| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 19 Dec 2014 09:13:48 +0000 From: Gynvael Coldwind <gynvael@...dwind.pl> To: Shahar Tal <shahartal@...ckpoint.com>, "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: Re: [FD] The Misfortune Cookie Vulnerability > > We call it "Misfortune Cookie" over the affected vulnerable HTTP cookie > parsing module, but MITRE insists on CVE-2014-9222 > To be honest I'm getting rather annoyed by how Check Point is (mis)handling this vulnerability. I mean, there is already a "cool marketing name", there is a website dedicated to it, there is already this huge FAQ not answering the basic questions, etc. But there is no information on it except for "vulnerability in the Cookie parsing module of these SOHO". Seriously, if you can't disclose the vulnerability yet, please don't spam with its marketing materials. Last I checked "full disclosure" was actually about disclosing technical information and not passing links to marketing sites. Otherwise, please provide basic information as a technical description of the vulnerability (which allows reproduction) or a PoC to test whether a given device is vulnerable. Please note that you've already given enough information for the attackers to just find the vulnerability (as in "please reverse engineer the cookie parsing in this model"), so you're not doing anyone a favor by trying to play it out like this. Regards, -- Gynvael _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists