From: keydet89 at yahoo.com (Harlan Carvey)
Subject: Vendor casual towards vulnerability found in product

> >> Perhaps. What is the real risk of destroying
> >> configuration files, if backups are being made?
>
> They restore from backup, someone erases them again,
> they restore, someone erases again, they restore...

Right, I understand that. However, as a consultant, I've seen places where incremental backups were made several times a day, b/c users had a habit of moving folders off of the server, and then deleting the folder when they were done w/ the files in it. Rather than "train" the users, the admins took all of the work on themselves.

> I would like to say that yes, I am none too happy
> with the way the vendor has reacted to this. And I
> shall explain why. I am responsible for a few of the
> production sites exposed and vulnerable to this flaw
> since they run this product. And there is nothing I
> can do to fix them since the flaw is core to the
> product.

I thought you mentioned something about a module or something in your first post...something the vendor knew about but never bothered to document...

> If this is known to anyone outside of the
> vendor's team, my servers are roadkill. And this
> thought doesn't really give me a warm feeling inside.

Well, besides the ability to wreak havoc, someone has to actually do something. For your servers to be roadkill, someone has to actually launch a properly formatted attack. I know what you're thinking at this point..."if I could figure it out, then surely a malicious person/blackhat could have figured it out already, too". Well...maybe. But who knows? There's a great deal of speculation about that sort of thing happening with all sorts of vulnerabilities, but no actual evidence to support it.

> Thanks all for your comments, I think I know what to
> do now.

Ok...good luck.