Hi. What happened?

1) I sent an e-mail to Microsoft:

Date: Wed, 9 Jan 2002 12:24:52 -0800 (PST)
From: "c c" <cesarc56at_private>
Subject: Critical Security problem in Developerstore.com
To: secureat_private

Hi. The site Developerstore.com exposes critical customer information. This happens because it doesn't check user inputs, allowing SQL injection and cross site scripting.
Regards.
Cesar Cerrudo.

2) They answered (it seems like an auto response, I don't know):

Date: Wed, 9 Jan 2002 12:50:44 -0800
From: "Microsoft Security Response Center" <secureat_private>
To: "c c" <cesarc56at_private>
Cc: "Microsoft Security Response Center" <secureat_private>

Hi Cesar,
Thank you very much for contacting us and for letting us know about the CSS situation - we really appreciate it! I will let the dev teams know so that they can fix it. Again, thanks for your feedback.
Kind regards,
secureat_private

3) The next day I checked the site and they hadn't fixed it, so then I posted:

Date: Thu, 10 Jan 2002 07:30:57 -0800 (PST)
From: "c c" <cesarc56at_private>
Subject: Developerstore.com expose critical customer info
To: webappsecat_private, focus-msat_private

4) webappsecat_private published the post. The focus-msat_private moderator told me:

Hi,
Can you post this to Bugtraq instead? It's a more appropriate forum for this sort of thing.
Cheers,
Marc Fossi, MCSE

I made a mistake, so I decided to post to vuln-devat_private.

5) Blue Boar held the post, he contacted Microsoft, and they removed the script. They took the entire site down!

Why did I make the post? It was a critical hole. It took me 10 seconds to find it. And it would take 10 or more seconds to fix it. I contacted Microsoft and more than 12 hours later they hadn't fixed it. What was I supposed to do? Wait days, months, maybe years until Microsoft fixed it? And in that time the site would continue exposing customer info. I think that I could get what I wanted: the site fixed quickly, that was all I wanted!
Maybe some people are quieter when they don't know that these kinds of holes exist and are actively exploited. I think that Microsoft or the company responsible never say "we are sorry, it was our mistake, we only want your money and quickly, we haven't time to do that, where do you want to go tomorrow?"; instead of that they try to focus the attention in another direction, confusing people. We have to look only at the facts and draw our own conclusions. It seems that the post caused some undesired effects (Websleuth removed from OWASP, etc.); I'm really sorry, it was not my intention. Sorry if you don't understand what I tried to say, English is not my native language.

Regards.
Cesar Cerrudo.
Parana, Entre Rios. Argentina.
This archive was generated by hypermail 2b30 : Sat Jan 12 2002 - 09:55:24 PST