Open Source and information security mailing list archives
Message-ID: <30957204.20050728122909@SECURITY.NNOV.RU>
Date: Thu Jul 28 09:29:17 2005
From: 3APA3A at SECURITY.NNOV.RU (3APA3A)
Subject: SPIDynamics WebInspect Cross-Application Scripting (XAS)

Dear DAN MORRILL,

--Wednesday, July 27, 2005, 10:08:12 PM, you wrote to 3APA3A@...URITY.NNOV.RU:

DM> Good Morning,

DM> I got the official notice from SPI Dynamics today on this issue. I am in no
DM> way slamming people at all, but the interesting response was inability to
DM> reproduce the XAS issue.

I was provided with additional information in response to your e-mail.

DM> At what point and how much support should the discoverer give to the
DM> company? Usually when I have a bug report it is a full set of instructions
DM> on exactly how to reproduce the issue, from OS, software running in
DM> background, what I was clicking or typing at the time.

DM> My question is that if we are submitting bug reports and POC code, just how
DM> much information do we give to the vendor, especially if they say that they
DM> cannot reproduce it? If the vendor cannot reproduce it, how much time and
DM> support should the discoverer give them?

-=-=-=-=-=-=-

Sent: Wednesday, April 20, 2005 3:05 AM
To: Sam Shober
Subject: RE: [CAS-01370] SPI Dynamics WebInspect Cross-Application Scripting (XAS)

Inline.

>Opening the scan data you sent on a default install of WebInspect 5.0.196
>shows how you are able to execute JavaScript in the report view and reload
>the vulnerability.htm.

It's OK. This is the task of the PoC.

-=-=-=-=-=-=-

Attached are the PoCs and screenshots sent to the vendor. I agree with the
reporter that this information is 100% enough to demonstrate the
vulnerability. Should the reporter also educate the technical staff of the
security product vendor, if they don't understand what a PoC is, what
cross-site scripting is, and what impact it has on a security-related
product's security?

-- 
~/ZARAZA
http://www.security.nnov.ru
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wwwroot.zip
Type: application/x-zip-compressed
Size: 498 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050728/57c63aec/wwwroot-0001.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: aha.PNG
Type: image/png
Size: 27059 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050728/57c63aec/aha-0001.png
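The pattern the vendor's reply confirms above (JavaScript harvested from the scanned site running inside the scanner's own report view) shown in a hypothetical toy report generator, as an added example. This is not WebInspect code and not the reporter's PoC, which was in the scrubbed wwwroot.zip attachment; the finding object, its field names and every function here are constructed for the illustration. The point is that a scanner's report renders data controlled by the target application, so an HTML fragment or response body captured from a hostile site crosses into the scanner's rendering context unless the report generator escapes it.

```javascript
// Toy report generator illustrating cross-application scripting (XAS):
// target-controlled scan data rendered into the scanner's HTML report.
// Hypothetical example; not the reporter's PoC and not vendor code.

// Constructed scan finding. The "evidence" field is a fragment of the
// scanned site's response, so a hostile target can put anything in it.
const finding = {
  url: "http://target.example/vulnerability.htm",
  check: "Reflected parameter",
  evidence: '<img src=x onerror="alert(document.location)"><script>alert(1)</script>',
};

// Vulnerable renderer: raw interpolation of target-controlled strings.
// Opening this report in a browser executes the scanned site's script
// with whatever privileges the report viewer has.
function renderReportVulnerable(f) {
  return `<html><body><h1>Scan report</h1>
<table>
<tr><th>URL</th><td>${f.url}</td></tr>
<tr><th>Check</th><td>${f.check}</td></tr>
<tr><th>Evidence</th><td>${f.evidence}</td></tr>
</table></body></html>`;
}

// Minimal HTML entity escaping, safe for text nodes and quoted attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: every target-derived field is escaped before it is
// placed in the report, so the evidence is displayed rather than executed.
// The URL is deliberately emitted as text, not as an href, so a
// "javascript:" URL from the target cannot become a clickable script.
// The CSP meta tag is defence in depth: a browser honouring it refuses to
// run inline script even if an escape is missed somewhere in the report.
function renderReportHardened(f) {
  return `<html><head>
<meta http-equiv="Content-Security-Policy" content="default-src 'none'">
</head><body><h1>Scan report</h1>
<table>
<tr><th>URL</th><td>${escapeHtml(f.url)}</td></tr>
<tr><th>Check</th><td>${escapeHtml(f.check)}</td></tr>
<tr><th>Evidence</th><td>${escapeHtml(f.evidence)}</td></tr>
</table></body></html>`;
}

// Crude self-check a report generator could run over its own output:
// flags literal markup that would execute when the report is opened.
// Escaped evidence (&lt;script&gt;, onerror=&quot;...) does not match.
function hasActiveContent(html) {
  return /<script\b|<\w+[^>]*\son\w+\s*=|javascript:/i.test(html);
}

// Usage: compare the two reports for the constructed finding.
console.log("vulnerable report executes script:", hasActiveContent(renderReportVulnerable(finding)));
console.log("hardened report executes script:", hasActiveContent(renderReportHardened(finding)));
```

Note that the self-check is only a smoke test for the report generator's own output; the real fix is escaping (or a templating engine that escapes by default) at every point where scanned data enters the report, because the scanner is, by design, consuming input from sites it must assume are hostile.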