Date: 2 Jun 2006 03:44:17 -0000
From: mikes@...a.com.au
To: bugtraq@...urityfocus.com
Subject: Re: Jiwa Financials - Reporting allows execution of arbitrary reports as SQL user with full permissions.


Secunia security advisory categorises it as "less critical":
http://secunia.com/advisories/20342/

I'm not going to argue with experts - our categorisation of the risk
level stays as it is.

Original report (which has been edited) claimed it was a remote exploit
- this is false, and seems to have only been included in the report for
added sensationalism.

There is nothing sensational here.

The only vulnerability is that an authenticated user may be able to run
a Crystal Report which could possibly reveal sensitive information,
should they have the skills to construct such a report.

Only information at risk is the information contained within the Jiwa
database, nothing else - no other SQL database, no files on the
filesystem.

Bug # 4186 in our system addresses this report redirection
vulnerability.

As of 5pm, Thursday June 1st, 2006 a patch for this is available for customers and dealers from our website, www.jiwa.com.au.

Password encryption is a todo feature logged way before this was
reported.  No promise was made.  My exact words were:

"...I don't like to comment on un-released products, as changes are
sometimes withdrawn before release, which can result in disappointment.
However, I feel some information on where we are heading may do
something to at least partially reassure you that we are making changes
to the security within the product..."

I then went on to cover a number of topics, including password
encryption, and provided a URL to our bug tracking database for Robert
to see all we were doing in the software.

Does a company which does not care provide someone like Robert with a
URL to their internal bug tracking database?

Robert, I strongly suggest you remain factual in your reports in
future.  We will not tolerate vexatious complaints or threats (care for
me to quote some of your emails to me, here in a public forum?).
