. Of course, a standard in this area is required;
RFPolicy is good, but it has no force. Another problem with disclosure
is information rights. Like it or not, vulnerability information
has its price, and this price is high. It's not clear to a vulnerability
researcher how he can use his rights to this information and
how these rights affect the product vendor and his rights. I feel we will
have many problems with this in future.


-- 
~/ZARAZA
http://www.security.nnov.ru/
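An added example to illustrate the vulnerability class discussed in this thread; it is not part of the original post and is not SPI Dynamics' code. The quoted vendor reply confirms the pattern: content returned by the scanned site is placed into the scanner's HTML report, so JavaScript from the target runs in the report viewer (cross-application scripting). The report layout, field names and sample findings below are all constructed for illustration; the hardened renderer escapes every untrusted field for the HTML context it lands in and only emits clickable links for http(s) URLs.

```python
"""Added example (not from the original post or from SPI Dynamics): how a
scanner's HTML report becomes an XSS sink for the site it scanned, and the
fix. All findings below are constructed sample data."""
import html
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    url: str          # untrusted: comes from the scanned site
    parameter: str    # untrusted: request parameter name seen on the site
    evidence: str     # untrusted: raw fragment of the server response
    severity: str     # trusted: assigned by the scanner itself


# Constructed sample: a scanned page that answers with a script tag and an
# attribute-breaking string. A real target can return anything at all.
SAMPLE_FINDINGS: List[Finding] = [
    Finding(
        url='http://example.test/search?q="><script>alert(1)</script>',
        parameter="q",
        evidence="<script>alert(1)</script>",
        severity="High",
    ),
    Finding(
        url="http://example.test/item?id=1",
        parameter="id",
        evidence="' onmouseover='alert(2)",
        severity="Medium",
    ),
]


def render_report_unsafe(findings: List[Finding]) -> str:
    """The XAS pattern: scanned content pasted straight into report HTML.
    Whatever the scanned site returned now runs in the report viewer."""
    rows = []
    for f in findings:
        rows.append(
            f"<tr><td><a href='{f.url}'>{f.url}</a></td>"
            f"<td>{f.parameter}</td><td>{f.evidence}</td>"
            f"<td>{f.severity}</td></tr>"
        )
    return "<table>" + "".join(rows) + "</table>"


def render_report_safe(findings: List[Finding]) -> str:
    """Hardened: every untrusted field is escaped for the context it lands in.
    html.escape(quote=True) is safe for both text nodes and double-quoted
    attribute values; a link is only emitted for http(s) URLs so that
    javascript: or data: schemes never become clickable."""
    rows = []
    for f in findings:
        url = html.escape(f.url, quote=True)
        if f.url.lower().startswith(("http://", "https://")):
            link = f'<a href="{url}">{url}</a>'
        else:
            link = url  # shown as text, not as a link
        rows.append(
            f"<tr><td>{link}</td>"
            f"<td>{html.escape(f.parameter, quote=True)}</td>"
            f"<td>{html.escape(f.evidence, quote=True)}</td>"
            f"<td>{html.escape(f.severity, quote=True)}</td></tr>"
        )
    return "<table>" + "".join(rows) + "</table>"


def contains_live_markup(report_html: str, findings: List[Finding]) -> bool:
    """Defender's check: does any untrusted field that carries markup
    characters appear verbatim in the report? True means the report is an
    XSS sink for the scanned site."""
    for f in findings:
        for field in (f.url, f.parameter, f.evidence):
            if any(c in field for c in "<>\"'") and field in report_html:
                return True
    return False


if __name__ == "__main__":
    unsafe = render_report_unsafe(SAMPLE_FINDINGS)
    safe = render_report_safe(SAMPLE_FINDINGS)
    print("unsafe report is a sink:", contains_live_markup(unsafe, SAMPLE_FINDINGS))
    print("safe report is a sink:  ", contains_live_markup(safe, SAMPLE_FINDINGS))
```

The same `contains_live_markup` check is a cheap regression test to run over any generated report: feed it the findings that produced the report and fail the build if a field containing `<`, `>` or a quote survives unescaped.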