jelmer kuperus 11 years ago
Making a distinction between critical (sev-1) and non-critical (sev-2) issues and choosing to address only the critical issues is misguided. Attackers often stack less critical vulnerabilities in order to get an effect that is greater than the sum of its parts.

Say a hacker wants to break into bignasdaqcompany.com. This person might use this vulnerability to find out the email address of one of the users: http://archive.cert.uni-stuttgart.de/bugtraq/2012/05/msg00080.html

He or she could then send an email to this person that somehow triggers the victim to click a link. The site the user would visit would be under the attacker's control and could use http://seclists.org/bugtraq/2012/May/79 to get the cookie of that user. If he or she chose to save their password, this would guarantee the attacker access. If the user that took the bait was an administrator, well then this evil hacker would be in. If not, the attacker could take advantage of http://archive.cert.uni-stuttgart.de/bugtraq/2012/05/msg00067.html to get elevated privileges. Maybe he adds himself to the board organisation, which might give him access to all sorts of sensitive data.

It can be argued that none of the 3 vulnerabilities I mentioned are *that* dangerous in their own right. But together they make for a pretty compelling scenario, don't you agree?
jelmer kuperus 11 years ago
Also, CST-SA: LPS-26935 is woefully misrepresenting the issue. The problem is not that JSON web services are enabled by default. It can be argued that they always have been, and still are, via the old /c/portal/json_service interface. The problem was insufficient permission checking in the add user mechanism.

James Falkner (replying to jelmer kuperus) 11 years ago
Hey Jelmer, these are very good points - I do believe there is value in distinguishing between severity levels (I'm not sure if you're saying that is misguided, or that it is misguided that the CST is only choosing to do the most severe). On the latter - it's not that the CST refuses to do sev-2's, it's just a matter of resources and having to choose what to do first, for the most bang for the buck, so I'll go back and clean up the places where it sounds like we definitely will never do sev-2's. I think we should do them if possible. Agree with your chaining example as well. Cheers!
jelmer kuperus 11 years ago
Just an observation, but how do you think people will perceive the security of your project if you claim that with a team of 5 people you still don't have enough resources to fix all the security vulnerabilities reported?
J. N. 11 years ago
A new security team? Does that mean in the next few days we will get a general security plugin that enables general access control to provide a kind of "maintenance mode"? Or does it already exist and I just could not find it?

James Falkner (replying to J. N.) 11 years ago
J.N., no, the security team won't be producing any plugins, though it sounds like an interesting idea.