Dear DAN MORRILL,

--Wednesday, July 27, 2005, 10:08:12 PM, you wrote to 3APA3A@xxxxxxxxxxxxxxxx:

DM> Good Morning,

DM> I got the official notice from SPI Dynamics today on this issue. I am in no
DM> way slamming people at all, but the interesting response was inability to
DM> reproduce the XAS issue.

I was provided with additional information in response to your e-mail.

DM> At what point and how much support should the discoverer give to the
DM> company? Usually when I have a bug report it is a full set of instructions
DM> on exactly how to reproduce the issue, from OS, software running in
DM> background, what I was clicking or typing at the time.

DM> My question is that if we are submitting bug reports and POC code, just how
DM> much information do we give to the vendor, especially if they say that they
DM> can not reproduce it? If the vendor can not reproduce it, how much time and
DM> support should the discoverer give them?

-=-=-=-=-=-=-
Sent: Wednesday, April 20, 2005 3:05 AM
To: Sam Shober
Subject: RE: [CAS-01370] SPI Dynamics WebInspect Cross-Application Scripting (XAS)

Inline.

>Opening the scan data you sent on a default install of WebInspect 5.0.196
>shows how you are able to execute JavaScript in the report view and reload
>the vulnerability.htm.

It's ok. This is a task of the PoC.
-=-=-=-=-=-=-

Attached are PoCs and screenshots sent to vendor. I agree with reporter this information is 100% enough to demonstrate vulnerability. Should reporter also educate technical staff of the security product vendor, if he doesn't understand what a PoC is, what cross site scripting is and what impact it has on a security related product's security?

--
~/ZARAZA
http://www.security.nnov.ru
Attachment:
wwwroot.zip
Description: Zip compressed data
Attachment:
aha.PNG
Description: PNG image
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
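The issue under discussion is a scanner report view that executes JavaScript carried in the scan data. The following is an added illustration of the defensive pattern, written for this page and not taken from the post, the attachments or SPI Dynamics' product: a finding's URL, parameter and evidence are attacker-controlled, and a report generator must HTML-escape them (and refuse non-http link schemes) before placing them in report markup. The `Finding` type, the render functions and the sample finding are assumptions constructed for the example.

```python
"""Rendering scanner findings into an HTML report without reintroducing
script execution. Example code constructed for this page; the Finding type,
function names and sample data are assumptions, not a real scanner's API."""
import html
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Finding:
    url: str        # request URL that produced the finding
    parameter: str  # parameter name reported as injectable
    evidence: str   # response snippet that triggered the finding


# Constructed sample finding: every field originates from the scanned
# application, so each one may carry markup.
SAMPLE = Finding(
    url="http://target.example/vulnerability.htm?q=<script>alert(1)</script>",
    parameter="q",
    evidence='<input value="<script>alert(1)</script>">',
)


def render_unsafe(f: Finding) -> str:
    """The flawed pattern: finding fields are interpolated verbatim, so any
    script in the scanned response runs again inside the report view."""
    return (f'<tr><td><a href="{f.url}">{f.url}</a></td>'
            f'<td>{f.parameter}</td><td><pre>{f.evidence}</pre></td></tr>')


def safe_href(url: str) -> str:
    """Escaping alone does not neutralise a javascript: link target, so only
    http(s) URLs are allowed into an href; anything else becomes an inert '#'."""
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_safe(f: Finding) -> str:
    """Every field is HTML-escaped (quotes included, since some land inside
    attribute values) before it reaches the report markup."""
    esc = lambda s: html.escape(s, quote=True)
    return (f'<tr><td><a href="{safe_href(f.url)}">{esc(f.url)}</a></td>'
            f'<td>{esc(f.parameter)}</td><td><pre>{esc(f.evidence)}</pre></td></tr>')


def contains_script_tag(fragment: str) -> bool:
    """Crude regression check a report generator can run on its own output:
    an unescaped <script opening tag must never appear in a rendered row."""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    print("unsafe row contains script tag:", contains_script_tag(render_unsafe(SAMPLE)))
    print("safe row contains script tag:  ", contains_script_tag(render_safe(SAMPLE)))
    print(render_safe(SAMPLE))
```

The check in `contains_script_tag` is deliberately simple; it catches the obvious case from the PoC description above, but the real control is the escaping at the point where untrusted data meets the report template, not post-hoc pattern matching.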