[OWASP-South Africa] OWASP-SouthAfrica Digest, Vol 14, Issue 2

Steven steven.scheffler at gmail.com
Tue Feb 1 00:49:48 EST 2011


Thanks Dash,
I had a similar experience with ISACA.org.za, besides the bug not being fixed.
I alerted them in 2008 about a bug which allows path traversal attacks and
bypasses authentication and authorization to download paid content. I was a
bit annoyed not to receive a reply to my two follow-up emails either, because
if they can't practice what they preach then the site looks more like a
money-making scam, if you know what I mean :)

On Mon, Jan 31, 2011 at 9:26 PM, Dash Shendy <admin at dash.za.net> wrote:

>  In the case of not wanting anything else but the bug fixed,
> I would also like to add that the size and structure of the vulnerable
> organization also matters.
> Expect major delays (months, maybe years) with Institutions such as banks.
> Here's a time-line of a bug+fix in a popular South African Banking
> Institution:
>
>    - Bug first discovered circa ~2008
>    - Institution alerted officially July 2010 (Security Analyst working
>    for institution was alerted personally)
>    - More and more people were told about the bug July-Oct
>    - Bug was fixed in Oct 2010
>
> But I guess you tell enough people in the end and someone will fix it :)
> Guess my 2c.
>   *Dash Shendy*
> Coder/Pentester
> Security Analyst/Consultant
> URL : http://dash.za.net/
> SMTP: admin at dash.za.net
> VOIP: dashula2006
>
> On 1/31/2011 7:00 PM, owasp-southafrica-request at lists.owasp.org wrote:
>
> Today's Topics:
>
>    1. reporting vulnerabilities (Steven)
>    2. Re: reporting vulnerabilities (Haroon Meer)
>    3. Re: reporting vulnerabilities (daniel cuthbert)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 31 Jan 2011 10:51:16 +0200
> From: Steven <steven.scheffler at gmail.com>
> Subject: [OWASP-South Africa] reporting vulnerabilities
> To: owasp-southafrica at lists.owasp.org
> Message-ID: <AANLkTi=k=fOdhLstzC_iM+ALy_chgOAp-xgnaOgWS-ed at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi,
> what are your experiences of reporting application/website vulnerabilities to
> local companies?
> Tx
>
> ------------------------------
>
> Message: 2
> Date: Mon, 31 Jan 2011 15:04:12 +0200
> From: Haroon Meer <haroon at thinkst.com>
> Subject: Re: [OWASP-South Africa] reporting vulnerabilities
> To: Steven <steven.scheffler at gmail.com>
> Cc: owasp-southafrica at lists.owasp.org
> Message-ID: <AANLkTikrdbDi=1F6vBiPVwOK=aB_LRxEtcS1GfeBRJdM at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi Steven.
>
> On Mon, Jan 31, 2011 at 10:51 AM, Steven <steven.scheffler at gmail.com> wrote:
>
>  what are your experiences of reporting application/website vulnerabilities to
> local companies?
>
>  This comes up often enough, so I guess it's worth a public reply.
> Personally, I have seldom found developers who truly do not care. I.e.
> most want to do good work, and a vulnerability is a bug most would
> rather fix. (They are generally (eventually) happier for knowing).
>
> (In my experience) If you want nothing out of the deal, all is good,
> and there is little problem. The issue gets slightly murkier when you
> actually want something from the deal. (Money, Fame, Follow Up
> consulting work, etc). In such cases things look like blackmail very
> easily and you walk a fine line.
>
> If you want nothing from it, hedge your bets. An email from a hushmail
> account with sufficient details for them to fix the issue means that
> they will be able to communicate with you if they need clarification,
> without too much risk to you.
>
> If you plan to build a relationship, by saying "I do this for a
> living, look what I found", you need to be prepared to explain how/why
> you tested their site without permission and you need to be fully
> prepared to have them use the information without any benefit coming
> to you.
>
> 0.02c
>
> /mh
>
>
>