
Re: Non-Debian vulnerabilities.: msg#00019

Subject: Re: Non-Debian vulnerabilities.
Ulf Härnhammar wrote:
> >   I'm curious what reaction others have gotten from reporting problems?
> >  I know some people will downplay even the most obviously critical holes,
> >  and others will bend over backwards to fix a completely obscure and
> >  unlikely hole - so it's probably only normal to expect a lot of
> >  variation ..
> 
> Depends on the individuals, yeah.
> 
> When talking about obscure and unlikely vulns, here is a Debian advisory from
> elder days with the same type of GECOS bug that I just found in xshisen:
> 
> http://www.debian.org/security/1997/19970220.en.html
> 
> I used to audit lots of web applications a few years ago, and I remember that
> Albrecht from PHProjekt got really angry when I posted this:
> 
> http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2002-04/0362..html

Local dot overflow. :)

Why did he get angry?  Because you have informed him prior to
the advisory or because of its content?

> He had tried to cover up some of the issues by patching them but not including
> them in the ChangeLog!

How stupid.  Won't work in the long term, we all know that.

> Sometimes when you audit web applications, the developers have never heard terms
> like Cross-site Scripting and SQL Injection before, so you might have to explain

Ack.

> stuff to them. All C programmers have at least heard of buffer overflows.

I doubt.

Regards,

        Joey

-- 
If nothing changes, everything will remain the same.  -- Barne's Law

