Message-ID: <63340-2200354222306979@M2W033.mail2web.com>
From: mattmurphy at kc.rr.com (mattmurphy@...rr.com)
Subject: iDEFENSE Security Advisory 05.22.03: Authentication Bypass in iisPROTECT

>>
>>12/31/2002  Issue disclosed to iDEFENSE
>>04/16/2003  E-mail sent to info@...protect.com
>>04/16/2003  Response received from David Fearn of iisPROTECT
>>04/16/2003  Patch provided to iDEFENSE for verification
>>05/22/2003  Coordinated public disclosure
>>

>EMail sent and patch provided the same day. 

Yes, iisPROTECT's team was fast with the response, but think about it --
they make no other product to my knowledge, and the flaw effectively
rendered their product useless.

>I hope iDefense had a few good reasons to hold on to this for over 100
>days before even reporting it to the vendor.

Two responses here:

1) I sure hope the vendor had an *excellent reason* for peddling a useless
security solution to a large number of people, advertising that it
"protects web servers" without providing checks for basic HTTP URL encoding.

2) I sure hope that you never run a company without multi-fold growth in a
matter of months that deals with miles of backlog, and have to eat your
words when your customers ask about "good reasons to hold on to this".

Given the (relatively) low use of iisPROTECT (I hadn't learned of its
existence until today), and several far more critical vulnerabilities in
the works than the bypass of Basic authentication (which is known to be
weak anyway), iDEFENSE chose to hold onto it.  So some admin who secured
his crucial trade secrets with Base64 encoding loses a penny.  Who cares. 
I know there are more critical vulnerabilities for iDEFENSE to handle
because I have reported multiple such issues myself.

P.S. - Dave, Sunil: Sorry about the hint to the kiddies.

--------------------------------------------------------------------
mail2web - Check your email from the web at
http://mail2web.com/ .
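The failure mode the reply points at (a URL-based access control that compares the raw request path and so never sees the percent-encoded, mixed-case or dot-segment spellings of the same resource) is easy to reproduce and to fix in a few lines. The example below is added here for illustration; it is not code from the post, from iDEFENSE or from iisPROTECT, and it assumes a single protected prefix of `/secure/` and that the product's check was a plain string prefix comparison (the post only says it lacked URL-encoding checks). The hardened version canonicalizes the path (repeated percent-decoding, backslash and duplicate-slash collapsing, dot-segment removal, case folding for IIS's case-insensitive filesystem) before applying the rule, which is the check a defender would add.

```python
"""Naive vs. canonicalizing path-based access check (added example, constructed)."""
import posixpath
import re
from urllib.parse import unquote

# Constructed sample configuration: directories that require authentication.
PROTECTED_PREFIXES = ("/secure/",)

# Upper bound on decode passes so a hostile, deeply nested encoding cannot loop forever.
MAX_DECODE_PASSES = 5


def naive_is_protected(raw_path: str) -> bool:
    """The weak check: compare the request path exactly as it arrived on the wire."""
    return raw_path.startswith(PROTECTED_PREFIXES)


def canonicalize(raw_path: str) -> str:
    """Reduce every spelling of a path to one canonical form before any policy decision."""
    path = raw_path
    # Percent-decode until stable so double encoding (%252f -> %2f -> /) is unwrapped.
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # IIS accepts backslashes as separators; treat them as forward slashes.
    path = path.replace("\\", "/")
    # Collapse runs of slashes (posixpath.normpath would keep a leading "//").
    path = re.sub(r"/+", "/", path)
    if not path.startswith("/"):
        path = "/" + path
    # Resolve "." and ".." segments; normpath never climbs above "/".
    path = posixpath.normpath(path)
    # Case-insensitive filesystem: fold case so /SECURE and /secure are the same rule.
    return path.lower()


def hardened_is_protected(raw_path: str) -> bool:
    """The corrected check: apply the rule to the canonical path, not the raw one."""
    canon = canonicalize(raw_path)
    for prefix in PROTECTED_PREFIXES:
        # normpath strips the trailing slash, so match the directory itself too.
        if canon == prefix.rstrip("/") or canon.startswith(prefix):
            return True
    return False


def find_bypasses(request_paths):
    """Return the paths a naive check would let through but the hardened check covers.

    Useful when reviewing web server logs for requests that slipped past a
    raw-path filter.
    """
    return [
        p for p in request_paths
        if hardened_is_protected(p) and not naive_is_protected(p)
    ]


if __name__ == "__main__":
    # Constructed sample requests, all of which resolve to the protected directory
    # except the last one.
    sample = [
        "/secure/report.pdf",
        "/SECURE/report.pdf",
        "/%73ecure/report.pdf",
        "/public/../secure/report.pdf",
        "/%252fsecure/report.pdf",
        "/public/index.html",
    ]
    for p in sample:
        print(f"{p:32} naive={naive_is_protected(p)!s:5} hardened={hardened_is_protected(p)}")
    print("missed by naive check:", find_bypasses(sample))
```

The decode loop is bounded rather than open-ended, and the comparison happens only after every normalization step, which is the order that matters: decoding after the policy decision is exactly what lets the raw-path check be skipped.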