[OWASP-Bangalore] Why full/public disclosure of WebAppSechack/vulnerability !

Prashanth Sivarajan prash.siv at gmail.com
Fri Jun 26 11:52:40 EDT 2009


You stole the words from my mouth, Raxit. Exactly. Google has had an XSS
vulnerability with multibyte chars, if I am not wrong, about a year back... did
you know about it?
Yahoo search has had a search redirection logic that could be used for
phishing, which also, I presume from the date of the blog, was a year
back.

Disclaimer: I read about them in blogs and some books some time back. Can't
give any references.

-Prashanth
On Fri, Jun 26, 2009 at 9:14 PM, Raxit Sheth <raxitsheth2000 at gmail.com> wrote:

>
>
>  On Fri, Jun 26, 2009 at 6:36 PM, Apurv Anand <apurv_anand at yahoo.com> wrote:
>
>>
>> Hi Prashanth,
>>
>> It's important to talk about it so that the end user knows about the
>> problem and would help them decide to upgrade the application or not. It at
>> times is critical to know why an upgrade is essential. Either because of the
>> new functionality or bug fixes (including security).
>
>
> It is not application, it is website! It's not at all under user's control!
> Disclosing one more vulnerability of Gmail will help you in any way (just
> for example!)?
>
>>
>> Here it’s not important "how" to exploit a vulnerability, but the
>> awareness of the problem that exists.
>>
>> thanks,
>> apurv
>>
>>
>>
>> --- On Fri, 6/26/09, Prashanth Sivarajan <prash.siv at gmail.com> wrote:
>>
>> > From: Prashanth Sivarajan <prash.siv at gmail.com>
>> > Subject: Re: [OWASP-Bangalore] Why full/public disclosure of
>> WebAppSechack/vulnerability !
>> > To: owasp-bangalore at lists.owasp.org
>> > Date: Friday, June 26, 2009, 3:17 PM
>> > What he means is... Why talk about
>> > a vulnerability that is already fixed....
>> >
>> > We all learn from something that already happened. If
>> > you see any security tutorial, they talk about how some
>> > websites 'were' hacked; they never teach you how to
>> > hack.
>> > That's for you to figure out.
>> >
>> > It is like reading the poems of other great poets to
>> > get inspired and write your own.
>> >
>> >
>> > On Fri, Jun 26, 2009 at 12:23 PM,
>> > Syed Mohamed A <SyedMA at microland.com>
>> > wrote:
>> >
>> > Send it to security focus …
>> >
>> > Regards
>> > Syed Mohamed A
>> > AGM – Security Services, Microland Ltd
>> > (Co-author OWASP Guide, WASC Threat Classification, SANS Top 20)
>> >
>> > From: owasp-bangalore-bounces at lists.owasp.org
>> > [mailto:owasp-bangalore-bounces at lists.owasp.org] On Behalf Of Raxit Sheth
>> > Sent: Thursday, June 25, 2009 9:37 PM
>> > To: owasp-mumbai at lists.owasp.org; owasp-bangalore at lists.owasp.org;
>> > BarCampMumbai2; BarcampAhmedabad; barcampdelhi at googlegroups.com;
>> > bangalore_barcamp at yahoogroups.com; null null
>> > Subject: [OWASP-Bangalore] Why full/public disclosure of WebAppSechack/vulnerability !
>> >
>> > Hi Guys
>> >
>> > On this Sunday (21st Jun 2k9), found few critical personal
>> > data open on Outlook Money website, which I tweeted after
>> > it has been fixed etc.. [i.e. first it is fixed and then I
>> > tweeted!!! just to avoid any confusion.]
>> >
>> > Now I just wanted to know why to put disclosure or bring
>> > this to public (after it has been fixed!)? [If they are
>> > not fixing and to force them to fix, doing public disclosure
>> > is fine... But once they have done the fix... Should one?]
>> >
>> > Open for thoughts!
>> >
>> > -Raxit Sheth
>> > www.m4mum.com
>> > www.twitter.com/raxit
>> >
>> > _______________________________________________
>> > OWASP-Bangalore mailing list
>> > OWASP-Bangalore at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-bangalore