| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 3 May 2007 23:59:35 +0100 From: Tim Brown <timb@...-dimension.org.uk> To: 3APA3A <3APA3A@...urity.nnov.ru> Cc: news@...uriteam.com, full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com Subject: Re: Medium security hole affecting DSL-G624T On Thursday 03 May 2007 23:19:55 3APA3A wrote: > Not exactly, read first link carefully: > > Tested on D-Link DSL-G624T > Version: Firmware Version : V3.00B01T01.YA-C.20060616 > > Discovered by: > > Jose Ramon Palanco: jose.palanco(at)eazel(dot).es Fair enough I stand corrected but it's been there since 1.something, so either way it's not new. I shall be more careful to read responses in future :). To categorically state what I mentioned in the original advisory, "I do not make any claim to having discovered the directory traversal first, I simply want the bug fixed". > Jose mentions both directory traversal and 3 examples of crossite > scripting. Crossite scripting examples are different from yours though > and require POST request. Your CSS is easier to exploit. Exactly. Although SF is now attributing BID 23802 (my XSS) to Jose as well :) > In fact, at least Russian D-Link support is very responsive to any bug > report, but it seems like only way to get a response is to post a > problem on their forum. So it seems, and there lies the problem, the UK forum at least does not function in either Firefox or Konqueror. I like vendors who respond by email and I like vendors who respond[1] quickly even more :). [1] such as our alternate discussion -- Tim Brown <mailto:timb@...-dimension.org.uk> <http://www.nth-dimension.org.uk/>
Powered by blists - more mailing lists