[WEB SECURITY] security etiquette?
- From: solutions_PHP <support@xxxxxxxxxxxxxxxx>
- Subject: [WEB SECURITY] security etiquette?
- Date: Wed, 03 May 2006 08:30:17 -0700
Hello--
I'm hoping to be enlightened about proper security etiquette.
Here's the scenario:
A website that I have worked on has a PHP application installed
that apparently has a severe unpatched security vulnerability. I
learned about this in a forum. I've done some web searching but
haven't managed to find any further details. This is a pretty
popular application that's installed on thousands of sites. It is
not open source. Problem is, not only has the software vendor not
acknowledged this supposed issue, but apparently they remove
posts from their support forum that relate to the problem. They
also won't reply to emails about the issue. Some web hosts are
now disallowing the installation of this app on their servers.
I am not aware of the exact nature of the vulnerability. I'm also
not an expert at security auditing. I therefore have nothing
concrete to report to a site like securitytracker.com, and
wouldn't embark on an audit without hiring a specialist.
One way around this would be for me to advise the company using
the software to find an alternative. (After all, who wants to
deal with a company that behaves like this?) But again, I think I
would need something more concrete than a forum mention of a
possible hole.
Since the software vendor won't address this, I'm wondering: do
security researchers take requests? :)
What would be the proper course of action (if any) to help get
this resolved for all users of this software?
Thank you in advance, all comments appreciated!
cheers
SAM :)
--
Sam Stevens, solutions_PHP
http://www.solutionsphp.com/
Open source? Of course!
phpdirectory - a coder's arsenal
http://www.phpdirectory.com/
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
Brought to you by http://www.webappsec.org