> So, now you know, and no one but the poster, myself,
> and whoever else he told or figured it out on their own had a chance to
> exploit it.

It was posted to webappsecat_private, and (probably) focus-msat_private yesterday (1/10)... so I suspect a lot of people knew.

> > http://developerstore.com/devstore/productSearch.asp?searchText=
> > |')%20union%20all%20select%201,name%20from%20sysobjects%20where%20
> > type='U'--
>
> You'll notice that this doesn't work any more. It did work just fine
> when the note was sent to vuln-dev. I purposely held this post
> while I contacted Microsoft, and they removed the script.
>
> You're welcome to cry censorship, limited disclosure, hypocrisy, etc...
> The posts won't be let through to the list unless someone has something
> really useful to say.
>
> This is in line with my policy for the list, as stated in administrivia
> notes. In most cases, I will not allow a post that contains info on
> how to nail a unique site. This is not the same as a client hole,
> or a service that many people run, or a CSS problem that user
> education can fix. No one could have (legitimately) fixed that
> hole except the webmaster for that site.
>
> If you have info on that site, and I allowed the post immediately, then
> you would have been screwed. I might have info there, I really can't
> remember. Doesn't have anything to do with my decision, though.
>
> I post the information now, because I think that despite the fact that
> the problem is now gone, it is important to have a track record, so
> that you can be informed about the security of a site you might
> do business with. So, now you know, and no one but the poster, myself,
> and whoever else he told or figured it out on their own had a chance to
> exploit it.
>
> I will do this again in the future should it come up. About the only
> time I won't hold the post is if the poster has admitted to breaking
> the law, i.e. if a site were defaced, and the attacker posts to the
> list with details of how they did it, that post is going right through.
> (Because if you give me the info, and I keep it to myself, then you've
> made me an accessory to the crime.)
>
> BB
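The quoted URL works because the search text is spliced straight into a SQL string, so a value that opens with `')` closes the LIKE expression and tacks a UNION onto the query. The following is an added example, not code from the thread, the developerstore.com site or Microsoft: it reconstructs that query shape, shows the parameterized version that defeats the same input, and adds a small check that flags the UNION ... SELECT signature in request URLs. Everything in it is an assumption: the real page was ASP over SQL Server, while sqlite and its `sqlite_master` catalogue stand in for SQL Server and `sysobjects`, and the table names and sample rows are constructed.

```python
"""Added example (not from the vuln-dev thread, developerstore.com or Microsoft):
the query shape the quoted URL exploits, its parameterized fix, and a log check."""
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the store's search backend. Assumption: the real page
# was ASP over SQL Server; sqlite and its sqlite_master catalogue stand in for
# SQL Server and sysobjects, so this payload names sqlite_master and type='table'
# where the quoted URL names sysobjects and type='U'.
PAYLOAD = "') union all select 1,name from sqlite_master where type='table'--"


def make_db():
    """Build an in-memory database with one searchable table and one that must
    never be exposed through the search page (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT)")  # must not leak
    conn.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [(1, "Visual Studio"), (2, "Windows 2000")],
    )
    return conn


def search_concatenated(conn, search_text):
    """Vulnerable form: the search text is concatenated into the SQL text, so a
    value beginning with ') closes the LIKE and appends a UNION of the caller's
    choosing; the trailing -- comments out the original closing quote."""
    sql = "SELECT id, name FROM products WHERE name LIKE ('%" + search_text + "%')"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, search_text):
    """Hardened form: the same query with the search text bound as a parameter.
    The quote, UNION and comment are ordinary characters inside the pattern."""
    sql = "SELECT id, name FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + search_text + "%",)).fetchall()


# UNION [ALL] SELECT is the signature of the technique in the quoted URL.
UNION_SELECT = re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.IGNORECASE)


def flag_union_injection(url):
    """Return the names of query parameters in a request URL whose URL-decoded
    value carries a UNION ... SELECT. Meant for scanning web server logs."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return [name for name, values in params.items()
            if any(UNION_SELECT.search(v) for v in values)]


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", search_concatenated(db, PAYLOAD))   # leaks table names
    print("parameterized:", search_parameterized(db, PAYLOAD))  # no rows match
    print("flagged      :", flag_union_injection(
        "http://example.test/productSearch.asp?searchText=" + PAYLOAD))
```

Run against the concatenated form, the payload returns the product rows followed by every table name in the catalogue, which is exactly the information the quoted URL pulled out of sysobjects; the parameterized form returns nothing because the whole payload is treated as a LIKE pattern. The log check is deliberately narrow (it matches only the UNION ... SELECT shape seen here), so it is a starting point for a signature, not a complete injection detector.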
This archive was generated by hypermail 2b30 : Fri Jan 11 2002 - 15:32:59 PST