lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Mon, 31 Jul 2006 23:48:29 +0300
From: "Valery Marchuk" <tecklord@...ocom.cv.ua>
To: <bugtraq@...urityfocus.com>,
	<full-disclosure@...ts.grok.org.uk>
Cc: 
Subject: Re: Re: Do world's famous companies take care of
	their security?

----- Original Message ----- 
From: "Steven M. Christey" <coley@...re.org>
To: <bugtraq@...urityfocus.com>; <full-disclosure@...ts.grok.org.uk>
Sent: Monday, July 31, 2006 10:43 PM
Subject: [Full-disclosure] Re: Do world's famous companies take care oftheir 
security?


> Vulnerability databases (CVE included) historically have NOT recorded
> site-specific XSS and other issues like sensitive data disclosure.
> The primary reason is that most vuln DBs are focused on issues in
> software that a system administrator would be directly responsible
> for.  Software services, which is basically what you're talking about
> with PayPal, Google, and the like, are not under direct control of the
> sysadmin - plus, the vendor merely needs to flip a switch (i.e. patch
> the bug) and the problem is instantly fixed for all customers.  The
> lines between "site-specific" and "distributable" software are
> becoming more blurry however, e.g. with hosted solutions.


And they should not! It`s not thier job.

>>XSS bugs are easy to discover and easy to fix, so what's the problem?
>
> This is a common misconception.  The basic XSS issues are easy to
> discover and fix, and there are still far too many of them in
> software.  That's partially because with XSS, every single
> input/output is suspect, and you simply don't get that large of an
> attack surface with other vuln types.  Over the years, XSS has
> demonstrated a rich set of attack variants, such as the recent 8-bit
> XSS bypass discussed by Kurt Huwig
> (http://seclists.org/lists/bugtraq/2006/Jun/0549.html)
>
> - Steve

There are many hardening tools (mod_security, iislockdown, IDS/IPS systems 
etc) which definitely CAN protect a vulnerable Web application and the 
victim from different kinds of attacks, including XSS. But there are no such 
tools installed, or they are not properly configured for most web sites. And 
I`m asking WHY? Is it the same reason as PayPal ignores XSS (or possibly 
other) flaws?



Valery

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ