Message-ID: <Pine.LNX.4.64.1004221252090.27678@yossarian.aniota.com>
Date: Thu, 22 Apr 2010 14:11:53 -0700 (PDT)
From: terry white <twhite@...ota.com>
To: MustLive <mustlive@...security.com.ua>
Cc: bugtraq@...urityfocus.com
Subject: Re: Vulnerabilities in NovaBoard

... ciao:

: on "4-21-2010" "MustLive" writ:

    and about which, i find me confused.

: you can see the letter which was posted last week by one developer of 
: one such vulnerable web application ---
 
    from my reading of that exchange, i "thought" the author a 'system 
administrator', rather THAN, the programmer of the flawed application.  
from my experience, a sysadmin seldom enjoys the freedom programmers 
enjoy.

 
: it's the only way to draw attention of web developers to these issues.

: Timeline:
: 17.03.2010 - found vulnerabilities.
: 02.04.2010 - disclosed at my site.
: 03.04.2010 - informed developers.

    that would be correct, if and only if, captcha limitations were 
unknown to this community at 'this' point in time.  that, is clearly, not 
the case.
 
    if memory serves, you took exception to another's inability to act 
quickly in response to your discovery.  yet, there is NO chance of that 
happening given your 'notification' policy.  further, i do not recall 
mention of a workaround, or mitigation path.
 

    "attention of web developers to these issues"
 
    i've been watching this list prior to the "code-red" epidemic.  
cisco 675 routers puked on code-red.  i was the first to post a 
workaround, when i mentioned the problem i was having with the device.  given 
the objective you've outlined, i have to wonder what kind of attention 
you seek.  as a given:
 
    1.  your discoveries are like those of IE; big whoop.
    2.  you offer no solutions, or methods to mitigate the problem.
    3.  you offer < "ZERO" warning to those that need it most.
    4.  it looks like you're trying to drive traffic to your domain.
 
    do you really think this a way to be taken seriously in this 
community ...

-- 
... i'm a man, but i can change,
    if i have to , i guess ...
