-
October 7th, 2002, 04:07 AM
#1
I found 2 serious vulnerabilities!
Hey guys (and girls)!
Yeah, I can hardly believe I did that, but I found 2 serious vulnerabilities in a popular message board.
The first one allows D.O.S against the forum, the other allows stealing user accounts.
I don't wanna give too much detail and I really need a week or two to study the issue, but I want to know - what is the best way to publish these vulnerabilities?
What should I say to the company who make this message board, how much time should I wait until I publish my information outside, and which way is the best way to do that?
p.s. I didn't see a "general security" forum so I made the thread here.
-
October 7th, 2002, 04:41 AM
#2
Why would you "publish the information outside"? Just send an anonymous email to the admin...
"Now it's time to erase the story of our bogus fate. Our history as it's portrayed is just a recipe for hate!"
-Bad Religion
-
October 7th, 2002, 05:13 AM
#3
http://www.wiretrip.net/rfp/policy.html
This was a policy written by RainForestPuppy talking about full disclosure and the proper way to do it.
"Ignorance is bliss....
but only for your enemy"
-- souleman
-
October 7th, 2002, 05:37 AM
#4
I don't think he's saying he discovered some new general vulnerability. I think he's talking about a specific instance on a specific host. THAT should never be publicized, not at least until it is patched....
"Now it's time to erase the story of our bogus fate. Our history as it's portrayed is just a recipe for hate!"
-Bad Religion
-
October 7th, 2002, 05:54 AM
#5
Well, it IS a new general vulnerability, it's not just on a specific host. And why do I want to publish what I found? Because:
a) I want people to fix it, instead of using software that can be exploited.
b) I want credit for what I found.
And yeah, I will message the people who made this message board and tell them there's a problem with it before I'll publish what I found, I just wanted to know how exactly I should do that.
-
October 7th, 2002, 09:34 AM
#6
STeRoiD, if you would like to receive credit for what you've found, I think the only way is that you should find a big software company and sell it to them and they can make a fix for it, but if you publish it on your own, then I don't think of any credit. This is just an opinion, may be wrong.
Cheers
"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe."
- Albert Einstein
-
October 7th, 2002, 11:21 AM
#7
My guess would be to send an email to the admin(s) or creators of the software, explain to them how it can be exploited, and if you can, offer a patch. That would be my best guess.
-
August 15th, 2003, 02:46 PM
#8
doktorf00bar, cool nickname.
Mailing the webmaster is the best, I do it pretty often, check sites for holes and mail the webmaster about them+the solution, they appreciate it when you care about their site.
The above sentences are produced by the propaganda and indoctrination of people manipulating my mind since 1987, hence, I cannot be held responsible for this post's content - me
www.elhalf.com
-
August 15th, 2003, 07:55 PM
#9
el-half,
You may want to look at the post dates before posting to the thread. In this case, they are from October of 2002. By definition, this is a dead thread.
--TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden