Message-ID: <1304590245.20070907015047@Zoller.lu>
Date: Fri, 7 Sep 2007 01:50:47 +0200
From: Thierry Zoller <Thierry@...ler.lu>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [WEB SECURITY] Acunetix has free XSS scanner

Posted here since reply was not appreciated on the Websecurity list.

http://www.disenchant.ch/blog/abuse-of-the-owasp-brand-by-acunetix

> Myself I also saw some abuses by some companies
Abuses on the Internets from the Acunetix evil doers.

> and also after I've talked to them, they removed the things which
> weren't OK
So you're policing the internet for compliance? Ok, you have contacted
other vendors? Good.

Then I ask myself if you also have contacted Acunetix and asked
them about it?

From the blog comments I see that in fact you have not, so I ask myself why
you have talked to "other vendors" about it while you chose a blog post
and a mailing list post for Acunetix. Are they kind of evil? Do they
need to be taught a lesson?


>My conclusion on this story is, that Acunetix has broken the law
The law? IF they have broken anything at all they would have broken
a license, not the law. If law making is done by posting something
to a website, hell I'll just create one right now.

>so they have to remove the OWASP parts out of their scanner
What OWASP part is in their scanner? The name? Isn't the rest just
vulnerabilities?

> (and eventually
> pay something to the OWASP because of the license abuse)
Since when is using a name a license abuse ? (Again supposing all they
used was the name)

> or they'll have
> to put their web vulnerability scanner also under the same license as the
> OWASP Top 10 which will be AFAIK the GPL.

No it's _not_ the GPL, you even say it on your own blog, it's the
LGPL.
You have not understood the *GPL license at all. It is just not true to
say that all derivative works or all works embedding *GPL software will
automatically become *GPL.

Not to mention USING the word "OWASP TOP 10" is surely not "derived
work"

Why do you think OWASP is LGPL and not GPL ?
[1]
The main difference between the LGPL and GPL is an exception provision
that permits the use of LGPL'ed libraries to be "combine[d] or link[ed]"
with works that use the library and distribution of the aforementioned
work under any terms, provided that these terms permit modification of
the work for the customer's own use and reverse engineering for debugging.
Simply put, this implies that one is allowed to use LGPL'ed libraries
and link them with other open-source software - even not licensed
under the LGPL.

[1]http://www.objectweb.org/phorum/read.php?f=18&i=6&t=6

Actually, these licenses say : "if identifiable sections of [derivative work]
are not derived from the [original software] and can be reasonably considered
independent and separate works in themselves, then the [*GPL], and its terms,
do not apply to those sections when [one] distributes them as separate works".

I am sorry, but checking for XSS or SQL injections is clearly not
derived work from OWASP, the only problem here is that they use the
term OWASP and that's pretty much it.
There is nothing wrong with testing for OWASP Top 10 vulnerabilities;
they are not OWASP inventions, nor are they being patented/trademarked
or otherwise protected. They refer to industry-named vulnerabilities,
nothing else.

Would it be fair if Acunetix is/became an OWASP member? Surely. Is it
required? IMHO, no it isn't.


-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7
