Date: Mon, 28 May 2012 00:21:28 +0200
From: Ferenc Kovacs <tyra3l@...il.com>
To: MustLive <mustlive@...security.com.ua>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: About IBM

did you use the MustLive handle in your reports?
maybe they have some kind of mail filtering in place...

On Sun, May 27, 2012 at 10:51 PM, MustLive <mustlive@...security.com.ua> wrote:

> Hello guys!
>
> I have a question for you about IBM. Has anybody successfully contacted
> them, so that they officially answered and fixed vulnerabilities in their
> software, since Leandro Meiners (since 2005)?
>
> When I informed them many times in 2006-2008 about multiple
> vulnerabilities at multiple web sites of IBM and IBM ISS, they just ignored
> them and did not fix them, or in some cases first ignored them and later
> quietly fixed them. But those were their sites, and I was hoping that,
> concerning their software products, they would behave differently.
>
> But when last week, during 16.05-20.05, I sent five advisories to IBM
> concerning multiple vulnerabilities which I had found (in May, during a
> pentest) in IBM Lotus Notes and Domino and IBM Lotus Notes Traveler, they
> just ignored them. So they have demonstrated the same behavior as with
> their web sites. And there are a lot of Cross-Site Scripting, Information
> Leakage, Brute Force, Insufficient Authentication, Cross-Site Request
> Forgery, Redirector and HTTP Response Splitting vulnerabilities in their
> software, which I informed them about, and which can be used for full
> compromise of the server and the network of those who use IBM's software
> (as was done during my pentest).
>
> After the fourth e-mail to IBM's security department, when there were still
> no answers from them, I resent the fourth letter to their support (hoping
> that they would be more serious). The support answered the next day in a
> very funny way, not as lame as Cisco's answer to me in 2008 concerning
> vulnerabilities at their sites (which I considered the lamest vendor
> response, much lamer than the nominees for the Pwnie Awards), but still not
> serious enough. The letter was a "standard one": that they are in receipt of
> my e-mail report and apologize for any inconvenience I may have
> experienced. When I drew support's attention to the fact that I had already
> written five letters to their security department (and just one to support)
> about multiple vulnerabilities in their software products and had not
> received any answers from them, and that I had "no issues with working with
> their software" (as he tried to state in his letter), I received
> another letter from another IBM employee, who wrote the same "standard
> phrases" and added that to report issues with software I can call
> them by phone :-). And now, a week after that, there are still no answers
> from them (as was predictable since 16.05). This is how IBM cares about
> the security of its software, particularly Lotus Notes and Domino and Lotus
> Notes Traveler.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
