I found a 2 serious vulnerabilities!

Printable View

October 7th, 2002, 04:07 AM
STeRoiD

I found a 2 serious vulnerabilities!

Hey guys (and girls)!
Yeah i can hardly belive I did that :) but I found 2 serious vulnerabilities in a popular message board.

The first one allows D.O.S Against the forum, Other allows stealing user accounts.

I dont wanna give too much details and I really need a week or two to study the issue, but I want to know - what is the best way to publish these vulnerabilities?

What should I say to company who make this message board, how much time should I wait until I publish my information outside and which way is the best way to do that?

p.s. I didnt see "general security" forum so i made the thread here.
October 7th, 2002, 04:41 AM
doktorf00bar

Why would you "publish the information outside" ? just send an anonymous email to the admin...
October 7th, 2002, 05:13 AM
souleman

http://www.wiretrip.net/rfp/policy.html

This was a policy written by RainForestPuppy talking about full disclosure and the proper way to do it.
October 7th, 2002, 05:37 AM
doktorf00bar

i don't think he's saying he discovered some new general vulnerability. I think he's talking about a specific instance on a specific host. THAT should never be publicized, not at least until it is patched....
October 7th, 2002, 05:54 AM
STeRoiD

Well, it IS a new general vulnerability, its not just on a specific host. And why i want to publish what I found? because :
a) i want people to fix it, instead of using a software that can be exploited.
b) i want credit for what i found.

And yeah, I will message the people who made this message board and tell them theres a problem with it before Ill publish what I found, I just wanted to know how exactly should I do that.
October 7th, 2002, 09:34 AM
Unl3Ashed

STeRoiD, If you would like to recieve credit for what you've found, I think the only way is that you should find a big software compony and sell it to them and they can make a fix for it , but if you publish it by your own, then I don't think of any credit. This is just an oponion, may be wrong.

Cheers
October 7th, 2002, 11:21 AM
Common_Exploit

My guess would be to send an email to the admin(s) or creators of the software, explain to them how it can be exploited, and if you can, offer a patch. That would be my best guess.
August 15th, 2003, 02:46 PM
el-half

doktorf00bar, cool nickname.
Mailing the webmaster is the best, I do it pretty often, check sites for holes and mail the webmaster about them+the solution, they appreciate it when you care about their site.
August 15th, 2003, 07:55 PM
thehorse13

el-half,

You may want to look at the post dates before posting to the thread. In this case, they are from October of 2002. By definition, this is a dead thread.

:)

--TH13