> http://developerstore.com/devstore/productSearch.asp?searchText=
> |')%20union%20all%20select%201,name%20from%20sysobjects%20where%20
> type='U'--

You'll notice that this doesn't work any more. It did work just fine when the note was sent to vuln-dev. I purposely held this post while I contacted Microsoft, and they removed the script.

You're welcome to cry censorship, limited disclosure, hypocrisy, etc... The posts won't be let through to the list unless someone has something really useful to say.

This is in line with my policy for the list, as stated in administrivia notes. In most cases, I will not allow a post that contains info on how to nail a unique site. This is not the same as a client hole, or a service that many people run, or a CSS problem that user education can fix. No one could have (legitimately) fixed that hole except the webmaster for that site. If you have info on that site, and I allowed the post immediately, then you would have been screwed. I might have info there, I really can't remember. Doesn't have anything to do with my decision, though.

I post the information now, because I think that despite the fact that the problem is now gone, it is important to have a track record, so that you can be informed about the security of a site you might do business with. So, now you know, and no one but the poster, myself, and whoever else he told or figured it out on their own had a chance to exploit it.

I will do this again in the future should it come up. About the only time I won't hold the post is if the poster has admitted to breaking the law, i.e. if a site were defaced, and the attacker posts to the list with details of how they did it, that post is going right through. (Because if you give me the info, and I keep it to myself, then you've made me an accessory to the crime.)

BB
This archive was generated by hypermail 2b30 : Fri Jan 11 2002 - 12:08:25 PST