[OWASP-Bangalore] Why full/public disclosure of WebAppSechack/vulnerability !

Apurv Anand apurv_anand at yahoo.com
Fri Jun 26 17:40:43 EDT 2009


All right. My bad. I read Raxit's mail in a jiffy. I was under the impression that he was talking about an application, and I would stand by my words if it was an application. But if it's a site we are talking about, yes, I hear what you are saying.

-apurv

--- On Fri, 6/26/09, Prashanth Sivarajan <prash.siv at gmail.com> wrote:

> From: Prashanth Sivarajan <prash.siv at gmail.com>
> Subject: Re: [OWASP-Bangalore] Why full/public disclosure of WebAppSechack/vulnerability !
> To: owasp-bangalore at lists.owasp.org
> Date: Friday, June 26, 2009, 9:52 PM
>
> You stole the words from my mouth, Raxit. Exactly. Google has had an XSS vulnerability with multibyte chars, if I am not wrong, about a year back... did you know about it?
> Yahoo search has had a search redirection logic that could be used for phishing, which I also presume, from the date of the blog, was a year back.
>
> Disclaimer: I read about them in blogs and some books some time back. Can't give any references.
>
> -Prashanth
> 
> On Fri, Jun 26, 2009 at 9:14 PM, Raxit Sheth <raxitsheth2000 at gmail.com> wrote:
>
> On Fri, Jun 26, 2009 at 6:36 PM, Apurv Anand <apurv_anand at yahoo.com> wrote:
> 
> 
> Hi Prashanth,
>
> It's important to talk about it so that the end user knows about the problem, and it would help them decide whether to upgrade the application or not. It at times is critical to know why an upgrade is essential, either because of the new functionality or bug fixes
>
> It is not an application, it is a website! It's not at all under the user's control! Will disclosing one more vulnerability of Gmail help you in any way (just for example!)?
>
> (including security).
>
> Here it's not important "how" to exploit a vulnerability, but the awareness of the problem that exists.
>
> thanks,
> apurv
> 
> 
> 
> --- On Fri, 6/26/09, Prashanth Sivarajan <prash.siv at gmail.com> wrote:
>
> > From: Prashanth Sivarajan <prash.siv at gmail.com>
> > Subject: Re: [OWASP-Bangalore] Why full/public disclosure of WebAppSechack/vulnerability !
> > To: owasp-bangalore at lists.owasp.org
> > Date: Friday, June 26, 2009, 3:17 PM
> 
> 
> 
> 
> 
> > What he means is... Why talk about a vulnerability that is already fixed....
> >
> > We all learn from something that already happened. If you see any security tutorial, they talk about how some websites 'were' hacked; they never teach you how to hack. That's for you to figure out.
> >
> > It is like reading the poems of other great poets to get inspired and write your own.
> 
> 
> >
> > On Fri, Jun 26, 2009 at 12:23 PM, Syed Mohamed A <SyedMA at microland.com> wrote:
> >
> > Send it to security focus …
> >
> > Regards
> > Syed Mohamed A
> > AGM – Security Services, Microland Ltd
> > (Co-author OWASP Guide, WASC Threat Classification, SANS Top 20)
> 
> 
> >
> > From: owasp-bangalore-bounces at lists.owasp.org [mailto:owasp-bangalore-bounces at lists.owasp.org] On Behalf Of Raxit Sheth
> > Sent: Thursday, June 25, 2009 9:37 PM
> > To: owasp-mumbai at lists.owasp.org; owasp-bangalore at lists.owasp.org; BarCampMumbai2; BarcampAhmedabad; barcampdelhi at googlegroups.com; bangalore_barcamp at yahoogroups.com; null null
> > Subject: [OWASP-Bangalore] Why full/public disclosure of WebAppSechack/vulnerability !
> 
> >
> > Hi Guys
> >
> > On this Sunday (21st Jun 2k9), I found a few critical personal data items open on the Outlook Money website, which I tweeted after it had been fixed etc.. [i.e. first it was fixed and then I tweeted!!! just to avoid any confusion.]
> >
> > Now I just wanted to know why to put out a disclosure or bring this to the public (after it has been fixed!)? [If they are not fixing, and to force them to fix, doing public disclosure is fine... But once they have done the fix... Should one?]
> >
> > Open for thoughts!
> >
> > -Raxit Sheth
> > www.m4mum.com
> > www.twitter.com/raxit
> >
> > _______________________________________________
> 
> > OWASP-Bangalore mailing list
> > OWASP-Bangalore at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-bangalore

