Jordan Wiens

2 years ago

in Vulnerability Reporting in a Web 2.0 World on Matasano Chargen
I notified a website back in October that they had multiple serious security flaws. Including some really stupid ones -- among them, "authentication" resulted in you getting a cookie set to your username -- change the cookie, become another user.

Their response was along the lines of "oops, yeah, we should totally fix that!". I followed up two months later, never heard back and forgot about it until now. Checked again, and they're still vulnerable.

*sigh*
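
The flaw described in the comment above (a cookie that holds nothing but the username, so editing the cookie changes who you are) reproduced beside an HMAC-signed session cookie that rejects the same edit. This is an added Python example, not code from the comment or from the site being discussed; the usernames, the secret key, the cookie names and the payload layout are constructed for illustration.

```python
"""Username-as-cookie vs. an HMAC-signed session cookie (constructed example)."""
import base64
import binascii
import hashlib
import hmac
import secrets
import time

# --- Vulnerable: the cookie value *is* the identity --------------------------

def insecure_login(username: str) -> str:
    """Set-Cookie: user=<username>. Nothing binds the value to the server."""
    return f"user={username}"


def insecure_current_user(cookie_header: str) -> str:
    """Whoever is named in the cookie is who the server thinks you are."""
    name, _, value = cookie_header.partition("=")
    return value if name == "user" else ""


def forge_cookie(cookie_header: str, victim: str) -> str:
    """What the attacker does in the browser: edit the cookie value."""
    name, _, _ = cookie_header.partition("=")
    return f"{name}={victim}"


# --- Hardened: the value carries a MAC the client cannot recompute -----------

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def signed_login(username: str, key: bytes, ttl: int = 3600, now=None) -> str:
    """Set-Cookie: session=<payload>.<mac>, payload = user|expiry|nonce.

    `key` is a server-side secret (constructed here); the nonce makes each
    login produce a distinct cookie even for the same user and expiry.
    """
    now = int(time.time()) if now is None else now
    payload = f"{username}|{now + ttl}|{secrets.token_hex(8)}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"session={_b64(payload)}.{_b64(mac)}"


def signed_current_user(cookie_header: str, key: bytes, now=None) -> str:
    """Return the username only if the MAC verifies and the session is unexpired."""
    now = int(time.time()) if now is None else now
    name, _, value = cookie_header.partition("=")
    if name != "session" or "." not in value:
        return ""
    payload_b64, mac_b64 = value.rsplit(".", 1)
    try:
        payload = _unb64(payload_b64)
        mac = _unb64(mac_b64)
    except (ValueError, binascii.Error):
        return ""
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return ""
    username, expiry, _nonce = payload.decode().split("|", 2)
    if now >= int(expiry):
        return ""
    return username


def forge_signed_payload(cookie_header: str, victim: str) -> str:
    """Attacker swaps the username inside the payload but cannot fix the MAC."""
    name, _, value = cookie_header.partition("=")
    payload_b64, mac_b64 = value.rsplit(".", 1)
    _old_user, rest = _unb64(payload_b64).decode().split("|", 1)
    return f"{name}={_b64(f'{victim}|{rest}'.encode())}.{mac_b64}"


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # per-deployment secret, constructed here
    weak = insecure_login("alice")
    print("insecure, forged :", insecure_current_user(forge_cookie(weak, "admin")))
    strong = signed_login("alice", key)
    print("signed, genuine  :", signed_current_user(strong, key))
    print("signed, forged   :", repr(signed_current_user(forge_signed_payload(strong, "admin"), key)))
```

Signing only proves the server issued the value; it does not hide the username (the payload is base64, not encrypted), and revoking a session before expiry still needs server-side state. A random session identifier looked up in a server-side store avoids both limits and is the more common fix.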

2 years ago

in A Little Challenge To Our Mac Advocate Friends on Matasano Chargen
Sorry to post on an old thread, but anybody know how this might work?

http://www.subrosasoft.com/OSXSoftware/index.ph...

They seem to think they've got a way to get access to all the keychain passwords and it doesn't look like they're hijacking the individual applications. They also claim it's forensically sound, though that seems... well, patently false since the very fact of mounting the usb drive modifies the system, but I'll save that for the forensic experts to argue.

2 years ago

in URGENT: Unconfirmed Reports QuickTime Exploit Capture Is Circulating on Matasano Chargen
It seems like the advanced no plugins, no java, and no flash options in noscript would be preventative enough. Whether it's an embedded quicktime object or embedded java applet, both are blocked by a recent noscript with those options on.

2 years ago

in Questions for StillSecure About Cobia on Matasano Chargen
Since outgoing trackbacks aren't apparently working for me right now, I'll just manually link to my post. Of course, I needn't have bothered based on everybody else commenting here making much of the same points. I think the bottom line I agree with most strongly is Thomas' last comment -- end users might not care what Open Source is or isn't, but the folks that you'd presumably most want to be involved with a project like this most certainly do.

http://www.networkcomputing.com/blog/dailyblog/...

Sorry Alan, I'm not trying to add to the... uhh, fecal weather patterns... you're experiencing, and though I was originally really intrigued with Cobia, finally paying attention to the details of the license was disappointing compared to what I was expecting with all the hoopla about open source. I'm obviously not the only one.

2 years ago

in OpenBSD’s Amusing Handling Of Remote Kernel Overflow on Matasano Chargen
@Ivan: I suppose "screwed Core" wasn't quite the best way to put it. Mainly, it looks like they were "operating outside of the best practices for responsible disclosure" with you guys. There, is that summary pablum enough for everyone? ;-)

I realize that most disclosures happen at a much slower rate and with less communication than this one (my final note in my blog entry was that the OpenBSD guys fixed it really quite rapidly, all things considered), but I think we can hold them to a higher standard and expect much more than just a little better than average, much like Dave G. points out.

If OpenBSD wants to be the paragon of security best practices (and hey, they're probably closer than anybody else), that includes coordinating with bug reporters better, and most definitely includes (as you point out) erring on the side of caution and treating a remote kernel DoS as a serious security issue, whether or not you call it a vulnerability, and whether or not you can immediately identify it as remote code execution exploitable.

All-in-all, they needed to step up to the plate and handle this one better.

2 years ago

in OpenBSD’s Amusing Handling Of Remote Kernel Overflow on Matasano Chargen
Not only that, but it looks like they screwed Core over on the release of the announcement too, not coordinating so the vulnerability announcement could go out with patches. I blogged it a bit here:

http://networkcomputing.com/blog/dailyblog/arch...

2 years ago

in On The Different Types Of Penetration Tests on Matasano Chargen
Great writeup, Thomas. If I thought I could get away with it, I'd use web pester and web pesting in an article I'm writing now on webapp scanners.

One minor nitpick -- I'd suggest that methodology is crucial for web pentesting as well. In fact, I think it's even more crucial than network pentesting.

Mainly because a big web app actually has a much bigger attack surface area that has to be mapped out than your average network (assuming we're discounting web-apps from the network segment), and the details of that surface area are theoretically totally new to you each time. There are so many nooks and crannies that it's really important to have a good methodology to be repeatable and thorough. Of course, you need experience as well, I definitely agree with that.