RE: Developerstore.com expose critical customer info

From: sq (sqat_private)
Date: Fri Jan 11 2002 - 14:41:05 PST


    > So, now you know, and no one but the poster, myself,
    > and whoever else he told or figured it out on their own had a chance to
    > exploit it.
    
    It was posted to webappsecat_private, and (probably) focus-msat_private yesterday (1/10)... so I suspect a lot of people knew.
    
    
    
    > > http://developerstore.com/devstore/productSearch.asp?searchText=
    > > |')%20union%20all%20select%201,name%20from%20sysobjects%20where%20
    > > type='U'--
    > 
    > You'll notice that this doesn't work any more.  I did work just fine 
    > when the note was sent to vuln-dev.  I purposely held this post
    > while I contacted Microsoft, and they removed the script.
    > 
    > You're welcome to cry censorship, limited disclosure, hypocrisy, etc...
    > The posts won't be let through to the list unless someone has something
    > really useful to say.
    > 
    > This is in line with my policy for the list, as stated in administrivia
    > notes.  In most cases, I will not allow a post that contains info on
    > how to nail a unique site.  This is not the same as a client hole,
    > or a service that many people run, or a CSS problem that user
    > education can fix.  No one could have (legitimately) fixed that 
    > hole except the webmaster for that site.  
    > 
    > If you have info on that site, and I allowed the post immediately, then
    > you would have been screwed.  I might have info there, I really can't 
    > remember.  Doesn't have anything to do with my decision, though.
    > 
    > I post the information now, because I think that despite the fact that 
    > the problem is now gone, it is important to have a track record, so
    > that you can be informed about the security of a site you might
    > do business with.  So, now you know, and no one but the poster, myself,
    > and whoever else he told or figured it out on their own had a chance to
    > exploit it.
    > 
    > I will do this again in the future should it come up.  About the only
    > time I won't hold the post is if the poster has admitted to breaking
    > the law, i.e. if a site were defaced, and the attacker posts to the
    > list with details of how they did it, that post is going right through.
    > (Because if you give me the info, and I keep it to myself, then you've
    > made me an accessory to the crime.)
    > 
    >      BB
    > 
    > 
    
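The URL quoted above is a textbook UNION-based SQL injection: the search text closes the string literal and parenthesis of the original query, appends a second SELECT against the database catalogue, and comments out the remainder. The following example is added here for illustration and is not part of the thread or of developerstore.com's code. It reproduces the bug class locally against an in-memory SQLite database (the MS SQL `sysobjects ... type='U'` catalogue query is translated to SQLite's `sqlite_master ... type='table'`, and the product/customer tables are a constructed stand-in for an unknown real schema), shows the parameterised query that closes the hole, and adds a small web-log check that flags decoded `union ... select` probes of this shape.

```python
import re
import sqlite3
import urllib.parse

# SQLite translation of the payload quoted in the thread (assumption: the original
# targeted MS SQL's sysobjects table; sqlite_master plays the same role here).
PAYLOAD = "|') union all select 1,name from sqlite_master where type='table'--"

# Constructed web-server log lines, not taken from any real site's logs.
LOG_LINES = [
    "GET /devstore/productSearch.asp?searchText=widget HTTP/1.0",
    "GET /devstore/productSearch.asp?searchText=|')%20union%20all%20select"
    "%201,name%20from%20sysobjects%20where%20type='U'-- HTTP/1.0",
]


def build_db():
    """Create a throwaway store database (constructed schema, hypothetical data)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT);
        INSERT INTO products (name) VALUES ('widget'), ('gadget');
        INSERT INTO customers (email) VALUES ('alice@example.invalid');
        """
    )
    return con


def search_vulnerable(con, search_text):
    """The bug class from the post: user input concatenated straight into SQL.

    With PAYLOAD the statement becomes
      ... WHERE (name LIKE '%|') union all select 1,name from sqlite_master ...--%')
    so the catalogue is returned as if it were search results.
    """
    sql = "SELECT id, name FROM products WHERE (name LIKE '%" + search_text + "%')"
    return con.execute(sql).fetchall()


def search_parameterized(con, search_text):
    """The fix: bind the search text as a parameter, so it can never change the
    query's structure and the same payload simply matches no product name."""
    sql = "SELECT id, name FROM products WHERE (name LIKE ?)"
    return con.execute(sql, ("%" + search_text + "%",)).fetchall()


def flag_union_injection(log_line):
    """Return True if the request's query string, once URL-decoded, carries a
    UNION ... SELECT sequence. Intended as a simple detection over access logs."""
    parts = log_line.split(" ")
    if len(parts) < 2:
        return False
    query = urllib.parse.urlsplit(parts[1]).query
    decoded = urllib.parse.unquote_plus(query)
    return re.search(r"\bunion\b[\s\S]*\bselect\b", decoded, re.IGNORECASE) is not None


if __name__ == "__main__":
    con = build_db()
    print("vulnerable, normal search:", search_vulnerable(con, "wid"))
    print("vulnerable, payload:      ", search_vulnerable(con, PAYLOAD))
    print("parameterised, payload:   ", search_parameterized(con, PAYLOAD))
    for line in LOG_LINES:
        print("flagged" if flag_union_injection(line) else "clean  ", line[:60])
```

The vulnerable function lists the table names (`products`, `customers`) for the payload, which is exactly the information leak the thread describes; the parameterised version returns nothing for the same input. The log check is deliberately narrow (decoded `union` followed by `select`) and is meant as a starting point for a web application log review, not a complete injection signature.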