Open Source and information security mailing list archives
From: keydet89 at yahoo.com (Harlan Carvey)
Subject: Vendor casual towards vulnerability found in product

 
> >> Perhaps.  What is the real risk of destroying
> >> configuration files, if backups are being made?
> They restore from backup, someone erases them again,
> they restore, someone erases again, they restore...

Right, I understand that.  However, as a consultant,
I've seen places where incremental backups were made
several times a day, b/c users had a habit of moving
folders off of the server, and then deleting the
folder when they were done w/ the files in it.  Rather
than "train" the users, the admins took all of the
work on themselves.

> I would like to say that yes, I am none too happy
> with the way the vendor has reacted to this. And I
> shall explain why. I am responsible for a few of the
> production sites exposed and vulnerable to this flaw
> since they run this product. And there is nothing I
> can do to fix them since the flaw is core to the
> product.

I thought you mentioned something about a module or
something in your first post...something the vendor
knew about but never bothered to document...

> If this is known to anyone outside of the
> vendor's team, my servers are roadkill. And this
> thought doesn't really give me a warm feeling inside.

Well, besides the ability to wreak havoc, someone has
to actually do something.  For your servers to be
roadkill, someone has to actually launch a properly
formatted attack.

I know what you're thinking at this point..."if I
could figure it out, then surely a malicious
person/blackhat could have figured it out already,
too".  Well...maybe.  But who knows?  There's a great
deal of speculation about that sort of thing happening
with all sorts of vulnerabilities, but no actual
evidence to support it.
 
> Thanks all for your comments, I think I know what to
> do now.

Ok...good luck.
