Full Disclosure mailing list archives

Re: About IBM
From: Ferenc Kovacs <tyra3l () gmail com>
Date: Mon, 28 May 2012 00:21:28 +0200

Did you use the MustLive handle in your reports?
Maybe they have some kind of mail filtering in place...

On Sun, May 27, 2012 at 10:51 PM, MustLive <mustlive () websecurity com ua> wrote:

Hello guys!

I have a question for you about IBM. Has anybody successfully contacted
them, so that they officially answered and fixed vulnerabilities in their
software, since Leandro Meiners (since 2005)?

When I informed them many times in 2006-2008 concerning multiple
vulnerabilities at multiple web sites of IBM and IBM ISS, they just ignored
them and did not fix them, or some of them they first ignored and later
quietly fixed. But those were their sites, and I was hoping that concerning
their software products they would have different behavior.

But when last week, during 16.05-20.05, I sent five advisories to IBM
concerning multiple vulnerabilities which I had found (in May, during a
pentest) in IBM Lotus Notes and Domino and IBM Lotus Notes Traveler, they
just ignored them. So they have demonstrated the same behavior as concerning
their web sites. And there are a lot of Cross-Site Scripting, Information
Leakage, Brute Force, Insufficient Authentication, Cross-Site Request
Forgery, Redirector and HTTP Response Splitting vulnerabilities in their
software, which I have informed them about, and which can be used for full
compromise of the server and the network of those who use IBM's software
(as was done during my pentest).

After the fourth e-mail to IBM's security department, when there were still
no answers from them, I resent the fourth letter to their support (hoping
that they would be more serious). The support answered on the next day in a
very funny way, not as lame as Cisco answered me in 2008 concerning
vulnerabilities at their sites (which I considered the lamest vendor
response, much more so than those nominees at the Pwnie Awards), but still
not serious enough. The letter was a "standard one": that they are in
receipt of my e-mail report and apologize for any inconvenience I may have
experienced. When I drew support's attention to the fact that I had already
written five letters to their security department (and just one sent to
support) about multiple vulnerabilities in their software products and had
not received any answers from them, and that I had "no issues with working
with their software" (as he tried to state in his letter), then I received
another letter from another IBM employee, who wrote the same "standard
phrases" and added that to inform them about issues with software I can call
them by phone :-). And already a week after that there are still no answers
from them (as was predictable since 16.05). This is how IBM cares about the
security of their software, particularly Lotus Notes and Domino and Lotus
Notes Traveler.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu